More than one in three corporate employees in Africa are vulnerable to phishing attacks and social engineering scams. However, regular training can significantly reduce their chances of falling victim to such cyberthreats.
This is among the key findings of KnowBe4’s 2023 Phishing by Industry Benchmarking Report for Africa, which measures organisations’ Phish-prone Percentage (PPP) – an indication of how many of their employees are likely to fall for phishing or a social engineering scam.
The report is based on data from over 12.5 million users across 35,681 organisations in 19 different industries, and includes the results of over 32.1 million simulated phishing security tests. This year’s report details international phishing benchmarks from North America, the United Kingdom, Ireland, Europe, Africa, South America, Asia, Australia and New Zealand.
In Africa, 412 organisations from South Africa, Kenya, Nigeria and Botswana participated in the phishing simulation tests, with a total of 337,937 emails sent. The majority of these organisations (58%) were small (1-249 employees), followed by medium (26%, 250-999 employees) and large (16%, 1,000+ employees) ones.
The resulting baseline PPP measured the percentage of employees who, in organisations that had not yet conducted any KnowBe4 security training, clicked a simulated phishing email link or opened a simulated infected attachment during testing.
African business users had a lower baseline PPP than many other regions, meaning they were less likely to fall for phishing attacks before any training. However, their improvement after 90 days of training was also lower than in other regions. After a year of ongoing training, African users achieved a 79.8% improvement in their PPP, showing the effectiveness of consistent security awareness education.
Africa’s human firewall
The report shows that without security training, 33.2% of employees across all regions and industries are likely to fall for phishing attacks or fraudulent requests. Africa’s average was 32.8%, slightly better than the global average and much better than South America, where the average was 41.1%. Asia had the lowest baseline PPP, at 30%.
Training slashes risk
Ninety days after training, Africa’s PPP average was 20.5%, compared to the global average of 18.5%. After a year of consistent training, Africa’s PPP was 6.6%, compared to a global average of 5.4%, indicating that the new habits had become routine and that an improved security culture was taking hold.
At baseline, Africa’s medium-sized enterprises had the lowest PPP – at 29.4%, followed by small enterprises at 30% and large enterprises with a surprisingly high 33.3%. After training, large enterprises performed best, with a PPP average of 19% 90 days after training and 5.7% after a year. Medium-sized enterprises improved to 22.7% 90 days after training, and 10.5% after a year. Small enterprises’ PPP improved to 25.2% after 90 days and 9% after a year.
The report also revealed which industries are most vulnerable to cyberthreats and have the highest PPP. Across small and medium organisations globally, the healthcare and pharmaceuticals industries had the highest PPP of 32.3% and 35.8%, respectively. In large organisations, the insurance industry remained the most at risk for a second consecutive year with a PPP of 53.2% globally.