Cross-post from KnowBe4’s blog!
KnowBe4’s 2021 Phishing By Industry Benchmarking Report Reveals that 31.4% of Untrained End Users Will Fail a Phishing Test
If you aren’t familiar with our Phishing by Industry Benchmarking Report, let me catch you up. The purpose of this report is to analyze and understand the impact of a new-school security awareness approach on an organization’s susceptibility to phishing or social engineering attacks. To do this, we analyze data from three phases:
- Phase One: If you haven’t trained your users and you send a phishing attack, what is the initial resulting PPP? To answer this, we monitored employee susceptibility to an initial baseline simulated phishing security test. From that established set of users, we looked at any time a user failed a simulated phishing security test prior to having completed any training.
- Phase Two: What is the resulting PPP after users complete training and receive simulated phishing security tests within 90 days of that training? We answered this question by finding when users completed their first training event and looking at all simulated phishing security events up to 90 days after that training was completed.
- Phase Three: What is the final resulting PPP after users take ongoing training and monthly simulated phishing tests? To answer this, we measured security awareness skills after 12 months or more of ongoing training and simulated phishing security tests: we looked for users who completed training at least one year ago and took the result of their very last phishing test.
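As an added illustration (not part of the original post or of KnowBe4’s own tooling), the Python below applies the three phase definitions above to a small constructed set of training and phishing-test events. It takes PPP to mean Phish-prone Percentage, and it assumes a user counts as failing a phase if any of their in-scope tests failed, since the post does not say whether Phases One and Two are counted per user or per test.

```python
from datetime import date, timedelta
# Constructed sample events, not the report's data: (user, date, kind, failed).
EVENTS = [
    ("alice", date(2020, 1, 10), "phish", True),   # baseline test, before training
    ("alice", date(2020, 2, 1),  "train", None),
    ("alice", date(2020, 3, 5),  "phish", True),   # failed inside the 90-day window
    ("alice", date(2021, 3, 1),  "phish", False),  # last test, over a year after training
    ("bob",   date(2020, 1, 10), "phish", False),
    ("bob",   date(2020, 2, 1),  "train", None),
    ("bob",   date(2020, 3, 5),  "phish", False),
    ("bob",   date(2021, 3, 1),  "phish", True),
    ("carol", date(2020, 1, 10), "phish", True),   # never trained: baseline only
    ("dave",  date(2020, 6, 1),  "train", None),
    ("dave",  date(2020, 6, 15), "phish", False),  # trained less than a year before AS_OF
]
AS_OF = date(2021, 4, 1)  # constructed reporting date for Phase Three

def ppp(failed_by_user):
    """Phish-prone Percentage: share of measured users who failed, to one decimal."""
    return round(100 * sum(failed_by_user.values()) / len(failed_by_user), 1) if failed_by_user else 0.0

def first_training(events):
    """Date of each user's first completed training event."""
    return {u: min(d for x, d, k, _ in events if x == u and k == "train")
            for u in {x for x, _, k, _ in events if k == "train"}}

def _rate(events, in_scope):
    """PPP over users with at least one test selected by in_scope(user, day, first_training)."""
    t = first_training(events)
    failed = {}
    for user, day, kind, fail in events:
        if kind == "phish" and in_scope(user, day, t):
            failed[user] = failed.get(user, False) or fail  # any failure counts (assumption)
    return ppp(failed)

def phase_one(events):
    """Phase One: any failed test before the user completed any training."""
    return _rate(events, lambda u, d, t: u not in t or d < t[u])

def phase_two(events, window=timedelta(days=90)):
    """Phase Two: any failed test within 90 days after the first training."""
    return _rate(events, lambda u, d, t: u in t and t[u] <= d <= t[u] + window)

def phase_three(events, as_of, min_age=timedelta(days=365)):
    """Phase Three: result of the very last test for users trained at least a year before as_of."""
    t = first_training(events)
    tests = [(u, d, f) for u, d, k, f in events
             if k == "phish" and u in t and as_of - t[u] >= min_age]
    last = {u: max((d, f) for x, d, f in tests if x == u) for u in {x for x, _, _ in tests}}
    return ppp({u: f for u, (_, f) in last.items()})
```

On the constructed data this gives 66.7% for Phase One, 33.3% for Phase Two and 50.0% for Phase Three; note that dave is excluded from Phase Three because his training is less than a year old on the reporting date.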
This year’s inclusion dataset spanned 19 industries and comprised over 6.6 million users across 23,400 organizations with over 15.5 million simulated phishing security tests.
Here’s what we found:
For 2021, the overall PPP baseline average across all industries and organization sizes was 31.4%, meaning just under a third of an average company’s employees could be at risk of clicking on a phishing email. However, only 16.1% of those same users will fail within 90 days of completing their first KnowBe4 training. After at least a year on the KnowBe4 platform, only 4.8% of those users will fail a phishing test. Organizations reduced their susceptibility to phishing attacks by an average of 84% in one year by following our recommended approach.