KnowBe4's 2022 Phishing By Industry Report

By: Marco
September 14, 2022

There are many different kinds of cyberattacks, but 91% of them begin the same way — with a simple spear phishing email. Phishing scams pose a significant threat to organizations of every size. Despite this, roughly 20% of workplaces only deliver phishing awareness training to their employees annually, and some provide no training at all.

Fortunately, there are comprehensive solutions available to safeguard your organization against phishing. KnowBe4’s security awareness training, in particular, is state-of-the-art.

What is KnowBe4?

KnowBe4 provides world-class security awareness training through a series of automated campaigns, simulated attacks, and enterprise-strength reporting to track progress. The company also provides an in-depth annual report.

What’s Inside the KnowBe4 Phishing by Industry Report?

The most recent report analyzed data from 9.5 million users across over 30,000 organizations with over 23.4 million simulated phishing tests. This data was used to generate a percentage of how many employees are phish-prone by industry and also illustrate the effectiveness of long-term training.

This report includes the following information:

  • New phishing benchmark data for 19 industries
  • Who’s susceptible to phishing and what you can do about it
  • Tips to boost your defenses against phishing
  • The value of security awareness training

What did the 2022 Report Reveal?

Even though email security has gotten a significant amount of attention in recent years, susceptibility to phishing remains shockingly high.

The overall 2022 Phish Prone Percentage (PPP) average across all surveyed industries of all sizes was 32.4%, representing a one-point increase from 2021. That means that without specialized security awareness training, one out of three employees is likely to click on a suspicious link or email or comply with a fraudulent request. However, there was some variety across different industries.

Wondering just how phish prone your colleagues are? Make your predictions and read on. Remember, extremely low PPP scores are desirable!

Small Organizations (1-249 Employees, U.S.)

Although the education industry showed some improvement from the previous year, it still had the highest PPP, at 32.7%. Healthcare and pharmaceuticals followed with 32.5%, and retail and wellness took the third spot, at 31.5%. The lowest PPP in small organizations was banking, with a PPP of 25.4%.

Mid-Sized Organizations (250-999 Employees, U.S.)

Mid-sized organizations didn’t change much from last year. The hospitality industry took the top PPP spot, with 39.4%, followed by healthcare and pharmaceuticals at 36.6%, and energy and utilities at 34%. Government organizations fared much better, at 26.4%. Here’s a bit of good news: while the top three stayed in the top three, their scores all showed some improvement.

Large Organizations (1,000 Employees or More, U.S.)

Energy and utilities went from having the highest PPP to the third highest, at 50.9%. Insurance took their place at 52.3%. The consulting industry followed, with a PPP of 52.2%. Large hospitality organizations actually fared best in this group, with a PPP of 20.4%.

Good and Bad News for American Organizations

Some industries showed significant improvement over last year, including large construction companies. But large consulting companies, unfortunately, jumped from 28.4% to 52.2% in a single year. And large banking, healthcare and pharmaceutical, and energy and utility organizations still have PPPs higher than 40%.

What Does the Report Say About KnowBe4 Training?

After only 90 days of security awareness training, organizations overall made significant progress, dropping their PPP to 17.6%. Among small organizations, education experienced the most significant decrease. Hospitality organizations made the greatest progress among mid-sized organizations, and among larger organizations, insurance cut their PPP by 67%, going from 52.3% to just 17.3%.

After a year of ongoing training, the average PPP made another dramatic drop to just 5%, which represents an 85% improvement. The banking industry did even better among small to mid-sized organizations, scoring 2.6% and 3.3%, respectively. Among larger organizations, hospitality reduced their PPP to a mere 1.3%.

Key Takeaways From the KnowBe4 Phishing Report

Baseline PPP data and additional data following training reveal the following: 

  • Every organization is at serious risk without new-school security awareness training. Almost a third of American workers are highly susceptible to social engineering and phishing scams.
  • Every organization can see significant improvement through robust and ongoing training, including simulated phishing scenarios and social engineering education.
  • A highly effective security awareness training strategy can help accelerate results.
  • In addition to regular training, organizations should have a clear mandate for training, show alignment with other security policies, maintain an active connection to their overall security culture and the human layer of security, and demonstrate full executive support and participation.

Why You Should Hire a Pro for Security Awareness Training 

Careless clicking is a habit, and habits can be difficult to break. Security awareness training can be frustrating, especially after multiple warnings and examples don’t yield quick results. But boosting awareness isn’t enough. Employees need to buy into cybersecurity best practices. A positive learning experience is the best way to gain that buy-in and drive lasting change.

An organization that specializes in providing this training can also cater to different learning styles and provide a more engaging experience. That sounds well and good, but there’s impressive data suggesting that making the learning experience more engaging goes a long way towards achieving impressive results on a predictable timeline.

KnowBe4’s data demonstrates that its security awareness training is better at reducing vulnerabilities than other training programs, which is why all of us at Marco are proud to partner with KnowBe4 to offer this solution to our clients.  

Cybercrime isn’t going away any time soon. The risk of getting caught is very low, and the profits remain high. And while the human layer is typically an organization’s weakest line of defense,  with proper training, your staff could be one of your greatest cybersecurity assets.

In Addition to Phishing Training, How Can You Protect Your Organization? 

One tool, no matter how sophisticated it is, will never be enough to protect your organization from ever-evolving cyber threats. Furthermore, what was considered a sufficient defense years ago has also evolved. 

If you haven’t had a professional evaluation of your organization’s cybersecurity posture in the past few years, a cybersecurity assessment is the best way to understand what your organization is already doing well, and where there may be areas of vulnerability.

Learn more about a Cybersecurity Assessment Get Started Today

Topics: Security