KnowBe4 Report Reveals Security Training Reduces Global Phishing Click Rates by 86%

KnowBe4’s Phishing by Industry Benchmarking Report 2025 has found that effective security awareness training (SAT) can reduce global phishing click rates by up to 86% within 12 months. The report, which analysed 67.7 million phishing simulations across 14.5 million users from 62,400 organisations, reveals a strong link between structured training and reduced employee susceptibility to phishing attacks.

At the start of training, the average global Phish-prone Percentage (PPP) stood at 33.1%. This figure represents the proportion of users likely to fall for phishing or social engineering attacks before undergoing SAT. Within just three months of training, the global PPP dropped by 40%. After 12 months of continuous training, it declined further to 4.1%, marking an overall improvement of 86%.

According to KnowBe4, the sharp decline highlights the effectiveness of ongoing SAT in building a resilient security culture and reducing human risk. The report also shows measurable behavioural changes as early as three months into the programme.

The 2025 data shows that certain sectors remain more vulnerable than others. The Healthcare and Pharmaceuticals industry reported the highest baseline PPP at 41.9%, followed by Insurance at 39.2% and Retail and Wholesale at 36.5%. These figures indicate a higher initial risk before SAT is introduced.

Larger organisations are also more exposed. Companies with over 10,000 employees had an average baseline PPP of 40.5%. In contrast, smaller firms with 1 to 250 employees had a significantly lower average of 24.6%.

Notably, organisations in the 1,000 to 9,999 employee range reported some of the highest improvements. Sectors like Healthcare and Pharmaceuticals, Hospitality and Legal showed a 91% reduction in PPP after 12 months of training.

By region, the highest initial click rates were recorded in South America (39.1%), North America (37.1%) and Australia and New Zealand (36.8%). These figures underline regional gaps in initial security awareness levels before any training is delivered.

Stu Sjouwerman, CEO of KnowBe4, said, “The data speaks for itself. Security awareness training makes a measurable difference. While we saw consistent patterns from 2024 to 2025, there was a 3.5% improvement in the global baseline PPP this year. That shows a positive trend in security awareness globally. But there is still a long way to go. Organisations must continue to prioritise relevant and engaging training along with simulated phishing exercises to strengthen their human risk management strategies.”

The report clearly shows that consistent investment in security awareness programmes is essential. It not only reduces vulnerability but also helps build long-term behavioural resilience against cyber threats.

iConnect is a proud KnowBe4 partner in the UAE and was honoured as the Best KnowBe4 Partner in the UAE for 2025. We specialise in delivering comprehensive security awareness training programmes that help organisations strengthen their human risk management and reduce phishing threats. To learn how iConnect can help your organisation build a stronger security culture and defend against cyberattacks, contact us today for a consultation.
