The KnowBe4 “Phishing by Industry Benchmarking Report 2025” (US market) reveals that comprehensive security awareness training (SAT) significantly reduces the likelihood of employees falling victim to phishing attacks. The report indicates a dramatic drop in the global Phish-prone Percentage (PPP) to just 4.1% after 12 months of effective training.
The study analysed 67.7 million phishing simulations across 14.5 million users from 62,400 organisations, establishing a baseline PPP of 33.1%. This figure indicates that one-third of employees interacted with phishing simulations prior to receiving training. The data highlights the profound impact of ongoing SAT on mitigating risks associated with phishing threats.
Following the implementation of training, the global PPP decreased by 40% within just three months, and by an impressive 86% after one year.
These results underscore the effectiveness of continuous education in fostering a stronger security culture within organisations, demonstrating that even short-term training can lead to significant behavioural changes.
Key findings
- At-Risk Industries: The report identified Healthcare & Pharmaceuticals as the most vulnerable sector, with a baseline PPP of 41.9%, followed closely by Insurance at 39.2% and Retail & Wholesale at 36.5%.
- Organisational Size and Risk: Larger organisations, particularly those with over 10,000 employees, exhibited a higher initial phishing risk, with a PPP of 40.5%. In contrast, smaller organisations with 1-250 employees had a significantly lower PPP of 24.6%.
- Improvement Rates: Among organisations with 1,000-9,999 employees, sectors like Healthcare & Pharmaceuticals, Hospitality, and Legal achieved remarkable PPP improvement rates of 91% following 12 months of ongoing training.
- Regional Variations: The highest baseline PPPs were recorded in South America (39.1%), North America (37.1%), and Australia and New Zealand (36.8%).

“The data speaks for itself — security awareness training truly makes a difference,” said Stu Sjouwerman, CEO of KnowBe4. He noted a slight improvement in 2025, with the global baseline PPP decreasing by 3.5% compared to the previous year.
This indicates a positive shift in security awareness worldwide, yet there remains significant progress to be made in fully addressing phishing risks.
By prioritising engaging and relevant training, combined with simulated phishing exercises, organisations can strengthen their human risk management strategies and enhance their overall security culture. The findings highlight the essential role of continuous education in combating the ever-evolving threat landscape of phishing attacks.