New KnowBe4 Benchmarking Report Finds 37.9% of Untrained End Users Will Fail a Phishing Test

The 2020 Phishing By Industry Benchmarking Report compiles the results of the third annual study by KnowBe4 and reveals how many users across 19 industries are susceptible to phishing and social engineering attacks. Taking it a step further, the research shows sharp drops in careless clicking after 90 days and after 12 months of simulated phishing testing and security awareness training.

I remember the days when I was a Gartner research analyst covering the security awareness space. For those of you who are unfamiliar with the analyst world, you might be surprised to find out that most of an analyst's day is filled with back-to-back phone calls – a.k.a. "inquiry calls" – from clients. And the focus of those inquiry calls was generally providing answers to the age-old question: "what are other people doing to solve problem ______?" or "I'm currently doing _____ and seeing ______ results. How does that compare with what you are hearing from others?"

Clients engaged in phishing simulation training programs were no different. They'd set up their tests, get a metric for the percentage of employees who clicked the link (or otherwise failed the test), and then ask that fateful question: "My Phish-prone percentage is ______. How does that compare to other organizations who look like me?" This is driven by the innate human need to pattern-match, compare, and predict.

Three Things to Consider When Reviewing Any Metric:

Those who work with me will know that I always recite three stages of evaluating and reacting to any metric. Specifically, when presented with a measurement, we need to address three questions:

  1. Look at the “what?” – The what is the metric itself. 
  2. Then you have to ask/answer the “so what?” – The so what is the natural question that flows from the ‘what.’ It is the striving for context and meaning. What does the metric mean? How do we orient around it and interpret it?
  3. Then lastly, you need to get to the “now what?” – The now what is all about determining your course of action based on the previous two questions and your goals.

If you are familiar with the OODA loop, you’ll likely start to draw some association:

  • Observe = the what
  • Orient = the so what
  • Decide = the now what
  • Act = Your plan and actions that flow from the now what.

KnowBe4’s New 2020 Phishing by Industry Benchmark Report to the Rescue

I've got exciting news for you. If you've been asking yourself these types of questions when you look at the results of your phishing tests, you can now answer them with confidence. We evaluated the results of over 9.5 million phishing tests sent to nearly 4 million users in 17,000 organizations. We segmented that data by industry type, organization size, and the length of time that each organization had been using phishing simulations as part of its awareness and training program. Oh yeah – and we also added some region-specific data and insights this year. You're welcome!  ☺


Needless to say, this is great data to have. And it helps you answer those critical questions that you, your team, and your board will be asking whenever you discuss phishing test results. 

Simulated Phishing Attacks

The results of the 2020 KnowBe4 Phishing by Industry Benchmarking Report clearly show where organizations' Phish-Prone™ percentages started and where they ended up after at least 12 months of regular testing and security awareness training. The study analyzed a data set that included nearly four million users across 17,000 KnowBe4 customers with over 9.5 million simulated phishing security tests across nineteen different industries.

The overall initial Phish-Prone percentage benchmark across all industries turned out to be a troubling 37.9%. Fortunately, the data showed that this 37.9% drops by more than half, to 14.1%, within 90 days of deploying new-school security awareness training. The one-year results show that organizations which keep up regular simulated phishing and training reach an average Phish-Prone percentage of 4.7%. Because the cohorts are defined by how long an organization has been running its program, the 90-day and one-year figures describe organizations that kept testing; read them as benchmarks for a program like yours rather than as a guaranteed trajectory.
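Turning raw campaign results into a Phish-Prone percentage that can be set against these benchmarks is mostly bookkeeping, but the bookkeeping decisions matter: does a second click count twice, does reporting the message after clicking undo the failure, and how are several campaigns in the same period combined? The following is an added illustration, not KnowBe4's code or the report's methodology. The event schema, the action names, the cohort labels and the sample campaign data are all constructed for the example; the only figures taken from the page are the three benchmark percentages quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed action taxonomy: which recorded actions count as failing a
# simulated phish ("clicked the link or otherwise failed the test").
FAIL_ACTIONS = frozenset({"clicked", "opened_attachment", "entered_data",
                          "enabled_macro", "replied"})
# Actions that do not count against the user.
SAFE_ACTIONS = frozenset({"delivered", "opened_email", "reported"})

# Benchmarks quoted in the report: initial, 90-day and 12-month Phish-Prone %.
INDUSTRY_BENCHMARK = {"baseline": 37.9, "90-day": 14.1, "12-month": 4.7}


@dataclass(frozen=True)
class Event:
    phase: str      # assumed cohort label: "baseline", "90-day" or "12-month"
    campaign: str   # one simulated phishing send
    user: str
    action: str


@dataclass
class PhaseResult:
    failed: int     # user-tests with at least one failing action
    delivered: int  # user-tests sent
    reported: int   # user-tests where the user reported the message
    pct: float      # Phish-Prone percentage, rounded to one decimal


def phish_prone(events):
    """Aggregate events into a Phish-Prone percentage per program phase.

    A user counts at most once per campaign no matter how many times they
    clicked, reporting the email after clicking does not undo the click,
    and campaigns in the same phase are pooled (failed user-tests over
    delivered user-tests), not averaged campaign by campaign.
    """
    delivered = defaultdict(set)   # (phase, campaign) -> users sent the test
    failed = defaultdict(set)
    reported = defaultdict(set)
    for e in events:
        if e.action not in FAIL_ACTIONS and e.action not in SAFE_ACTIONS:
            raise ValueError(f"unknown action {e.action!r} for {e.user}")
        key = (e.phase, e.campaign)
        delivered[key].add(e.user)      # any event implies the test reached them
        if e.action in FAIL_ACTIONS:
            failed[key].add(e.user)
        elif e.action == "reported":
            reported[key].add(e.user)

    results = {}
    for phase, campaign in delivered:   # dict order = first-seen phase order
        r = results.setdefault(phase, PhaseResult(0, 0, 0, 0.0))
        r.delivered += len(delivered[(phase, campaign)])
        r.failed += len(failed[(phase, campaign)])
        r.reported += len(reported[(phase, campaign)])
    for r in results.values():
        r.pct = round(100 * r.failed / r.delivered, 1) if r.delivered else 0.0
    return results


def benchmark_gap(results, benchmark=INDUSTRY_BENCHMARK):
    """Percentage-point difference from the benchmark; positive = more phish-prone."""
    return {phase: round(results[phase].pct - benchmark[phase], 1)
            for phase in results if phase in benchmark}


def _campaign(phase, campaign, n_users, extra):
    """Constructed sample data: every user gets a 'delivered' event, plus the listed actions."""
    evs = [Event(phase, campaign, f"u{i}", "delivered") for i in range(1, n_users + 1)]
    evs += [Event(phase, campaign, u, a) for u, a in extra]
    return evs


# Constructed campaigns: one baseline send, one at 90 days, two at 12 months.
SAMPLE_EVENTS = (
    _campaign("baseline", "c1", 10, [("u1", "clicked"), ("u2", "clicked"), ("u2", "clicked"),
                                     ("u3", "opened_attachment"), ("u4", "reported"),
                                     ("u5", "opened_email")])
    + _campaign("90-day", "c2", 10, [("u2", "clicked"), ("u2", "reported"), ("u4", "reported")])
    + _campaign("12-month", "c3", 10, [("u4", "reported"), ("u6", "reported")])
    + _campaign("12-month", "c4", 10, [("u7", "enabled_macro")])
)

if __name__ == "__main__":
    res = phish_prone(SAMPLE_EVENTS)
    for phase, r in res.items():
        print(f"{phase:9s} {r.failed:>3}/{r.delivered:<3} failed  "
              f"{r.reported} reported  Phish-Prone {r.pct}%")
    print("gap vs. industry benchmark (percentage points):", benchmark_gap(res))
```

With the constructed data this yields 30.0% at baseline (u2's double click counts once), 10.0% at 90 days (u2 clicked and then reported, which still counts as a failure) and 5.0% at 12 months (one failure pooled over two campaigns of ten users each). Whatever taxonomy you adopt, fix it before the first baseline test and keep it constant, or the trend line you show the board measures your definition change rather than your users.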

Now What?

Now what? I’m glad you asked. Your “now what” is to have a look at the report. You should also register for the webinar that Joanna Huisman and I are doing this week. We’ll be discussing the report in depth and teasing out some of the most interesting and relevant tidbits. Register here:

Download the Full Report Today! 

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
