Guess what? Over the past several months, the KnowBe4 elves have been working around the clock analyzing billions of rows of data to uncover meaningful insights. Their latest offering is the 2021 Phishing by Industry Benchmarking Report. The report analyzes Phish-Prone™ percentage (PPP) across millions of individual users pulled from anonymized KnowBe4 customer data. This marks the fourth year that we’ve conducted this study, and I’m always a bit awestruck by the results.
If you aren’t familiar with our Phishing by Industry Benchmarking Report, let me catch you up. The purpose of this report is to analyze and understand the impact of a new-school security awareness approach on an organization’s susceptibility to phishing or social engineering attacks. To do this, we analyze data from three phases:
- Phase One: If you haven’t trained your users and you send a phishing attack, what is the initial resulting PPP? To do this, we monitored employee susceptibility to an initial baseline simulated phishing security test. From that established set of users, we look at any time a user has failed a simulated phishing security test prior to having completed any training.
- Phase Two: What is the resulting PPP after users complete training and receive simulated phishing security tests within 90 days after training? We answered this question by finding when users completed their first training event and looking for all simulated phishing security events up to 90 days after that training was completed.
- Phase Three: What is the final resulting PPP after users take ongoing training and monthly simulated phishing tests? To answer this, we measured security awareness skills after 12 months or more of ongoing training and simulated phishing security tests, looked for users who completed training at least one year ago, and took the performance results on their very last phishing test.
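The three phases above amount to a cohort calculation over two event streams per user: phishing-test results and training completions. The following is an added illustration of that calculation, not KnowBe4's own code or exact methodology. It assumes a simple event record (user, kind, date, failed flag), that PPP is measured per user (a user counts as Phish-Prone in a phase if they failed at least one test in that phase's window), a 90-day window for Phase Two, a 365-day tenure requirement for Phase Three, and a constructed sample of five hypothetical users.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One row of the per-user event stream (hypothetical schema)."""
    user: str
    kind: str                      # "test" or "training"
    day: date
    failed: Optional[bool] = None  # only meaningful when kind == "test"


# Constructed sample data, not customer data: five hypothetical users.
EVENTS = [
    Event("A", "test", date(2019, 6, 1), True),
    Event("A", "training", date(2019, 6, 15)),
    Event("A", "test", date(2019, 7, 10), True),    # fails inside 90-day window
    Event("A", "test", date(2020, 1, 5), False),
    Event("A", "test", date(2021, 2, 10), False),   # last test: pass
    Event("B", "test", date(2019, 6, 1), False),
    Event("B", "training", date(2019, 6, 15)),
    Event("B", "test", date(2019, 8, 1), False),
    Event("B", "test", date(2021, 2, 10), False),
    Event("C", "test", date(2019, 6, 1), True),
    Event("C", "test", date(2019, 6, 5), True),
    Event("C", "training", date(2019, 6, 20)),
    Event("C", "test", date(2019, 7, 1), False),
    Event("C", "test", date(2019, 11, 1), True),    # outside the 90-day window
    Event("C", "test", date(2021, 2, 10), True),    # last test: fail
    Event("D", "test", date(2020, 12, 1), False),
    Event("D", "training", date(2020, 12, 10)),     # trained < 1 year ago
    Event("D", "test", date(2021, 1, 15), True),
    Event("E", "test", date(2020, 5, 1), True),     # never trained
]


def _by_user(events: List[Event]) -> Dict[str, List[Event]]:
    """Group events per user, sorted chronologically."""
    users: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        users[e.user].append(e)
    for evs in users.values():
        evs.sort(key=lambda e: e.day)
    return users


def _first_training(evs: List[Event]) -> Optional[date]:
    days = [e.day for e in evs if e.kind == "training"]
    return min(days) if days else None


def _tests(evs: List[Event]) -> List[Event]:
    return [e for e in evs if e.kind == "test"]


def _ppp(flags: List[bool]) -> Optional[float]:
    """Phish-Prone percentage: share of included users flagged as failing."""
    return None if not flags else round(100.0 * sum(flags) / len(flags), 1)


def phase_one_ppp(events: List[Event]) -> Optional[float]:
    """Baseline: users who failed any test before completing any training."""
    flags = []
    for evs in _by_user(events).values():
        first = _first_training(evs)
        pre = [t for t in _tests(evs) if first is None or t.day < first]
        if pre:
            flags.append(any(t.failed for t in pre))
    return _ppp(flags)


def phase_two_ppp(events: List[Event], window: timedelta = timedelta(days=90)) -> Optional[float]:
    """Users who failed any test within `window` after their first training."""
    flags = []
    for evs in _by_user(events).values():
        first = _first_training(evs)
        if first is None:
            continue
        in_window = [t for t in _tests(evs) if first <= t.day <= first + window]
        if in_window:
            flags.append(any(t.failed for t in in_window))
    return _ppp(flags)


def phase_three_ppp(events: List[Event], as_of: date,
                    min_tenure: timedelta = timedelta(days=365)) -> Optional[float]:
    """Users trained at least `min_tenure` ago, judged on their very last test."""
    flags = []
    for evs in _by_user(events).values():
        first = _first_training(evs)
        if first is None or as_of - first < min_tenure:
            continue
        later = [t for t in _tests(evs) if t.day > first]
        if later:
            flags.append(bool(later[-1].failed))
    return _ppp(flags)


def improvement(baseline: float, final: float) -> float:
    """Relative reduction in PPP, in percent (the report's headline figure)."""
    return round(100.0 * (1.0 - final / baseline), 1)


if __name__ == "__main__":
    as_of = date(2021, 3, 1)
    p1, p2, p3 = phase_one_ppp(EVENTS), phase_two_ppp(EVENTS), phase_three_ppp(EVENTS, as_of)
    print(f"Phase 1: {p1}%  Phase 2: {p2}%  Phase 3: {p3}%  Improvement: {improvement(p1, p3)}%")
```

Applying `improvement()` to the report's own headline numbers (31.4% baseline, 4.8% after a year) reproduces the roughly 84% figure quoted below; the sample data exists only to exercise the cohort rules, including a never-trained user who counts only in Phase One and a recently trained user who is excluded from Phase Three.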
This year’s inclusion dataset spanned 19 industries and comprised over 6.6 million users across 23,400 organizations with over 15.5 million simulated phishing security tests.
Here’s what we found:
For 2021, the overall PPP baseline average across all industries and organization sizes was 31.4%, meaning just under a third of an average company’s employees could be at risk of clicking on a phishing email. However, only 16.1% of those same users will fail within 90 days of completing their first KnowBe4 training. After at least a year on the KnowBe4 platform, only 4.8% of those users will fail a phishing test. Organizations reduced their susceptibility to phishing attacks by an average of 84% in one year by following our recommended approach.
There is value in finding context:
I remember the days when I was a Gartner research analyst covering the security awareness space. For those of you who are unfamiliar with the analyst world, you might be surprised to find out that most of an analyst’s day is filled with back-to-back phone calls – a.k.a. “inquiry calls” – from clients. And the focus of those inquiry calls was generally providing answers to the age-old question: “what are other people doing to solve problem ______?” or “I’m currently doing _____ and seeing ______ results. How does that compare with what you are hearing from others?”
Clients engaged in phishing simulation training programs were no different. They’d set up their tests, get a metric related to the percentage of employees who clicked the link (or otherwise failed the test), and then ask that fateful question: “My Phish-Prone percentage is ______. How does that compare to other organizations who look like me?” This is driven by the innate human need to pattern-match, compare, and predict.
Three Things to Consider When Reviewing Any Metric:
Those who work with me will know that I always recite three phases of evaluating and reacting to any metric. Specifically, when presented with an evaluation, we need to address three questions:
- Look at the “what?” – The ‘what’ is the metric itself.
- Then you have to ask/answer the “so what?” – The ‘so what’ is the natural question that flows from the ‘what.’ It is the striving for context and meaning. What does the metric mean? How do we orient around it and interpret it?
- Then lastly, you need to get to the “now what?” – The ‘now what’ is all about determining your course of action based on the previous two questions and your goals.
The Phishing by Industry Benchmarking Report is great for helping you evaluate your organization’s Phish-Prone percentage (the “what?”) and to find context (the “so what?”). It gives you that extra bit of contextual data you need to know so you can gain an accurate understanding of how you compare to other organizations. That’s immensely valuable because it helps push you to that final “now what?” question… and that’s where things get really interesting.