The Hard Evidence That Phishing Training and Testing Really Works Great

Security awareness training (SAT) and simulated phishing work to significantly reduce cybersecurity risk. We have the data, customer testimonials and government recommendations to prove it.

Social engineering, especially as enabled by email, text messages, the web and phone calls, is involved in the vast majority of cybersecurity attacks. No other root initial access hacking method comes close.

Cybersecurity experts state that social engineering is involved in 60% to over 90% of all successful data breaches.

For example, Barracuda Networks reported that spear phishing accounted for 66% of all successful compromises. Seventy-nine percent of all successful credential thefts came through phishing. Avast recently stated that 90% of all cyberattacks involve social engineering. Reports may differ over the exact percentage, but they all agree that social engineering is the number one threat.

And if you do not aggressively try to mitigate social engineering using your best defense-in-depth combination of policies, technical defenses and education, you or your organization are more likely to become a part of those statistics.

It is important to note that social engineering is the number one threat only after it has already gotten past every existing policy and technical defense. Some estimates state that as many as one in every seven malicious emails makes it past content filters.

Until the--unlikely--event where we get proven technical defenses that work to prevent all social engineering, we will need continuous education to help users spot and report social engineering attacks. Note this U.S. Government FedRAMP recommendation: "Users are the last line of defense and should be tested." We recommend frequent training (at least monthly) and frequent simulated phishing campaigns (weekly if possible, because you can gamify it and get great results that way).

Security Awareness Training Analysis Whitepaper

KnowBe4 has the data from over 60,000 customer organizations worldwide who use our platform as recommended. They were able to significantly reduce the likelihood that a user will click on a phishing attack, and the more frequently the training and simulated phishing occur, the better.

The numbers tell the story

We analyzed over 10 years of records from those 60K+ customers, comprising 32,604,108 separate individual users, who took a total of 493,871,295 Phishing Security Tests (PSTs) and participated in awareness training at least once a year. We believe this is the largest analysis, in terms of both customers and test numbers, of any study of this kind.

We found these 5 main points:

  1. Groups that did frequent PSTs performed better in detecting simulated phishing campaigns than groups that did not.
  2. The more frequently that groups did PSTs, the better the users performed on simulated phishing tests. The more PSTs, the better.
  3. Groups that did weekly PSTs were 2.74 times more effective in reducing risk than groups that only did less than quarterly PSTs.
  4. The longer a group trained, the better they did on simulated phishing tests.
  5. Groups that did both training and simulated phishing tests did the best.

Customer Testimonials

This is not just us saying training works. Our customers see the improvement in their own environments and support the effectiveness of SAT.

“I can spend any amount of money on firewalls, on filters, on anything like that…and none of that does me any good if my end users are clicking on phishing emails. So, I need to train them and help them to detect and not fall victim to phishing scams. I would give KnowBe4 a 10 out of 10 rating.”


"One of the first things I did when starting at my current company was to have a penetration test performed on the entire network. The results were pathetic. MFA was not being used; users had no idea of what a phishing message really is, how to spot one or what to do. The pen test revealed that our users were clicking on any and everything with no regard for safety. KnowBe4 changed that in 6 months."


“I've had the privilege of using the KnowBe4 Security Awareness Training platform for some time now, and I must say it's been a game-changer in the realm of cybersecurity education. As cyber threats continue to evolve and become more sophisticated, having an effective training solution like KnowBe4 has become imperative for individuals and organizations alike.”


“One of the best features of KnowBe4 is that its relevance in peoples' personal lives as well as the business environment is outstanding. The variety of topics including multifactor authentication and social media have received high praise from those who have gone through it, to the point where they can pass on the knowledge to their families and friends.”


“The Phish Alert Button, and PhishER, are also amazing tools that help us keep on top of cybersecurity. Our employees actively use the PAB and not just on their training emails. We are able to keep a better eye on potential threats, and keep our employees diligent when dealing with these threats.”


“Updated content ensures that the campaigns I create remain relevant to the uprising of different security threats.”

Creating Your Security Awareness Training Policy

Doing cybersecurity training once a year to meet a compliance requirement does not work. We recommend a longer SAT training session when employees are hired (say 15-30 minutes), and a similar longer session once a year thereafter. Then, SAT training should be at least monthly, although shorter in duration (say three to five minutes). 

Simulated phishing campaigns should be conducted at least once a month. However, we found that organizations that conduct phishing tests weekly had been able to drive down their social engineering risk score the lowest. Recipients “failing” a simulated phishing test should be given more training.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Advisory recommends “continuous training”. The recent introduction of an integrated Phish Alert Button in Microsoft Outlook makes things easier and leads to better threat detection and prevention.

2024 Phishing by Industry Benchmarking Report

We continue to see the proven success of security awareness training and simulated phishing in 2024. Our most recent Phishing by Industry Benchmarking study, involving over 54.1M simulated phishing tests, 55,700 separate organizations and over 11.9M users, revealed the following three key facts:

  1. Around a third of users (34.3%) are susceptible to simulated phishing tests when first joining KnowBe4’s platform.
  2. Ninety (90) days later, the “Phish-prone Percentage™” is down to 18.9%.
  3. A year later or more, the Phish-prone Percentage is down to 4.6%.

This is an 86% improvement. No other cybersecurity risk reduction technique works as well and as fast. Get your report here and compare yourself to your peers.

Fantastic ROI

And it goes without saying that deploying KnowBe4 has fantastic ROI. The combination of SAT with PhishER Plus, combined with Compliance Training, all using the same platform, has incredible returns. Forrester showed a three-year ROI of 276% with payback in less than 3 months. Get your copy of the study here.

You, of course, should not do SAT and simulated phishing in a way that makes your co-workers upset or disgruntled. If you are creating unhappy campers because of SAT and simulated phishing tests, you are doing it wrong. Use your SAT program to reduce cybersecurity risk and to create a culture of healthy skepticism when your users get sent a suspicious-looking message.

If you are interested in creating a professional corporate SAT policy, we have a guide for that. It discusses the sections that a corporate SAT program policy document should contain followed by an example of a corporate program SAT policy.

To reiterate, security awareness training works! We have the data, the customer testimonials, and government cybersecurity organizations on our side. Let's create a stronger security culture and keep our networks safe!

Request A Demo: Security Awareness Training

New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one-and-done deal: continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
