Within the limits of one worldwide quantitative study, statistically significant improvements were noted for participants both in Asia and worldwide.
A cybersecurity firm has released findings from its analysis of a 2023 data set covering over 54m simulated phishing tests across more than 11.9m of its users from 55,675 organizations* in 19 different industries.
First, without security training, across all industries analyzed, 28.4% of employees in Asia (compared to 30% in a previous year’s analysis) were likely to click on a suspicious link or comply with a fraudulent request: 5.9% below the global average of 34.3%.
Second, after consistent training and testing, employees in Asia were less prone to phishing by 11.4% (worldwide average: 18.9%; Asia results were 7.5% better) within the first 90 days, and by a further 5.5% (worldwide average: 4.6%, a 0.9% difference) after a year of continuous training and testing. Final tally across both the 90-day and 12-month periods: Asia 16.9%, worldwide 23.5%, a difference of 6.6%.
Other trends extrapolated from the analysis include:
- Cyberattacks targeting sensitive data in both public and private sectors had increased in frequency, complexity, and severity in the data for the Asia Pacific region (APAC).
- The most common attack strategies encountered in the data in APAC were malware, ransomware, and social engineering attacks.
- While employees in the data were increasingly recognizing their responsibility to be phishing-aware, this varied widely based on organizational culture, training intensity, and linguistic and cultural diversity, pointing to a need to tailor cybersecurity education to those factors.
- In the data for APAC, AI was viewed as an emerging threat vector due to rapid adoption in certain industries that did not also implement stronger cybersecurity measures aligned with the additional cyber risks.
According to Dr Martin Kraemer, Security Awareness Advocate, KnowBe4, the firm that performed the analysis: “Although technology is important for preventing and recovering from cyberattacks, human error is still a big contributing factor to data breaches.”
*All organizations were categorized by industry type and size. Each organization’s phish-prone percentage (PPP) was calculated by measuring the percentage of employees (those with no prior phishing awareness training) who had clicked on a simulated phishing link or opened a simulated malware attachment during repeated testing campaigns. (Note: participants knew they were being periodically tested, and that they may suffer repercussions for repeated failures, according to the test mechanics on the KnowBe4 website.)