Those who have undergone frequent, continual cybersecurity awareness testing and training are the most immune, of course…

In one cybersecurity firm’s analysis of a data set covering more than 9.5 million users across 30,173 organizations, drawn from around 23.4 million simulated phishing security tests in 19 different industries and conducted to discover how many employees are likely to fall for phishing or a social-engineering scam, 32.4% of all employees who had not undergone any security training were likely to click on a suspicious link or comply with a fraudulent request. The firm calls this figure the Phish-prone Percentage (PPP).

In some large industry categories, such as Consulting, Energy & Utilities, and Healthcare & Pharmaceuticals, the figure exceeded 50%.

The Asia Pacific region (APAC) was slightly above the global average, at 34.5% of untrained employees. Large organizations (those with more than 1,000 employees) with no prior staff security training showed a PPP of 36.7%, roughly four percentage points above the global average in the data set.

When organizations in the data set implemented a combination of security awareness training and simulated phishing security testing (with training delivered monthly or more frequently), the average PPP fell to 17.6% within 90 days of completed training. After 12 months of training and simulated phishing tests, the average PPP dropped to 5%, indicating that the new habits had become normalized.

In the APAC region, the PPP of small and medium-sized organisations improved to 21.1% and 19.2% respectively. After one year of training, small organizations showed the greatest gain, with their PPP dropping to 4.4%.

Said Stu Sjouwerman, CEO, KnowBe4, the firm which conducted the analysis: “Given that most data breaches originate from social engineering, we cannot afford to omit the human element. Implementing security awareness training with simulated phishing testing will help to (improve protection of) organizations against cyberattacks and result in a more secure organizational culture.”