Annual phishing benchmarking report

Cybersecurity training is effective


KnowBe4 releases the results of the 2024 Phishing Benchmarking Report. This allows companies to measure their Phish-prone Percentage (PPP), which indicates how many of their employees are likely to fall for phishing or social engineering scams.

This year’s report shows that European workers without security awareness training have a slightly better PPP value of 32.6 percent compared to the global average of 34.3 percent. This suggests that European workers are somewhat less likely to click on malicious links or comply with fraudulent requests.


KnowBe4 analyzed 54 million simulated phishing tests involving nearly 12 million users from 55,675 organizations across 19 different industries. This established a PPP baseline indicating click rates on phishing tests for employees without KnowBe4 security awareness training. European organizations that conducted regular security awareness training and simulated phishing tests after the initial baseline test saw an average reduction in PPP to 20.3 percent within 90 days. After 12 months of continuous training and testing, the PPP further decreased to 5.5 percent.

The long-term results are impressive, but they are still slightly above the global average of 18.9 percent after 90 days and 4.6 percent after a year of consistent training and testing. This shows that organizations in Europe need to further intensify their efforts to reduce human risk in cybersecurity. The drastic reduction in the number of security breaches after both three and twelve months proves that improving security culture is effective. It requires changing existing habits and promoting new secure behaviors. When employees internalize new behaviors, these become habits and evolve into standard practices that shape the organizational culture and create a workforce that instinctively prioritizes security. The key findings of the report are:

  • Europe’s small and medium-sized enterprises are most frequently phished.
  • Public administration is the most frequently attacked sector, followed by individuals and healthcare.
  • Ransomware is and remains one of the most common cyber threats transmitted through phishing.
  • The economic impact of cyberattacks is enormous.
  • There is a noticeable increase in information manipulation.
  • Only 32 to 35 percent of European organizations assess their cyber risks more than once a year.
  • The growing threat of misinformation and disinformation to organizations, amplified by advances in AI.
  • The increasing sophistication in the formulation of phishing and spear-phishing, driven by AI tools. “In Europe, there is a growing understanding and recognition that all employees must be involved in a company’s cyber defense, regardless of the size of the company,” says Dr. Martin J. Krämer, Security Awareness Advocate at KnowBe4. “Although views on cybersecurity have shifted from a more compliance-based task to a strategic priority, this change is happening slowly. This needs to change. Companies must emphasize the importance of continuous security awareness to build a strong security culture. This, along with technology, is essential for combating cyber threats.”

(pd/ KnowBe4)

Weitere Artikel