IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Security training cuts phishing risk by 86% globally in a year

Today

A newly published report indicates that security awareness training reduces global phishing click rates by 86%.

The "Phishing by Industry Benchmarking Report 2025" compiled by KnowBe4 analysed 67.7 million phishing simulations involving 14.5 million users across 62,400 organisations worldwide.

The report found an average global baseline Phish-prone Percentage (PPP) of 33.1%. This metric refers to the proportion of employees interacting with phishing simulations before undergoing structured security awareness training (SAT).

According to the report, SAT significantly reduces susceptibility to phishing. The findings show that the global PPP drops by 40% after three months of education and by 86% following a full year of continued training.
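The PPP and the percentage reductions quoted above are straightforward to compute from an organisation's own simulation records. The following is an added example, not code from the report or from KnowBe4; it assumes a simple record format (user id, training phase, whether the user interacted with the simulated phish) and a constructed ten-user sample. It counts a user as phish-prone for a phase if they interacted with at least one simulation in that phase, which is an assumption about the metric rather than the report's documented methodology.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationResult:
    """One delivered phishing simulation (hypothetical record format)."""
    user_id: str
    phase: str      # "baseline", "3m" or "12m" (months of SAT at send time)
    clicked: bool   # True if the user interacted with the simulated phish


def phish_prone_percentage(results, phase):
    """PPP for one phase: distinct users who interacted with at least one
    simulation in that phase, as a percentage of distinct users targeted.
    Counting distinct users (not deliveries) stops a single repeat clicker
    from inflating the figure."""
    targeted, clicked = set(), set()
    for r in results:
        if r.phase != phase:
            continue
        targeted.add(r.user_id)
        if r.clicked:
            clicked.add(r.user_id)
    if not targeted:
        raise ValueError(f"no simulations recorded for phase {phase!r}")
    return 100.0 * len(clicked) / len(targeted)


def relative_reduction(baseline_ppp, later_ppp):
    """Percentage drop from the baseline PPP (the '40% after three months'
    style figure), not the difference in percentage points."""
    return 100.0 * (baseline_ppp - later_ppp) / baseline_ppp


def ppp_report(results, phases=("3m", "12m")):
    """PPP per phase plus reduction against the pre-training baseline."""
    baseline = phish_prone_percentage(results, "baseline")
    report = {"baseline": {"ppp": baseline, "reduction": 0.0}}
    for phase in phases:
        ppp = phish_prone_percentage(results, phase)
        report[phase] = {"ppp": ppp, "reduction": relative_reduction(baseline, ppp)}
    return report


def _constructed_sample():
    """Constructed data: 10 users; 4 click before training, 2 after three
    months, 1 after a year. User u01 receives two baseline simulations and
    clicks only one, which must still count once."""
    users = [f"u{i:02d}" for i in range(1, 11)]
    clickers = {"baseline": {"u01", "u02", "u03", "u04"},
                "3m": {"u01", "u02"},
                "12m": {"u01"}}
    rows = []
    for phase, clicked_set in clickers.items():
        for u in users:
            rows.append(SimulationResult(u, phase, u in clicked_set))
    rows.append(SimulationResult("u01", "baseline", False))  # second delivery
    return rows


SAMPLE = _constructed_sample()

if __name__ == "__main__":
    for phase, stats in ppp_report(SAMPLE).items():
        print(f"{phase:>8}: PPP {stats['ppp']:5.1f}%  "
              f"reduction vs baseline {stats['reduction']:5.1f}%")
```

On the constructed sample the baseline PPP is 40.0%, falling to 20.0% (a 50% reduction) after three months and 10.0% (a 75% reduction) after a year. When comparing your own figures with the report, note that its reductions are relative to the baseline, so a drop from 33.1% to 4.1% is a reduction in the high eighties, not a 29-point fall stated as 29%.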

The study highlights that ongoing and effective SAT not only decreases risk but also establishes a stronger security culture within organisations. Measurable improvements become evident as quickly as three months after training begins.

Stu Sjouwerman, Chief Executive Officer of KnowBe4, stated, "The data speaks for itself — security awareness training truly makes a difference. From 2024 to 2025, the general trend has remained fairly consistent — around one-third of employees click on a simulated phishing link before taking part in training."

"However, the data shows a slight improvement in 2025. Within a year, we've seen a 3.5% decrease in the global baseline PPP, highlighting a positive shift in overall security awareness worldwide. However, there is still significant progress to be made in fully addressing phishing risks. By consistently prioritising relevant and engaging training, combined with simulated phishing, organisations can strengthen their human risk management strategies and better protect against phishing to improve overall security culture," he added.

The report examined risk differences by sector and organisation size. Healthcare and Pharmaceuticals, Insurance, and Retail and Wholesale emerged as the most at-risk industries, with baseline PPPs of 41.9%, 39.2%, and 36.5%, respectively. This indicates that employees in these sectors were the most likely to engage with potential phishing threats prior to training.

Larger organisations faced a greater initial risk. Those with over 10,000 employees had an average baseline PPP of 40.5%. Organisations with between 1 and 250 staff had a lower average baseline of 24.6%. The data indicates that the scale of an organisation can correspond with a heightened vulnerability to phishing before remedial action is taken.

Among organisations with 1,000 to 9,999 employees, the Healthcare & Pharmaceuticals, Hospitality, and Legal sectors all achieved an improvement of 91% in PPP scores after 12 months of ongoing SAT, demonstrating the potential for marked risk reduction within a year of continuous education.

Regional variation was also apparent in the findings. The highest baseline PPPs were found in South America at 39.1%, North America at 37.1%, and Australia and New Zealand at 36.8%. These figures indicate regional disparities in initial vulnerability to phishing before introducing training regimes.

The report provides quantifiable evidence that sustained investment in SAT, including simulated phishing campaigns, can result in enduring changes to employee behaviour. The decline from a global baseline PPP of 33.1% to just 4.1% after 12 months underscores the tangible benefits of a measured and continued approach to cybersecurity education.
