It’s no secret that cybercrime is a lucrative business; Cybersecurity Ventures reports that it’s estimated to cost the world $6 trillion in damages by 2021. What’s more, ransomware alone is a multi-billion-dollar business. According to Verizon’s 2019 Data Breach Investigation Report, phishing is the number one threat used in successful breaches.
Cybercriminals prey on organizations using tricky phishing and social engineering tactics (mostly via email), and they rely on an employee’s naivete for success. An employee’s susceptibility to these attacks is referred to as their phish-prone percentage (PPP).
Baseline phish-prone percentage by industry
In an effort to understand the depth of vulnerability, KnowBe4 conducted research using a baseline phishing test for organizations varying in size and across multiple industries. Below are the results they found, sorted by industry and size:
| Industry | 1-249 employees (PPP, %) | 250-999 employees (PPP, %) | 1000+ employees (PPP, %) |
|---|---:|---:|---:|
| Banking | 29.3 | 31.3 | 25.7 |
| Business Services | 34.5 | 31.7 | 27.9 |
| Construction | 37.9 | 37.1 | 36.7 |
| Consulting | 29.2 | 31.9 | 24.2 |
| Consumer services | 26.3 | 33.3 | 23 |
| Education | 33.6 | 31.4 | 28.2 |
| Energy & Utilities | 34.8 | 32 | 34.4 |
| Financial Services | 31.1 | 31.7 | 29.1 |
| Government | 34.7 | 29.8 | 23.5 |
| Healthcare & Pharmaceuticals | 33.1 | 32.9 | 27.6 |
| Hospitality | 34 | 23.6 | 48.4 |
| Insurance | 36.4 | 34.9 | 31.2 |
| Legal | 32.2 | 29.6 | 32.7 |
| Manufacturing | 36.1 | 34.1 | 30.9 |
| Not-For-Profit | 35.4 | 32.3 | 30.1 |
| Other | 31 | 29.2 | 22.4 |
| Retail & Wholesale | 36.7 | 32.9 | 26.4 |
| Technology | 34.3 | 31.3 | 31.4 |
| Transportation | 33.5 | 33.7 | 16.4 |
Overall, KnowBe4 found that the initial baseline PPP average across all industries and sizes was an overwhelming 30%. This means that one in every three employees was susceptible to a phishing attack that could potentially shut down operations at an organization and cost thousands of dollars to recover.
Computer-based training (CBT) impact on phish-prone percentage (PPP)
After the baseline testing was completed, KnowBe4 took the same sample of organizations and enrolled the employees in computer-based training (CBT) for 90 days. The results proved to be astounding:
| Industry | 1-249 employees (PPP, %) | 250-999 employees (PPP, %) | 1000+ employees (PPP, %) |
|---|---:|---:|---:|
| Banking | 9.7 | 12 | 16.4 |
| Business Services | 15.9 | 13.3 | 21.3 |
| Construction | 16.8 | 19.7 | 15 |
| Consulting | 13 | 13.7 | 4.1 |
| Consumer services | 16.1 | 16.5 | 15.4 |
| Education | 18.6 | 20.9 | 19.3 |
| Energy & Utilities | 13.9 | 16 | 13 |
| Financial Services | 12.6 | 13.2 | 16.4 |
| Government | 14.5 | 14.9 | 10.8 |
| Healthcare & Pharmaceuticals | 17.8 | 14.8 | 19 |
| Hospitality | 26.5 | 14.3 | 0* |
| Insurance | 15.5 | 16 | 15.3 |
| Legal | 15.6 | 11.4 | 3.8 |
| Manufacturing | 16.5 | 15.9 | 14.6 |
| Not-For-Profit | 16.3 | 16.5 | 16.4 |
| Other | 16.3 | 19.7 | 13.7 |
| Retail & Wholesale | 15.6 | 13.3 | 15.8 |
| Technology | 16.9 | 16.9 | 17.2 |
| Transportation | 12.1 | 19.6 | 15.8 |

(* data set too low)
KnowBe4 found that with just 90 days of CBT, organizations (on average) were able to cut their PPP in half.
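To make the PPP metric concrete, here is an added example (not code from the original post, MainSpring or KnowBe4) that computes a phish-prone percentage from the raw results of a simulated phishing campaign. It assumes a simple definition of PPP, the share of unique recipients who took a risky action on the simulated email, and uses a constructed event log for a "baseline" campaign, a "day90" campaign after training, and a "tiny" campaign with too few recipients to report (the same caveat the table above marks with an asterisk). The event names, the `MIN_RECIPIENTS` threshold and the campaign data are all assumptions made for the illustration.

```python
"""Compute phish-prone percentage (PPP) from simulated-phishing campaign results.

Constructed example. PPP is assumed here to mean the percentage of unique
recipients who took a risky action (clicked the link, opened the attachment
or entered credentials) on a simulated phishing email, measured per campaign.
"""
from collections import defaultdict

# Constructed event log: (campaign, user, event). A user may generate several
# events in one campaign; only unique users are counted towards PPP.
EVENTS = [
    ("baseline", "alice", "delivered"), ("baseline", "alice", "clicked"),
    ("baseline", "alice", "clicked"),   # duplicate click, counted once
    ("baseline", "bob", "delivered"),   ("baseline", "bob", "reported"),
    ("baseline", "carol", "delivered"), ("baseline", "carol", "opened_attachment"),
    ("baseline", "dave", "delivered"),
    ("baseline", "erin", "delivered"),  ("baseline", "erin", "clicked"),
    ("baseline", "frank", "delivered"),
    ("baseline", "grace", "delivered"), ("baseline", "grace", "reported"),
    ("baseline", "heidi", "delivered"),
    ("baseline", "ivan", "delivered"),  ("baseline", "ivan", "clicked"),
    ("baseline", "judy", "delivered"),
    ("day90", "alice", "delivered"),    ("day90", "alice", "reported"),
    ("day90", "bob", "delivered"),
    ("day90", "carol", "delivered"),    ("day90", "carol", "clicked"),
    ("day90", "dave", "delivered"),
    ("day90", "erin", "delivered"),     ("day90", "erin", "reported"),
    ("day90", "frank", "delivered"),    ("day90", "frank", "clicked"),
    ("day90", "grace", "delivered"),
    ("day90", "heidi", "delivered"),
    ("day90", "ivan", "delivered"),
    ("day90", "judy", "delivered"),
    ("tiny", "alice", "delivered"),     ("tiny", "alice", "clicked"),
    ("tiny", "bob", "delivered"),
]

# Actions that count as "phish-prone" behaviour (assumed set).
RISKY_ACTIONS = {"clicked", "opened_attachment", "entered_credentials"}
# Below this many recipients a PPP is not statistically meaningful; report None
# instead, mirroring the "data set too low" footnote in the benchmark table.
MIN_RECIPIENTS = 5


def ppp_by_campaign(events, min_recipients=MIN_RECIPIENTS):
    """Return {campaign: {"recipients", "ppp", "report_rate"} or None}."""
    delivered = defaultdict(set)
    risky = defaultdict(set)
    reported = defaultdict(set)
    for campaign, user, event in events:
        if event == "delivered":
            delivered[campaign].add(user)
        elif event in RISKY_ACTIONS:
            risky[campaign].add(user)
        elif event == "reported":
            reported[campaign].add(user)

    results = {}
    for campaign, users in delivered.items():
        n = len(users)
        if n < min_recipients:
            results[campaign] = None  # too few recipients to report a PPP
            continue
        # Intersect with delivered users so stray events cannot inflate the rate.
        results[campaign] = {
            "recipients": n,
            "ppp": round(100.0 * len(risky[campaign] & users) / n, 1),
            "report_rate": round(100.0 * len(reported[campaign] & users) / n, 1),
        }
    return results


def improvement(before_ppp, after_ppp):
    """Relative PPP reduction in percent (positive means fewer risky users)."""
    if not before_ppp:
        return None
    return round(100.0 * (before_ppp - after_ppp) / before_ppp, 1)


if __name__ == "__main__":
    stats = ppp_by_campaign(EVENTS)
    for name, s in stats.items():
        print(name, s if s else "data set too low")
    print("improvement:", improvement(stats["baseline"]["ppp"], stats["day90"]["ppp"]), "%")
```

Tracking the report rate alongside the PPP is worth the extra line: a falling PPP with a rising report rate is the pattern a training program is meant to produce, whereas a falling PPP with a flat report rate may just mean the lure was weaker than the baseline one.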
Security awareness training with great ROI
The results of the KnowBe4 Phishing Industry Benchmarking report clearly demonstrate the benefits of investing in a more modern security awareness training platform, with the 12-month results showing an impressive 92% average improvement rate for various organization sizes across industries.
Want to see how your organization stacks up with your industry?
If you'd like to see how your organization stacks up against your industry's average PPP score, reach out today and schedule your baseline phishing test!
About the Author
Jeremy Kaikko is MainSpring’s Consulting and Integration Director who works with business leaders to secure and move their businesses forward. Raised in northern Maryland, Jeremy enjoys spending time with his kids and friends, fishing and cheering on the Washington Capitals and Kansas City Chiefs. He has been at MainSpring for over 20 years.