MainSpring Blog

Tackling Cybercrime with Computer-based Training

Written by Jeremy Kaikko | August 20, 2019 at 1:26 PM

It’s no secret that cybercrime is a lucrative business: Cybersecurity Ventures estimates that it will cost the world $6 trillion a year in damages by 2021, and ransomware alone is a multi-billion-dollar business. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), phishing was the most common threat action in confirmed breaches.

Cybercriminals prey on organizations with phishing and social engineering tactics (mostly via email), and they rely on employees’ inexperience for success. An organization’s susceptibility to these attacks is measured as its phish-prone percentage (PPP): the share of employees who fall for a simulated phishing email, for example by clicking its link or opening its attachment.

Baseline phish-prone percentage by industry

To understand the depth of the problem, KnowBe4 ran a baseline phishing test (a simulated phishing email sent before any training) across organizations of varying size in multiple industries. Below are the results, sorted by industry and organization size; all figures are PPP, in percent:

Industry                        1-249 employees   250-999 employees   1000+ employees
Banking                              29.3               31.3               25.7
Business Services                    34.5               31.7               27.9
Construction                         37.9               37.1               36.7
Consulting                           29.2               31.9               24.2
Consumer Services                    26.3               33.3               23.0
Education                            33.6               31.4               28.2
Energy & Utilities                   34.8               32.0               34.4
Financial Services                   31.1               31.7               29.1
Government                           34.7               29.8               23.5
Healthcare & Pharmaceuticals         33.1               32.9               27.6
Hospitality                          34.0               23.6               48.4
Insurance                            36.4               34.9               31.2
Legal                                32.2               29.6               32.7
Manufacturing                        36.1               34.1               30.9
Not-For-Profit                       35.4               32.3               30.1
Other                                31.0               29.2               22.4
Retail & Wholesale                   36.7               32.9               26.4
Technology                           34.3               31.3               31.4
Transportation                       33.5               33.7               16.4

Overall, KnowBe4 found that the initial baseline PPP averaged roughly 30% across all industries and sizes. In other words, nearly one in three employees fell for a simulated phishing email, and a real one could halt operations and cost thousands of dollars to recover from.

Computer-based training (CBT) impact on phish-prone percentage (PPP)

After the baseline testing was completed, KnowBe4 took the same sample of organizations, enrolled the employees in computer-based training (CBT), and ran a second simulated phishing test after 90 days.

The 90-day results, again as PPP in percent, were striking:

Industry                        1-249 employees   250-999 employees   1000+ employees
Banking                               9.7               12.0               16.4
Business Services                    15.9               13.3               21.3
Construction                         16.8               19.7               15.0
Consulting                           13.0               13.7                4.1
Consumer Services                    16.1               16.5               15.4
Education                            18.6               20.9               19.3
Energy & Utilities                   13.9               16.0               13.0
Financial Services                   12.6               13.2               16.4
Government                           14.5               14.9               10.8
Healthcare & Pharmaceuticals         17.8               14.8               19.0
Hospitality                          26.5               14.3                 0*
Insurance                            15.5               16.0               15.3
Legal                                15.6               11.4                3.8
Manufacturing                        16.5               15.9               14.6
Not-For-Profit                       16.3               16.5               16.4
Other                                16.3               19.7               13.7
Retail & Wholesale                   15.6               13.3               15.8
Technology                           16.9               16.9               17.2
Transportation                       12.1               19.6               15.8

(* sample too small to report a meaningful figure)

KnowBe4 found that with just 90 days of CBT, organizations on average cut their PPP roughly in half.
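As an added example (not KnowBe4's code, and not the data behind the tables above), the following Python computes PPP from a simulated-phishing event log the way the baseline and 90-day tables are read: distinct employees who clicked, over distinct employees who received the email, per department and overall, with a before/after improvement figure. It also handles the two details a practitioner hits in practice: an employee who clicks twice counts once, and a group below a minimum sample size is suppressed rather than reported, like the starred cell above. The CSV layout, the MIN_SAMPLE cut-off and the event data are assumptions constructed for the example.

```python
"""Phish-prone percentage (PPP) from a simulated-phishing event log.

Added example; not KnowBe4's code or report data. The event-log format is an
assumption: one CSV row per (campaign, employee, department, event), where
event is either "delivered" or "clicked".
"""
import csv
import io
from collections import defaultdict

MIN_SAMPLE = 10  # assumed cut-off: groups with fewer recipients are not reported


def build_events(campaign, department, prefix, delivered, clickers):
    """Constructed events: `delivered` employees, of whom `clickers` clicked."""
    ids = [f"{prefix}{i:02d}" for i in range(1, delivered + 1)]
    rows = [(campaign, e, department, "delivered") for e in ids]
    rows += [(campaign, c, department, "clicked") for c in clickers]
    return rows


# Constructed sample: the same 24 employees tested at baseline and after training.
CONSTRUCTED_EVENTS = (
    build_events("baseline", "finance", "f", 10, ["f01", "f02", "f03", "f01"])  # f01 clicked twice
    + build_events("baseline", "engineering", "g", 10, ["g01", "g02"])
    + build_events("baseline", "hr", "h", 4, ["h01", "h02"])  # below MIN_SAMPLE
    + build_events("post_training", "finance", "f", 10, ["f05"])
    + build_events("post_training", "engineering", "g", 10, ["g03"])
    + build_events("post_training", "hr", "h", 4, [])
)
CONSTRUCTED_CSV = "campaign,employee_id,department,event\n" + "\n".join(
    ",".join(r) for r in CONSTRUCTED_EVENTS
) + "\n"


def load_events(csv_text):
    """Parse the export into a list of dicts, rejecting unknown event types."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        if row["event"] not in ("delivered", "clicked"):
            raise ValueError(f"unexpected event type: {row['event']!r}")
    return rows


def ppp_by_group(rows, campaign, group="department", min_sample=MIN_SAMPLE):
    """PPP per group for one campaign, plus a campaign-wide figure under "all".

    PPP = distinct employees who clicked / distinct employees delivered * 100,
    rounded to one decimal. Groups with fewer recipients than min_sample map
    to None so a tiny sample is never reported as a percentage.
    """
    delivered = defaultdict(set)
    clicked = defaultdict(set)
    for row in rows:
        if row["campaign"] != campaign:
            continue
        for key in (row[group], "all"):
            if row["event"] == "delivered":
                delivered[key].add(row["employee_id"])
            else:
                clicked[key].add(row["employee_id"])
    result = {}
    for key, recipients in delivered.items():
        if len(recipients) < min_sample:
            result[key] = None
            continue
        # Only count clicks by employees the campaign actually reached.
        fell_for_it = clicked[key] & recipients
        result[key] = round(100.0 * len(fell_for_it) / len(recipients), 1)
    return result


def improvement(baseline_ppp, post_ppp):
    """Relative reduction in PPP, in percent; None if either figure is suppressed."""
    if baseline_ppp is None or post_ppp is None or baseline_ppp == 0:
        return None
    return round(100.0 * (baseline_ppp - post_ppp) / baseline_ppp, 1)


def campaign_report(csv_text, baseline="baseline", post="post_training"):
    """Per group: (baseline PPP, post-training PPP, improvement %)."""
    rows = load_events(csv_text)
    before = ppp_by_group(rows, baseline)
    after = ppp_by_group(rows, post)
    return {
        k: (before.get(k), after.get(k), improvement(before.get(k), after.get(k)))
        for k in sorted(set(before) | set(after))
    }


if __name__ == "__main__":
    fmt = lambda v: "n/a*" if v is None else f"{v:.1f}%"
    print(f"{'group':<12}{'baseline':>10}{'90-day':>10}{'improved':>10}")
    for grp, (b, a, imp) in campaign_report(CONSTRUCTED_CSV).items():
        print(f"{grp:<12}{fmt(b):>10}{fmt(a):>10}{fmt(imp):>10}")
    print("* fewer than MIN_SAMPLE recipients; not reported")
```

Run it and the finance row reads 30.0% at baseline and 10.0% after training (a 66.7% improvement), while hr shows n/a* in every column because four recipients is not a sample worth quoting. The cut-off is a judgement call; the point is to pick one before the campaign and apply it to every cell rather than quoting a 0% or 50% that rests on two or three people.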

Security awareness training with great ROI

The results of the KnowBe4 Phishing Industry Benchmarking report clearly demonstrate the benefit of investing in a modern security awareness training platform: the 12-month results show an average 92% improvement over baseline PPP across organization sizes and industries.

Want to see how your organization stacks up with your industry?

If you'd like to see how your organization compares with your industry's average PPP, reach out today to schedule your baseline phishing test.