Tampa Bay, Fla. cybersecurity firm KnowBe4's phishing benchmark study of six million users revealed that insurance, manufacturing, technology and not-for-profit organizations led all other industries in falling for baseline tests.
All four showed a rate of about 30% or higher. Financial services, though not as high, showed 26.29% susceptibility to those same tests.
The study, drawn from a data set of more than six million users across nearly 11,000 organizations, anonymously tracked users by company size and industry at three points: a baseline phishing security test; results after 90 days of combined computer-based training (CBT) and simulated phishing; and results after one year of combined CBT and phishing.
The phish-prone percentage was determined by the number of employees who clicked a simulated phishing email link or opened an infected attachment during a testing campaign using the KnowBe4 platform.
Results revealed a radical drop in careless clicking to just 13% 90 days after initial training and simulated phishing, and a steeper drop to 2% after 12 months of combined phishing and computer-based training.
Not-for-profit organizations led among large organizations (1,000 or more employees). The study showed these organizations ranked higher, with phish-prone percentages in the low 30s, than the overall average of 27% across all industries and organization sizes. Large business services organizations had the lowest phish-prone benchmark at 19%.
"In the past seven years, we've helped thousands of customers enable their employees to make smarter security decisions. Since we've reached the milestone of 15,000 customers, we've built a massive database to analyze and decided it was time to conduct a new analysis of average phish-prone percentages," Stu Sjouwerman, CEO of KnowBe4, said. "The new research uncovered some surprising and troubling results. However, it also demonstrates the power of deploying new-school security awareness training by lowering a 27% phish-prone result to just over two percent."
According to Sjouwerman, "Ninety-eight percent of cyber-attacks rely on social engineering and email phishing is the bad guys' preferred method. Attackers go for the low-hanging fruit: humans. Humans are the de-facto No. 1 choice for cybercriminals seeking to gain access into an organization. New-school security awareness training which includes frequent simulated social engineering testing is a proven method to dramatically slash an organization's Phish-prone percentage. Effectively managing this problem requires commitment and C-level buy-in, but it can be done and isn't difficult."
Overall rankings by industry for initial phish-prone percentage include:
- Insurance, 32.66%
- Manufacturing, 30.99%
- Technology, 30.09%
- Not for Profit, 29.85%
- Retail & Wholesale, 28.14%
- Energy & Utilities, 27.89%
- Healthcare & Pharma, 27.75%
- Other, 27.39%
- Education, 27.16%
- Business Services, 26.74%
- Financial Services, 26.29%
- Government, 25.09%