Knowbe4's annual Phishing Benchmarking Report finds that untrained users are the biggest flaw in Australia and New Zealand's cyber defence layer.

KnowBe4, the provider of the world's most significant security awareness training and simulated phishing platform, released the 2023 Phishing by Industry Benchmarking Report for Australia and New Zealand.

The report measures an organisation's Phish-prone Percentage (PPP), which indicates how many of their employees are likely to fall for phishing or a social engineering scam.

This year's report reveals that according to the baseline testing conducted, without security training, across all industries, 34.8% of employees in Australia and New Zealand are likely to click on a suspicious link or comply with a fraudulent request. 

Although this is a slight increase from last year's 34.5% PPP for the APAC region, it demonstrates the risk associated with a lack of security culture. 

KnowBe4 analysed a data set of over 12.5 million users, across 35,681 organisations, with over 32.1 million simulated phishing security tests, across 19 industries and seven geographic regions. 

The resulting baseline PPP measures the percentage of employees in organisations without KnowBe4 security training who clicked a simulated phishing email link or opened an infected attachment during testing. 

When companies implemented a combination of training and simulated phishing security testing after their initial baseline measurement, the results changed dramatically. 

Ninety days after completing monthly or more frequent security training, the average PPP in Australia and New Zealand decreased to 17.8%. 

After twelve months of security training and simulated phishing security tests, the average PPP dropped to 6.4%, indicating that new habits have become routine, fostering a more robust human firewall and improved security culture. 

The report also reveals which industries are most vulnerable to cyber threats and have the highest PPP, indicating a more vital need for security awareness training. 

Across small and medium organisations, the healthcare and pharmaceuticals industry has the highest PPP of 32.3% and 35.8%. Across large organisations, the insurance industry remains the most at risk for a second consecutive year with a PPP of 53.2%, relatively unchanged from 2022. 

KnowBe4 highlights that while technology is vital in preventing and recovering from an attack, organisations cannot ignore the human factor. 

Verizon's 2023 Data Breach Investigations report states that 74% of breaches this year involved the human element. This is a slight improvement from last year's 82%.

However, KnowBe4 says organisations must continue focusing on the human element of cyber attacks by implementing proven training methods that directly impact their workforce. 

Jacqueline Jayne, Security Awareness Advocate APAC at KnowBe4, says: "The findings from KnowBe4's Phishing by Industry Benchmark report are a testament to the effectiveness of new-school security awareness training and simulated phishing."

"An educated workforce forms a strong human firewall, which is key to practicing safe cyber habits and building a strong security culture."