Unveiling Africa’s vulnerability to phishing and cyber threats. KnowBe4’s 2023 report highlights the power of security training. Discover key findings and the importance of a strong security culture as recapped by A3Techworld.
In Africa, over one-third of corporate employees find themselves susceptible to phishing attacks and social engineering scams. However, there’s a glimmer of hope – regular security training can drastically decrease their chances of falling prey to such cyber threats. This insight comes from KnowBe4’s 2023 Phishing by Industry Benchmarking Report for Africa, which assessed organizations’ Phish-prone Percentage (PPP) to gauge their vulnerability to phishing and social engineering scams.
This article delves into the report’s key findings and highlights the importance of consistent cybersecurity awareness training in fortifying Africa’s defences against cybercrimes.
- 71% of the respondents from eight African countries use their mobile data to access the Internet, while 63% use their mobile phones for mobile banking and payments.
- 68% of the respondents were concerned about cybercrime; however, many lacked a basic understanding of the types of threats they are exposed to.
- 57% of respondents did not know what a ransomware attack is. 21% have experienced a social engineering attack over the phone (vishing), and 32% have lost money because they fell victim to a scam.
- 36% said they had fallen victim to a crypto scam, and 57% knew people who had been victims of such scams.
Understanding the Benchmarking Report
The 2023 Phishing by Industry Benchmarking Report compiled data from over 12.5 million users across 35,681 organizations in 19 industries. It included the results of more than 32.1 million simulated phishing security tests, encompassing data from North America, The United Kingdom and Ireland, Europe, Africa, South America, Asia, Australia, and New Zealand.
Baseline Vulnerability in Africa
The report focused on phishing simulation tests conducted in four African countries: South Africa, Kenya, Nigeria, and Botswana. A total of 412 organizations participated, with 337,937 emails sent. The majority of organizations (58%) were small-sized (1-249 employees), followed by medium-sized (26%, 250-999 employees), and large-sized (16%, 1000+ employees) enterprises.
The baseline PPP, representing the percentage of employees who hadn’t received KnowBe4 security training and fell for a simulated phishing email or opened an infected attachment during testing, was relatively lower in Africa compared to other regions. However, after 90 days of training, the improvement in Africa was less significant than in other regions. Nevertheless, after a year of continuous training, African users achieved an impressive 79.8% improvement in their PPP, showcasing the efficacy of persistent security awareness education.
The Human Factor in Data Breaches
“The report underscores the fact that while technology plays an important role in preventing and recovering from an attack, organizations cannot afford to ignore the human factor,” says Anna Collard, Senior Vice President of Content Strategy & Evangelist for KnowBe4 Africa. “The root cause of most data breaches can be traced to the human factor.”
Global Comparison and Progress in Africa
Globally, without security training, approximately 33.2% of employees across all regions and industries are likely to fall for phishing attacks or fraudulent requests. Africa’s average was slightly better at 32.8%, with South America having the highest rate of 41.1% and Asia boasting the lowest at 30%.
After 90 days of training, Africa’s average PPP stood at 20.5%, higher than the global average of 18.5%. After a year of continuous training, Africa’s PPP impressively reduced to 6.6%, compared to the global average of 5.4%. These numbers suggest that consistent training helps establish improved security habits, fostering a stronger security culture.
Vulnerability Across Enterprise Sizes
Initially, Africa’s medium-sized enterprises had the lowest PPP at 29.4%, while small enterprises stood at 30% and, surprisingly, large enterprises at 33.3%. However, after training, large enterprises displayed the best performance, achieving a PPP average of 19% after 90 days and 5.7% after a year. Medium-sized enterprises improved to 22.7% after 90 days and 10.5% after a year, while small enterprises’ PPP improved to 25.2% after 90 days and 9% after a year.
Identifying Vulnerable Industries
The report highlighted the industries most vulnerable to cyber threats, those with the highest PPP, signifying a greater need for security awareness training. Globally, healthcare and pharmaceutical industries topped the list for small and medium organizations, with PPPs of 32.3% and 35.8%, respectively. In large organizations, the insurance industry remained the most at risk, with a global PPP of 53.2% for the second consecutive year. Across sectors, consistent training for a year or more led to an impressive 82% average PPP improvement.
Conclusion: Fortifying Africa’s Defenses
The findings underscore the significance of ongoing, consistent cybersecurity awareness training and testing to mitigate substantial risks. A one-time training session or mere warnings to users fall short. Cybersecurity must be ingrained into a company’s culture, creating a robust defence against evolving cyber threats. Organizations in Africa can empower their employees with knowledge and vigilance, making it harder for cybercriminals to exploit the human factor in their attacks. By prioritizing security awareness, Africa can rise as a resilient and vigilant contender against cybercrimes in the years to come.