KnowBe4 has launched its Phishing by Industry Benchmarking Report 2025, which measures an organisation’s Phish-pron percentage, the percentage of employees likely to fall for social engineering or phishing attacks, indicating the organisation’s overall susceptibility to phishing threats.
This year’s report found a baseline Phish-pron percentage of 36.8% in Australia and New Zealand, which is higher than both the global average (33.1%) and European standards (32.5%).
KnowBe4 analysed 67.7 million phishing simulations across 14.5 million users from 62,400 organisations worldwide. The baseline Phish-pron percentage (36.8% for Australia and New Zealand) reflects an organisation’s susceptibility to phishing before any KnowBe4 training.
Employees then undergo KnowBe4’s security awareness training, and the Phish-pron percentage is recalculated after 90 days and again after one year-plus of ongoing training to quantify the program’s effectiveness.
The findings from the KnowBe4 report for Australia and New Zealand underline the transformative power of sustained security awareness training in a region initially characterised by high phishing susceptibility.
Initially, Australia and New Zealand exhibited a concerning baseline Phish-pron percentage of 36.8%, the third highest globally, which highlighted a critical need for enhanced cybersecurity measures.
Within the first 90 days of implementing training programs, the Phish-pron percentage dropped to 19.9% and after a full year of ongoing training, organisations achieved an impressive reduction to 4.9%, reinforcing the importance of continued focus on security awareness training.
These improvements align closely with global trends, demonstrating the effectiveness of tailored SAT programs in strengthening organisational defences against phishing threats.
Other key takeaways from the report include:
- Organisations with 1,000 plus employees based in Australia and New Zealand were the most phish prone globally, with 44.6% clicking on simulated phishing hyperlinks.
- After just 90 days of security awareness training, most sectors observed substantial reductions in their Phish-pron percentage, with large companies showing the most dramatic improvements over time.
- Critical infrastructure sectors in Australia and New Zealand face increasingly sophisticated cyberattacks, which prompted legislative action and increased government support for cybersecurity awareness.
- International collaboration, particularly through the Five Eyes alliance, and investments in building a skilled cybersecurity workforce are crucial strategies adopted by both countries to address evolving cyber threats and build long-term resilience.
“Our report shows that large Australia and New Zealand organisations began with the highest phishing vulnerability globally at 44.6% yet achieved a remarkable reduction to just 4.7% after ongoing training,” said Erich Kron, security awareness advocate at KnowBe4.
“The most significant shift we are seeing is the growing recognition by the Australian government of the critical role that community-level education plays in building a resilient cyber ecosystem, evidenced by their AUD7 million investment across 200 recipients. While progress is being made, it is clear from the data in the report that sustained security training is essential to drive long-lasting change.”
You can download a copy of the report here.
