Which industries had the highest phishing risk in 2025?

According to KnowBe4’s 2025 report, the industries with the highest initial Phishing-Prone Percentages (PPP) were Hospitality (52.9%), Education (50.2%), Pharmaceuticals (48.2%), Healthcare & Medical (46.9%), and Energy & Utilities (45.8%).

Which industries had the lowest phishing risk in 2025?

The industries with the lowest initial PPPs were Technology (28.5%), Finance & Banking (29.8%), and Insurance (30.1%). These sectors typically have more advanced cybersecurity programs and stricter access controls.

How does company size impact phishing vulnerability?

Smaller organizations tend to be more vulnerable due to limited security resources. Mid-sized organizations (1,000–2,500 employees) had the highest phishing-prone rates, while large enterprises (10,000+ employees) showed lower PPPs thanks to stronger governance and layered defenses.

Does phishing awareness training really work?

Yes. Organizations that implemented consistent phishing simulations and awareness training reduced their average PPP from 34.3% to 17.2% after 90 days, and down to 4.6% after 12 months—an 86% reduction in phishing vulnerability.

What phishing tactics are most effective in 2025?

The most common phishing lures include IT alerts (e.g., password reset notices), delivery notifications, HR policy updates, and account security warnings. These rely on urgency and fear to trick employees into clicking.

How can organizations reduce phishing risk?

Organizations can reduce phishing risk by investing in ongoing security awareness training, running simulated phishing campaigns, benchmarking their PPP, layering technical defenses such as MFA and email filtering, and promoting a security-first culture.

What is automated penetration testing?

Automated penetration testing uses specialized tools to run regular, scalable security tests on networks, applications, and systems. Unlike manual testing, it allows organizations to identify vulnerabilities quickly, improve defenses, and meet compliance requirements without heavy resource demands.

Why is targeting specific network segments important in penetration testing?

Focusing penetration tests on high-risk or mission-critical network segments improves precision and reduces costs. This approach provides deeper insights into specific vulnerabilities, streamlines remediation, and helps organizations strengthen defenses where they matter most.

What types of automated penetration tests should organizations run?

Organizations should run external, internal, and hybrid penetration tests. External tests simulate attacks from outsiders, internal tests replicate insider or post-breach scenarios, and hybrid tests combine both to mimic real-world, multi-stage cyberattacks.

How can penetration test results be turned into actionable intelligence?

After each test, vulnerabilities should be prioritized by severity and exploitability. Results can guide patching, update access controls, and enhance employee training. Findings can also inform tabletop exercises and awareness programs, helping reduce human error risks.

How does automated penetration testing help with compliance?

Automated penetration testing supports frameworks like PCI DSS, HIPAA, NIST SP 800-53, and CMMC by ensuring consistent, audit-ready testing. It streamlines compliance reporting, validates security safeguards, and helps organizations stay ahead of evolving regulatory requirements.

How should automated penetration testing be integrated into security operations?

Integrating penetration test results with SIEM, threat intelligence, vulnerability management, and incident response workflows ensures faster remediation and improved threat detection. Linking outcomes with the risk register also helps leadership align security strategy with business priorities.

What are the benefits of automated penetration testing for long-term cyber defense?

Automated penetration testing provides continuous visibility into vulnerabilities, strengthens compliance posture, improves detection and response, and creates a culture of ongoing security improvement. It combines ethical hacking techniques with scalable automation for stronger, proactive defense.

Category:

Cybersecurity Solutions

Q: What is the Phishing-Prone Percentage (PPP)?

The Phishing-Prone Percentage (PPP) measures the percentage of users who clicked on a simulated phishing email during testing. It reflects how vulnerable employees are to phishing before any security awareness training.

Discover comprehensive cybersecurity solutions including threat detection, vulnerability management, AI-driven defense, and strategic implementation guides to fortify your organization’s defenses.

PCI DSS Penetration Testing

Understanding PCI 11.4.1

by RSI Security October 17, 2025October 17, 2025

written by RSI Security

Achieving PCI DSS compliance requires implementing and testing multiple security controls to protect cardholder data. One of the most demanding requirements, PCI DSS 11.4.1, calls for both internal and external penetration testing to proactively detect and mitigate emerging threats.
Is your organization ready to meet the latest PCI DSS 11.4.1 standards? Request a consultation today to ensure you’re fully compliant.

October 17, 2025October 17, 2025 0 comment

Cybersecurity Solutions

Cyber Hygiene Checklist: Back to the Basics

by RSI Security October 16, 2025October 17, 2025

written by RSI Security

In today’s hyperconnected world, cybersecurity threats are more widespread and sophisticated than ever. Both organizations and individuals face growing risks from cyberattacks that often exploit simple human errors and overlooked system vulnerabilities. IT teams are under constant pressure to maintain performance while adapting to new technologies and evolving threats. Yet, with limited resources and a global shortage of skilled professionals, maintaining strong cyber hygiene is one of the most effective ways to close security gaps and build long-term resilience.

October 16, 2025October 17, 2025 0 comment

Virtual CISO

Top Benefits of Hiring a vCISO

by RSI Security October 6, 2025October 7, 2025

written by RSI Security

Cybersecurity leadership is critical to every organization’s success, and that’s where vCISO services make a difference. As data breaches and ransomware attacks rise globally, businesses face billions in losses every year. Cybersecurity Ventures’ 2024 Cybercrime Report projects that cybercrime will cost the global economy $10.5 trillion annually by 2025, up from $3 trillion in 2015. These losses stem from data destruction, theft, fraud, and reputational harm.

To combat this, governments are tightening cybersecurity regulations, and organizations are turning to virtual Chief Information Security Officer (vCISO) services to strengthen their defenses and meet compliance demands.

October 6, 2025October 7, 2025 0 comment

Third Party Risk Management

Phishing Risk by Industry 2025: Benchmarks & Threat Insights

by RSI Security October 3, 2025October 3, 2025

written by RSI Security

Phishing Risk by Industry: Key Insights from KnowBe4’s 2025 Benchmarking Report

Phishing continues to dominate the threat landscape in 2025. As attackers evolve their tactics to bypass technical defenses, businesses face a critical question: How likely are employees to fall for a phishing attempt?

KnowBe4’s latest Phishing by Industry Benchmarking Report 2025 provides a data-driven answer. Based on results from 56 million simulated phishing tests across 55,000+ organizations, the report reveals average Phishing-Prone Percentages (PPP) across industry sectors, company sizes, and regions.

Let’s explore the top takeaways, and how to proactively reduce your organization’s phishing risk.

What is the Phishing-Prone Percentage (PPP)?

The Phishing-Prone Percentage (PPP) is the percentage of users who clicked on a simulated phishing email during testing. It reflects how vulnerable your employees are to phishing before any training.

In the 2025 benchmarking study, KnowBe4 analyzed simulation results across:

19 different industry sectors
9 geographic regions
3 company size categories

The findings deliver critical insight into how susceptible specific verticals are, and how well training programs actually work.

Initial Phishing Risk in 2025: Benchmarking by Industry

The average baseline PPP across all industries was 34.3 percent, meaning over one in three employees clicked on a phishing link without training. But some industries performed significantly worse.

Industries with the Highest Initial PPPs:

Hospitality – 52.9%
Education – 50.2%
Pharmaceuticals – 48.2%
Healthcare & Medical – 46.9%
Energy & Utilities – 45.8%

These sectors are high-risk due to sensitive data, high employee turnover, or frequent external communication, all factors that increase phishing vulnerability.

Industries with the Lowest Initial PPPs:

Technology – 28.5%
Finance & Banking – 29.8%
Insurance – 30.1%

Organizations in these industries tend to have more mature cybersecurity programs and stricter access controls.

Phishing Risk by Company Size

Company size plays a role in phishing vulnerability, but not in the way many expect:

Small organizations (1–249 employees): More vulnerable due to limited resources
Mid-sized organizations (1,000–2,500 employees): Highest average PPP across the board
Large enterprises (10,000+ employees): Lower PPPs thanks to stronger governance and layered defenses

Regardless of size, no organization is immune, especially without ongoing training.

Assess your Third Party Risk Management

Training Works: How PPP Drops Over Time

The most impactful takeaway from KnowBe4’s 2025 report? Security awareness training works, fast and sustainably.

Organizations that implemented consistent phishing simulations and training saw a massive drop in PPP:

Timeline After Training	Average PPP
Initial Baseline	34.3%
After 90 Days	17.2%
After 12 Months	4.6%

That’s an 86 percent reduction in phishing vulnerability over one year.

Phishing Tactics: What Lures Are Employees Falling For?

KnowBe4’s simulations use real-world phishing templates designed to mimic what attackers actually send. The most effective lures in 2025 include:

IT alerts: “Password expired. Click here to reset.”
Delivery notifications: “FedEx: Your package is delayed.”
HR notices: “Policy update: View changes to PTO benefits.”
Account security warnings: “Suspicious login detected.”

These messages rely on urgency, fear, or curiosity, triggering emotional responses before critical thinking kicks in.

How to Reduce Phishing Risk in Your Organization

Based on the 2025 benchmark data, here are the most effective strategies for reducing phishing exposure:

Invest in Security Awareness Training: Train employees continuously, not just once a year. Tailor content by department and role.
Launch Ongoing Phishing Simulations: Test your workforce with simulated phishing campaigns. Use results to identify high-risk users.
Measure Your Own PPP and Benchmark It: Compare your phishing-prone rate against KnowBe4’s industry averages to assess your risk.
Layer Technical Controls: Use secure email gateways, DNS filtering, and multi-factor authentication to block phishing payloads.
Build a Security-First Culture: Reward users for reporting suspicious emails and normalize asking IT for help.

In Closing: Understand the Risk, Train to Prevent It

The Phishing by Industry Benchmarking Report 2025 underscores a hard truth: technical defenses alone aren’t enough. People are the last line of defense, and often the first target.

The most at-risk industries in 2025 are those that interact with sensitive data, the public, or third-party vendors. But no sector is truly safe without training.

Want to benchmark your organization’s PPP and improve employee resilience? RSI Security provides tailored phishing simulation services, role-based awareness training, and advisory to help reduce human cyber risk.

Schedule A Third Party Risk Management service

October 3, 2025October 3, 2025 0 comment

Penetration Testing Security Program Advisory

Your Web Application Penetration Testing Checklist

by RSI Security September 30, 2025October 2, 2025

written by RSI Security

If your organization builds or relies on web applications for critical operations, web application penetration testing is essential. This updated guide follows OWASP’s latest standards and aligns with RSI Security’s risk-informed approach to testing. Regular penetration testing helps organizations uncover vulnerabilities, fix security gaps, and ensure their applications are resilient against evolving cyber threats.

September 30, 2025October 2, 2025 0 comment

Penetration Testing Threat & Vulnerability Management

What is the Difference Between a VA Scan and a Pen Test?

by RSI Security September 25, 2025September 26, 2025

written by RSI Security

In cybersecurity, identifying vulnerabilities is only half the battle. To build a strong defense, organizations must regularly scan for weaknesses and test their systems through penetration testing. Penetration testing and vulnerability assessments are both essential, but they serve different purposes.

This guide explains how each works, when to use them, and how they can work together to protect sensitive data and critical systems.

September 25, 2025September 26, 2025 0 comment

Virtual CISO

vCISO vs. CISO: What’s the Difference?

by RSI Security September 12, 2025September 11, 2025

written by RSI Security

The Rising Demand for vCISO Services in Cybersecurity Leadership

With global cybercrime damages expected to reach $10.5 trillion annually by 2025 (Cybersecurity Ventures), organizations are ramping up investments in security infrastructure, talent, and strategy. However, hiring a full-time Chief Information Security Officer (CISO) is out of reach for many. The average total cost of a full-time CISO now exceeds $250,000 annually, not including bonuses, training, and benefits (ZipRecruiter). That’s why vCISO services have emerged as a powerful, cost-effective alternative, offering expert cybersecurity leadership at a fraction of the cost.

September 12, 2025September 11, 2025 0 comment

Penetration Testing

Automated Penetration Testing Best Practices for 2025

by RSI Security September 10, 2025September 11, 2025

written by RSI Security

Automated Penetration Testing Best Practices for 2025

Penetration testing is essential for staying ahead of cybercriminals, but traditional pen tests can be time consuming and resource-heavy. That’s where automated penetration testing comes in. By running regular, targeted, and scalable tests, organizations can continuously improve their defenses while meeting compliance requirements and uncovering exploitable vulnerabilities. Here’s how to make automated pen testing a core part of your cybersecurity strategy.

Target Specific Network Segments for Precision

Unlike manual pen tests that may cover your entire environment at once, automated tools allow you to focus testing efforts on high-risk or mission, critical areas. This approach is ideal for defending against advanced persistent threats (APTs), which typically exploit precise vulnerabilities.

Targeted testing not only reduces scope and cost but also yields deeper insights into specific attack paths like isolated application stacks or critical databases, so you can shore up defenses where it matters most.

By narrowing the scope, organizations can also streamline remediation efforts. IT teams receive clear, actionable findings related to one area at a time, making it easier to prioritize fixes, track progress, and ensure nothing slips through the cracks. Plus, repeated testing of individual segments helps benchmark improvements over time and supports continuous optimization of your overall cybersecurity posture.

Run External, Internal, and Hybrid Tests Regularly

One of the biggest advantages of automation is consistency. Automated penetration testing tools allow you to perform external, internal, and hybrid tests on a regular schedule.

External Tests: Simulate attacks from outsiders targeting internet-facing assets, such as web apps or VPNs.
Internal Tests: Replicate insider threats or post-breach scenarios to assess lateral movement and privilege escalation.
Hybrid Tests: Combine both approaches to simulate real-world, multi-stage attacks that start externally and pivot internally.

This diverse testing strategy helps you uncover different vulnerabilities and better understand your organization’s full attack surface.

Automating these tests ensures consistent timing and coverage, which is critical for identifying threats that emerge between manual testing cycles. It also allows security teams to benchmark performance and response times across different threat scenarios. By maintaining a cadence of varied tests, organizations can track how vulnerabilities evolve, how detection improves, and how controls hold up under pressure. Ultimately, regular automated testing creates a feedback loop that supports long-term cyber resilience and validates incident response protocols in real-time.

Convert Test Results Into Actionable Intelligence

The value of a pen test lies in what you do with the results. After each automated test, your security team along with your CISO or vCISO, should analyze findings and implement mitigation strategies.

That means prioritizing vulnerabilities based on risk severity, potential exploitability, and the systems or data affected. Automated tools often rank threats using standardized scoring systems like CVSS, helping decision-makers triage and address issues quickly. Where needed, patch management processes or access control policies may need to be updated to prevent recurrence.

Beyond remediation, test insights can also strengthen employee training. Use findings to power tabletop exercises and security awareness programs, simulating realistic scenarios based on actual vulnerabilities. For example, if a phishing vector was successfully exploited, a corresponding training module can be built to teach staff how to recognize and report similar threats. This reinforces organizational readiness and sharpens incident response across departments, helping non-technical teams understand their role in security and reducing overall attack surface from the human angle.

Simplify Compliance with Automated Testing

Many regulatory frameworks either require or strongly recommend penetration testing. Automated testing helps meet these requirements consistently, efficiently, and with audit-ready documentation.

Consider these compliance use cases:

PCI DSS: Requires annual and post-change penetration tests under Requirement 11 to verify that vulnerabilities have been addressed effectively. Automated tools help streamline testing schedules, maintain compliance logs, and generate reports for auditors with minimal manual effort.
HIPAA: While it doesn’t explicitly mandate pen testing, HIPAA’s Security Rule calls for regular technical evaluations to ensure safeguards are effective. Automated pen tests can serve as a vital part of this evaluation, identifying threats to electronic protected health information (ePHI) and validating that access controls are functioning properly.
NIST SP 800-53 and CMMC: These frameworks emphasize continuous Risk Assessments and system testing. Automated penetration testing supports these goals with repeatable, scalable testing that can be mapped directly to relevant control families.

Automated pen testing helps you stay ahead of evolving compliance demands, reduces the risk of costly breaches, and positions your organization as a responsible data steward.

Integrate Testing with Broader Security Operations

To maximize the impact of automated penetration testing, it should be tightly integrated with your broader security ecosystem. This means linking test results with your SIEM, threat intelligence platforms, vulnerability management tools, and incident response workflows.

When findings from automated pen tests flow directly into your security operations center (SOC), your team can act faster, correlate alerts with active threats, and fine-tune detection rules based on real-world simulations. This integration also ensures that remediation efforts are tracked and verified, closing the loop between detection and resolution.

Additionally, aligning pen testing outcomes with your organization’s risk register allows leadership to prioritize investments and adjust strategy based on evolving threat landscapes. When automated testing becomes part of daily operations, not just an annual checkbox, it builds a culture of continuous improvement and measurable resilience

Take a Proactive Approach to Cyber Defense

Automated penetration testing combines the sophistication of ethical hacking with the speed and scalability of modern tools. When implemented strategically, it transforms your security posture, providing ongoing visibility into risks, satisfying compliance mandates, and informing smarter decisions.

RSI Security offers tailored automated pen testing solutions for businesses of all sizes. Whether you’re securing cloud infrastructure, remote work environments, or legacy systems, our experts help you optimize testing frequency, scope, and remediation strategies.

Ready to strengthen your cybersecurity program? Purchase a penetration test directly on Our Store or Contact RSI Security today for a consultation.

Request a Consultation for Penetration Testing

September 10, 2025September 11, 2025 0 comment

Threat & Vulnerability Management

AI-Powered Insider Threat Detection

by RSI Security July 18, 2025

written by RSI Security

In cyberdefense, preventing attacks is only half the battle. Teams also need to be ready to detect and respond to incidents that surface. Since cybercriminals are making use of the most advanced technologies, like AI, all forward-thinking organizations need to be doing the same.

July 18, 2025 0 comment

Cyber Attacks Identity and Access Management

Protecting Against Synthetic Identities and Deepfakes

by RSI Security July 9, 2025August 15, 2025

written by RSI Security

Cybersecurity in 2025 is facing a new breed of adversary: one that doesn’t always have a pulse. Synthetic identities and deepfake technologies have evolved from emerging curiosities to urgent threats, capable of bypassing security systems, defrauding financial institutions, and tarnishing reputations in mere moments.

July 9, 2025August 15, 2025 2 comments

Load More Posts