Which industries had the highest phishing risk in 2025?

According to KnowBe4’s 2025 report, the industries with the highest initial Phishing-Prone Percentages (PPP) were Hospitality (52.9%), Education (50.2%), Pharmaceuticals (48.2%), Healthcare & Medical (46.9%), and Energy & Utilities (45.8%).

Which industries had the lowest phishing risk in 2025?

The industries with the lowest initial PPPs were Technology (28.5%), Finance & Banking (29.8%), and Insurance (30.1%). These sectors typically have more advanced cybersecurity programs and stricter access controls.

How does company size impact phishing vulnerability?

Smaller organizations tend to be more vulnerable due to limited security resources. Mid-sized organizations (1,000–2,500 employees) had the highest phishing-prone rates, while large enterprises (10,000+ employees) showed lower PPPs thanks to stronger governance and layered defenses.

Does phishing awareness training really work?

Yes. Organizations that implemented consistent phishing simulations and awareness training reduced their average PPP from 34.3% to 17.2% after 90 days, and down to 4.6% after 12 months—an 86% reduction in phishing vulnerability.

What phishing tactics are most effective in 2025?

The most common phishing lures include IT alerts (e.g., password reset notices), delivery notifications, HR policy updates, and account security warnings. These rely on urgency and fear to trick employees into clicking.

How can organizations reduce phishing risk?

Organizations can reduce phishing risk by investing in ongoing security awareness training, running simulated phishing campaigns, benchmarking their PPP, layering technical defenses such as MFA and email filtering, and promoting a security-first culture.

Cyber Risk Assessments

Cyber Risk: Strategic Insights and Industry Benchmarks from the X-Analytics 2025 Report

by RSI Security November 10, 2025November 13, 2025

written by RSI Security

Cyber Risk is no longer just a technical concern; it’s a critical business and financial priority. The X-Analytics 2025 Annual Research Report highlights how modern organizations face evolving cyber threats, emphasizing that managing cyber risk is essential for strategic decision-making.

Based on proprietary research from 118 data sources across 21 industries, the report doesn’t just offer insights; it challenges business leaders to treat cyber risk with the urgency and importance it demands.

November 10, 2025November 13, 2025 0 comment

Governance, risk management, and compliance

Patch Management

Patch Management Best Practices 2025

by RSI Security November 7, 2025November 7, 2025

written by RSI Security

In 2025, Patch Management has become more critical than ever. As organizations rely on complex, cloud-native systems and AI-driven tools, new vulnerabilities are emerging faster than most teams can respond. A well-structured patch management program is essential to minimize cybersecurity risks, prevent costly downtime, and maintain compliance with frameworks such as NIST, HIPAA, and PCI DSS.

This guide explores the best practices for patch management that help organizations stay resilient, secure, and audit-ready in today’s rapidly evolving threat landscape.

November 7, 2025November 7, 2025 0 comment

AI Attack Vectors: How Intelligent Threats Are Redefining Cybersecurity Defense

by RSI Security October 31, 2025October 31, 2025

written by RSI Security

The digital arms race is accelerating, and artificial intelligence (AI) is becoming both a weapon and a target. As AI systems increasingly interact, a new generation of attack vectors is emerging, where one intelligent system exploits another’s weaknesses at machine speed.

These aren’t theoretical threats. From prompt injection to feedback loop manipulation, malicious AI systems are already probing and exploiting vulnerabilities in other AIs. Understanding these attack vectors is critical to defending the next wave of intelligent infrastructure and maintaining trust in automated decision-making.

October 31, 2025October 31, 2025 0 comment

PCI DSS Penetration Testing

Understanding PCI 11.4.1

by RSI Security October 17, 2025October 17, 2025

written by RSI Security

Achieving PCI DSS compliance requires implementing and testing multiple security controls to protect cardholder data. One of the most demanding requirements, PCI DSS 11.4.1, calls for both internal and external penetration testing to proactively detect and mitigate emerging threats.
Is your organization ready to meet the latest PCI DSS 11.4.1 standards? Request a consultation today to ensure you’re fully compliant.

October 17, 2025October 17, 2025 0 comment

Cybersecurity Solutions

Cyber Hygiene Checklist: Back to the Basics

by RSI Security October 16, 2025October 17, 2025

written by RSI Security

In today’s hyperconnected world, cybersecurity threats are more widespread and sophisticated than ever. Both organizations and individuals face growing risks from cyberattacks that often exploit simple human errors and overlooked system vulnerabilities. IT teams are under constant pressure to maintain performance while adapting to new technologies and evolving threats. Yet, with limited resources and a global shortage of skilled professionals, maintaining strong cyber hygiene is one of the most effective ways to close security gaps and build long-term resilience.

October 16, 2025October 17, 2025 0 comment

Virtual CISO

Top Benefits of Hiring a vCISO

by RSI Security October 6, 2025October 7, 2025

written by RSI Security

Cybersecurity leadership is critical to every organization’s success, and that’s where vCISO services make a difference. As data breaches and ransomware attacks rise globally, businesses face billions in losses every year. Cybersecurity Ventures’ 2024 Cybercrime Report projects that cybercrime will cost the global economy $10.5 trillion annually by 2025, up from $3 trillion in 2015. These losses stem from data destruction, theft, fraud, and reputational harm.

To combat this, governments are tightening cybersecurity regulations, and organizations are turning to virtual Chief Information Security Officer (vCISO) services to strengthen their defenses and meet compliance demands.

October 6, 2025October 7, 2025 0 comment

Third Party Risk Management

Phishing Risk by Industry 2025: Benchmarks & Threat Insights

by RSI Security October 3, 2025October 3, 2025

written by RSI Security

Phishing Risk by Industry: Key Insights from KnowBe4’s 2025 Benchmarking Report

Q: What is the Phishing-Prone Percentage (PPP)?

The Phishing-Prone Percentage (PPP) measures the percentage of users who clicked on a simulated phishing email during testing. It reflects how vulnerable employees are to phishing before any security awareness training.

Phishing continues to dominate the threat landscape in 2025. As attackers evolve their tactics to bypass technical defenses, businesses face a critical question: How likely are employees to fall for a phishing attempt?

KnowBe4’s latest Phishing by Industry Benchmarking Report 2025 provides a data-driven answer. Based on results from 56 million simulated phishing tests across 55,000+ organizations, the report reveals average Phishing-Prone Percentages (PPP) across industry sectors, company sizes, and regions.

Let’s explore the top takeaways, and how to proactively reduce your organization’s phishing risk.

What is the Phishing-Prone Percentage (PPP)?

The Phishing-Prone Percentage (PPP) is the percentage of users who clicked on a simulated phishing email during testing. It reflects how vulnerable your employees are to phishing before any training.

In the 2025 benchmarking study, KnowBe4 analyzed simulation results across:

19 different industry sectors
9 geographic regions
3 company size categories

The findings deliver critical insight into how susceptible specific verticals are, and how well training programs actually work.

Initial Phishing Risk in 2025: Benchmarking by Industry

The average baseline PPP across all industries was 34.3 percent, meaning over one in three employees clicked on a phishing link without training. But some industries performed significantly worse.

Industries with the Highest Initial PPPs:

Hospitality – 52.9%
Education – 50.2%
Pharmaceuticals – 48.2%
Healthcare & Medical – 46.9%
Energy & Utilities – 45.8%

These sectors are high-risk due to sensitive data, high employee turnover, or frequent external communication, all factors that increase phishing vulnerability.

Industries with the Lowest Initial PPPs:

Technology – 28.5%
Finance & Banking – 29.8%
Insurance – 30.1%

Organizations in these industries tend to have more mature cybersecurity programs and stricter access controls.

Phishing Risk by Company Size

Company size plays a role in phishing vulnerability, but not in the way many expect:

Small organizations (1–249 employees): More vulnerable due to limited resources
Mid-sized organizations (1,000–2,500 employees): Highest average PPP across the board
Large enterprises (10,000+ employees): Lower PPPs thanks to stronger governance and layered defenses

Regardless of size, no organization is immune, especially without ongoing training.

Assess your Third Party Risk Management

Training Works: How PPP Drops Over Time

The most impactful takeaway from KnowBe4’s 2025 report? Security awareness training works, fast and sustainably.

Organizations that implemented consistent phishing simulations and training saw a massive drop in PPP:

Timeline After Training	Average PPP
Initial Baseline	34.3%
After 90 Days	17.2%
After 12 Months	4.6%

That’s an 86 percent reduction in phishing vulnerability over one year.

Phishing Tactics: What Lures Are Employees Falling For?

KnowBe4’s simulations use real-world phishing templates designed to mimic what attackers actually send. The most effective lures in 2025 include:

IT alerts: “Password expired. Click here to reset.”
Delivery notifications: “FedEx: Your package is delayed.”
HR notices: “Policy update: View changes to PTO benefits.”
Account security warnings: “Suspicious login detected.”

These messages rely on urgency, fear, or curiosity, triggering emotional responses before critical thinking kicks in.

How to Reduce Phishing Risk in Your Organization

Based on the 2025 benchmark data, here are the most effective strategies for reducing phishing exposure:

Invest in Security Awareness Training: Train employees continuously, not just once a year. Tailor content by department and role.
Launch Ongoing Phishing Simulations: Test your workforce with simulated phishing campaigns. Use results to identify high-risk users.
Measure Your Own PPP and Benchmark It: Compare your phishing-prone rate against KnowBe4’s industry averages to assess your risk.
Layer Technical Controls: Use secure email gateways, DNS filtering, and multi-factor authentication to block phishing payloads.
Build a Security-First Culture: Reward users for reporting suspicious emails and normalize asking IT for help.

In Closing: Understand the Risk, Train to Prevent It

The Phishing by Industry Benchmarking Report 2025 underscores a hard truth: technical defenses alone aren’t enough. People are the last line of defense, and often the first target.

The most at-risk industries in 2025 are those that interact with sensitive data, the public, or third-party vendors. But no sector is truly safe without training.

Want to benchmark your organization’s PPP and improve employee resilience? RSI Security provides tailored phishing simulation services, role-based awareness training, and advisory to help reduce human cyber risk.

Schedule A Third Party Risk Management service

October 3, 2025October 3, 2025 0 comment

Penetration Testing Security Program Advisory

Your Web Application Penetration Testing Checklist

by RSI Security September 30, 2025October 2, 2025

written by RSI Security

If your organization builds or relies on web applications for critical operations, web application penetration testing is essential. This updated guide follows OWASP’s latest standards and aligns with RSI Security’s risk-informed approach to testing. Regular penetration testing helps organizations uncover vulnerabilities, fix security gaps, and ensure their applications are resilient against evolving cyber threats.

September 30, 2025October 2, 2025 0 comment

Penetration Testing Threat & Vulnerability Management

What is the Difference Between a VA Scan and a Pen Test?

by RSI Security September 25, 2025September 26, 2025

written by RSI Security

In cybersecurity, identifying vulnerabilities is only half the battle. To build a strong defense, organizations must regularly scan for weaknesses and test their systems through penetration testing. Penetration testing and vulnerability assessments are both essential, but they serve different purposes.

This guide explains how each works, when to use them, and how they can work together to protect sensitive data and critical systems.

September 25, 2025September 26, 2025 0 comment

Virtual CISO

vCISO vs. CISO: What’s the Difference?

by RSI Security September 12, 2025September 11, 2025

written by RSI Security

The Rising Demand for vCISO Services in Cybersecurity Leadership

With global cybercrime damages expected to reach $10.5 trillion annually by 2025 (Cybersecurity Ventures), organizations are ramping up investments in security infrastructure, talent, and strategy. However, hiring a full-time Chief Information Security Officer (CISO) is out of reach for many. The average total cost of a full-time CISO now exceeds $250,000 annually, not including bonuses, training, and benefits (ZipRecruiter). That’s why vCISO services have emerged as a powerful, cost-effective alternative, offering expert cybersecurity leadership at a fraction of the cost.

September 12, 2025September 11, 2025 0 comment