Which industries had the highest phishing risk in 2025?

According to KnowBe4’s 2025 report, the industries with the highest initial Phishing-Prone Percentages (PPP) were Hospitality (52.9%), Education (50.2%), Pharmaceuticals (48.2%), Healthcare & Medical (46.9%), and Energy & Utilities (45.8%).

Which industries had the lowest phishing risk in 2025?

The industries with the lowest initial PPPs were Technology (28.5%), Finance & Banking (29.8%), and Insurance (30.1%). These sectors typically have more advanced cybersecurity programs and stricter access controls.

How does company size impact phishing vulnerability?

Smaller organizations tend to be more vulnerable due to limited security resources. Mid-sized organizations (1,000–2,500 employees) had the highest phishing-prone rates, while large enterprises (10,000+ employees) showed lower PPPs thanks to stronger governance and layered defenses.

Does phishing awareness training really work?

Yes. Organizations that implemented consistent phishing simulations and awareness training reduced their average PPP from 34.3% to 17.2% after 90 days, and down to 4.6% after 12 months—an 86% reduction in phishing vulnerability.

What phishing tactics are most effective in 2025?

The most common phishing lures include IT alerts (e.g., password reset notices), delivery notifications, HR policy updates, and account security warnings. These rely on urgency and fear to trick employees into clicking.

How can organizations reduce phishing risk?

Organizations can reduce phishing risk by investing in ongoing security awareness training, running simulated phishing campaigns, benchmarking their PPP, layering technical defenses such as MFA and email filtering, and promoting a security-first culture.

Cybersecurity Solutions: Tools, Strategies & Expert Guidance

Q: What is the Phishing-Prone Percentage (PPP)?

The Phishing-Prone Percentage (PPP) measures the percentage of users who clicked on a simulated phishing email during testing. It reflects how vulnerable employees are to phishing before any security awareness training.

Virtual CISO

What a vCISO Brings to Small Security Teams

by RSI Security January 9, 2026January 9, 2026

written by RSI Security

Almost every enterprise has a CISO, but most small and growing businesses do not. That’s where a vCISO comes in. Acting as a virtual security leader, a vCISO provides governance, strategic direction, and decision-making support, helping organizations build and mature their security programs without the cost of a full-time executive. For growing teams, a vCISO fills a critical leadership gap and ensures security initiatives align with business goals.

January 9, 2026January 9, 2026 0 comment

Cyber Attacks Cybersecurity Solutions

Weekly Threat Report: Coupang Breach, FFF Compromise, and the Global Rise of AI-Driven Cybercrime

by RSI Security December 4, 2025December 4, 2025

written by RSI Security

This week’s cybersecurity landscape highlights the growing risk of data breaches and cyberattacks worldwide. A major Coupang data breach exposed sensitive information for millions of customers, while the French Football Federation experienced its latest targeted compromise. Meanwhile, security researchers warn that AI-powered cybercrime is accelerating across industries.
From digital marketplaces to national institutions, these incidents emphasize the urgent need for robust identity controls, insider risk mitigation, and AI-aware defensive strategies.

December 4, 2025December 4, 2025 0 comment

Global Cybersecurity Security Program Advisory

The Importance of Having and Maintaining a Data Asset List and how to create one

by RSI Security November 21, 2025November 20, 2025

written by RSI Security

Cybersecurity is no longer just about firewalls, antivirus tools, or encryption protocols. In 2025, with data breaches, regulatory pressure, and AI-driven threats at an all-time high, effective security starts with one essential task: understanding your data through a comprehensive data asset inventory.

Before you can protect sensitive information, you need to know what data you have, where it resides, who can access it, and how it flows across your environment. A well-maintained data asset inventory provides this visibility, helping organizations strengthen cybersecurity, streamline compliance, and improve operational oversight across every department.

November 21, 2025November 20, 2025 0 comment

Cyber Risk Assessments

Cyber Risk: Strategic Insights and Industry Benchmarks from the X-Analytics 2025 Report

by RSI Security November 10, 2025November 13, 2025

written by RSI Security

Cyber Risk is no longer just a technical concern; it’s a critical business and financial priority. The X-Analytics 2025 Annual Research Report highlights how modern organizations face evolving cyber threats, emphasizing that managing cyber risk is essential for strategic decision-making.

Based on proprietary research from 118 data sources across 21 industries, the report doesn’t just offer insights; it challenges business leaders to treat cyber risk with the urgency and importance it demands.

November 10, 2025November 13, 2025 0 comment

Governance, risk management, and compliance

Patch Management

Patch Management Best Practices 2025

by RSI Security November 7, 2025November 7, 2025

written by RSI Security

In 2025, Patch Management has become more critical than ever. As organizations rely on complex, cloud-native systems and AI-driven tools, new vulnerabilities are emerging faster than most teams can respond. A well-structured patch management program is essential to minimize cybersecurity risks, prevent costly downtime, and maintain compliance with frameworks such as NIST, HIPAA, and PCI DSS.

This guide explores the best practices for patch management that help organizations stay resilient, secure, and audit-ready in today’s rapidly evolving threat landscape.

November 7, 2025November 7, 2025 0 comment

Cyber Attacks NIST AI RMF Threat & Vulnerability Management

AI Attack Vectors: How Intelligent Threats Are Redefining Cybersecurity Defense

by RSI Security October 31, 2025October 31, 2025

written by RSI Security

The digital arms race is accelerating, and artificial intelligence (AI) is becoming both a weapon and a target. As AI systems increasingly interact, a new generation of attack vectors is emerging, where one intelligent system exploits another’s weaknesses at machine speed.

These aren’t theoretical threats. From prompt injection to feedback loop manipulation, malicious AI systems are already probing and exploiting vulnerabilities in other AIs. Understanding these attack vectors is critical to defending the next wave of intelligent infrastructure and maintaining trust in automated decision-making.

October 31, 2025October 31, 2025 0 comment

PCI DSS Penetration Testing

Understanding PCI 11.4.1

by RSI Security October 17, 2025October 17, 2025

written by RSI Security

Achieving PCI DSS compliance requires implementing and testing multiple security controls to protect cardholder data. One of the most demanding requirements, PCI DSS 11.4.1, calls for both internal and external penetration testing to proactively detect and mitigate emerging threats.
Is your organization ready to meet the latest PCI DSS 11.4.1 standards? Request a consultation today to ensure you’re fully compliant.

October 17, 2025October 17, 2025 0 comment

Cybersecurity Solutions

Cyber Hygiene Checklist: Back to the Basics

by RSI Security October 16, 2025October 17, 2025

written by RSI Security

In today’s hyperconnected world, cybersecurity threats are more widespread and sophisticated than ever. Both organizations and individuals face growing risks from cyberattacks that often exploit simple human errors and overlooked system vulnerabilities. IT teams are under constant pressure to maintain performance while adapting to new technologies and evolving threats. Yet, with limited resources and a global shortage of skilled professionals, maintaining strong cyber hygiene is one of the most effective ways to close security gaps and build long-term resilience.

October 16, 2025October 17, 2025 0 comment

Virtual CISO

Top Benefits of Hiring a vCISO

by RSI Security October 6, 2025October 7, 2025

written by RSI Security

Cybersecurity leadership is critical to every organization’s success, and that’s where vCISO services make a difference. As data breaches and ransomware attacks rise globally, businesses face billions in losses every year. Cybersecurity Ventures’ 2024 Cybercrime Report projects that cybercrime will cost the global economy $10.5 trillion annually by 2025, up from $3 trillion in 2015. These losses stem from data destruction, theft, fraud, and reputational harm.

To combat this, governments are tightening cybersecurity regulations, and organizations are turning to virtual Chief Information Security Officer (vCISO) services to strengthen their defenses and meet compliance demands.

October 6, 2025October 7, 2025 0 comment

Third Party Risk Management

Phishing Risk by Industry 2025: Benchmarks & Threat Insights

by RSI Security October 3, 2025December 5, 2025

written by RSI Security

Phishing Risk continues to dominate the threat landscape in 2025. As attackers evolve their tactics to bypass technical defenses, businesses face a critical question: How likely are employees to fall for a phishing attempt?

KnowBe4’s latest Phishing by Industry Benchmarking Report 2025 provides a data-driven answer. Based on results from 56 million simulated phishing tests across 55,000+ organizations, the report reveals average Phishing-Prone Percentages (PPP) across industry sectors, company sizes, and regions.Let’s explore the top takeaways, and how to proactively reduce your organization’s phishing risk.

What is the Phishing-Prone Percentage (PPP)?

The Phishing-Prone Percentage (PPP) is the percentage of users who clicked on a simulated phishing email during testing. It reflects how vulnerable your employees are to phishing before any training.

In the 2025 benchmarking study, KnowBe4 analyzed simulation results across:

19 different industry sectors
9 geographic regions
3 company size categories

The findings deliver critical insight into how susceptible specific verticals are, and how well training programs actually work.

Initial Phishing Risk in 2025: Benchmarking by Industry

The average baseline PPP across all industries was 34.3 percent, meaning over one in three employees clicked on a phishing link without training. But some industries performed significantly worse.

Industries with the Highest Initial PPPs:

Hospitality – 52.9%
Education – 50.2%
Pharmaceuticals – 48.2%
Healthcare & Medical – 46.9%
Energy & Utilities – 45.8%

These sectors are high-risk due to sensitive data, high employee turnover, or frequent external communication, all factors that increase phishing vulnerability.

Industries with the Lowest Initial PPPs:

Technology – 28.5%
Finance & Banking – 29.8%
Insurance – 30.1%

Organizations in these industries tend to have more mature cybersecurity programs and stricter access controls.

Phishing Risk by Company Size

Company size plays a role in phishing vulnerability, but not in the way many expect:

Small organizations (1–249 employees): More vulnerable due to limited resources
Mid-sized organizations (1,000–2,500 employees): Highest average PPP across the board
Large enterprises (10,000+ employees): Lower PPPs thanks to stronger governance and layered defenses

Regardless of size, no organization is immune, especially without ongoing training.

Assess your Third Party Risk Management

Training Works: How PPP Drops Over Time

The most impactful takeaway from KnowBe4’s 2025 report? Security awareness training works, fast and sustainably.

Organizations that implemented consistent phishing simulations and training saw a massive drop in PPP:

Timeline After Training	Average PPP
Initial Baseline	34.3%
After 90 Days	17.2%
After 12 Months	4.6%

That’s an 86 percent reduction in phishing vulnerability over one year.

Phishing Tactics: What Lures Are Employees Falling For?

KnowBe4’s simulations use real-world phishing templates designed to mimic what attackers actually send. The most effective lures in 2025 include:

IT alerts: “Password expired. Click here to reset.”
Delivery notifications: “FedEx: Your package is delayed.”
HR notices: “Policy update: View changes to PTO benefits.”
Account security warnings: “Suspicious login detected.”

These messages rely on urgency, fear, or curiosity, triggering emotional responses before critical thinking kicks in.

How to Reduce Phishing Risk in Your Organization

Based on the 2025 benchmark data, here are the most effective strategies for reducing phishing exposure:

Invest in Security Awareness Training: Train employees continuously, not just once a year. Tailor content by department and role.
Launch Ongoing Phishing Simulations: Test your workforce with simulated phishing campaigns. Use results to identify high-risk users.
Measure Your Own PPP and Benchmark It: Compare your phishing-prone rate against KnowBe4’s industry averages to assess your risk.
Layer Technical Controls: Use secure email gateway, DNS filtering, and multi-factor authentication to block phishing payloads.
Build a Security-First Culture: Reward users for reporting suspicious emails and normalize asking IT for help.

In Closing: Understand the Risk, Train to Prevent It

The Phishing by Industry Benchmarking Report 2025 underscores a hard truth: technical defenses alone aren’t enough. People are the last line of defense, and often the first target.

The most at-risk industries in 2025 are those that interact with sensitive data, the public, or third-party vendors. But no sector is truly safe without training.

Want to benchmark your organization’s PPP and improve employee resilience? RSI Security provides tailored phishing simulation services, role-based awareness training, and advisory to help reduce human cyber risk.

Schedule A Third Party Risk Management service

October 3, 2025December 5, 2025 0 comment