Category: Third Party Risk Management

  • Phishing Risk by Industry 2025: Benchmarks & Threat Insights

    Phishing continues to dominate the threat landscape in 2025. As attackers refine their lures to slip past technical defenses, businesses face a critical question: how likely are employees to fall for a phishing attempt?

    KnowBe4’s latest Phishing by Industry Benchmarking Report 2025 provides a data-driven answer. Based on results from 56 million simulated phishing tests across 55,000+ organizations, the report reports average Phishing-Prone Percentages (PPP) across industry sectors, company sizes, and regions. Let’s explore the top takeaways, and how to proactively reduce your organization’s phishing risk.

     

    What is the Phishing-Prone Percentage (PPP)?

    The Phishing-Prone Percentage (PPP) is the percentage of users who fell for a simulated phishing email during testing, typically by clicking the link, but also by opening an attachment or entering credentials. It is a count of users, not of clicks: a user who fails several emails still counts once. The baseline PPP is measured before any training and reflects how vulnerable employees are to phishing out of the box.

    In the 2025 benchmarking study, KnowBe4 analyzed simulation results across:

    • 19 different industry sectors
    • 9 geographic regions
    • 3 company size categories

    The findings deliver critical insight into how susceptible specific verticals are, and how well training programs actually work.


    Initial Phishing Risk in 2025: Benchmarking by Industry

    The average baseline PPP across all industries was 34.3 percent, meaning over one in three employees clicked on a phishing link without training. But some industries performed significantly worse.

    Industries with the Highest Initial PPPs:

    • Hospitality – 52.9%
    • Education – 50.2%
    • Pharmaceuticals – 48.2%
    • Healthcare & Medical – 46.9%
    • Energy & Utilities – 45.8%

    These sectors are high-risk due to sensitive data, high employee turnover, or frequent external communication, all factors that increase phishing vulnerability.


    Industries with the Lowest Initial PPPs:

    • Technology – 28.5%
    • Finance & Banking – 29.8%
    • Insurance – 30.1%

    Organizations in these industries tend to have more mature cybersecurity programs and stricter access controls.

     

    Phishing Risk by Company Size

    Company size also matters, but the relationship is not simply “bigger is safer”:

    • Small organizations (1–249 employees): more vulnerable than large enterprises, typically because they lack dedicated security staff and tooling
    • Mid-sized organizations (1,000–2,500 employees): highest average PPP of the three size bands
    • Large enterprises (10,000+ employees): lowest PPPs, helped by stronger governance and layered defenses

    Regardless of size, no organization is immune, especially without ongoing training.

     


     

    Training Works: How PPP Drops Over Time

    The most impactful takeaway from KnowBe4’s 2025 report? Security awareness training works, and the effect shows up quickly and holds over time.

    Organizations that implemented consistent phishing simulations and training saw a massive drop in PPP:

    Timeline after training    Average PPP
    Initial baseline           34.3%
    After 90 days              17.2%
    After 12 months             4.6%

    That is a drop from 34.3% to 4.6%, a relative reduction of roughly 87 percent in phishing-prone users over one year. Note that the 90-day and 12-month figures come from organizations that kept running simulations and training for the whole period; a single annual session should not be expected to produce the same curve.

     

    Phishing Tactics: What Lures Are Employees Falling For?

    KnowBe4’s simulations use real-world phishing templates designed to mimic what attackers actually send. The most effective lures in 2025 include:

    • IT alerts: “Password expired. Click here to reset.”
    • Delivery notifications: “FedEx: Your package is delayed.”
    • HR notices: “Policy update: View changes to PTO benefits.”
    • Account security warnings: “Suspicious login detected.”

    These messages rely on urgency, fear, or curiosity, triggering emotional responses before critical thinking kicks in.

     

    How to Reduce Phishing Risk in Your Organization

    Based on the 2025 benchmark data, here are the most effective strategies for reducing phishing exposure:

    • Invest in Security Awareness Training: Train employees continuously, not just once a year. Tailor content by department and role.
    • Launch Ongoing Phishing Simulations: Test your workforce with simulated phishing campaigns. Use results to identify high-risk users.
    • Measure Your Own PPP and Benchmark It: Compare your phishing-prone rate against KnowBe4’s industry averages to assess your risk.
    • Layer Technical Controls: Use a secure email gateway and DNS filtering to block phishing payloads and the domains they call back to, and deploy phishing-resistant multi-factor authentication (FIDO2/WebAuthn) so that a harvested password alone is not enough. Push- and code-based MFA still helps, but it can be relayed by adversary-in-the-middle phishing kits, so it does not remove the need for training.
    • Build a Security-First Culture: Reward users for reporting suspicious emails and normalize asking IT for help.
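    The PPP definition above, the before/after table, and the advice to measure and benchmark your own rate all come down to the same calculation. The following is an added example (not code from the report or from KnowBe4; the CSV layout, column names and the sample rows are constructed for illustration) showing how to compute a PPP correctly from a simulation export: unique users who failed divided by unique users tested, so a user who clicked two emails in one campaign counts once, with a per-department breakdown, the relative reduction between two campaigns, and the gap to an industry benchmark.

```python
import csv
import io

# Constructed sample export, not real KnowBe4 data. One row per email sent, so a
# user can appear more than once in a campaign (alice got two baseline emails).
SAMPLE_CSV = """campaign,user,department,action
baseline,alice,finance,clicked
baseline,alice,finance,clicked
baseline,bob,finance,reported
baseline,grace,finance,none
baseline,heidi,finance,none
baseline,carol,hr,entered_credentials
baseline,dave,hr,none
baseline,erin,it,clicked
baseline,frank,it,clicked
90d,alice,finance,reported
90d,bob,finance,none
90d,grace,finance,none
90d,heidi,finance,reported
90d,carol,hr,clicked
90d,dave,hr,none
90d,erin,it,reported
90d,frank,it,none
"""

# Any of these counts as a failure. Ignoring the email or reporting it does not.
RISKY_ACTIONS = {"clicked", "opened_attachment", "enabled_macro", "entered_credentials"}


def load_results(text):
    """Parse a CSV export (assumed column names above) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def phishing_prone_percentage(rows, campaign, department=None):
    """PPP for one campaign: unique users who failed / unique users tested, in percent.

    Users are deduplicated with sets, so repeated clicks by one user count once.
    Raises ValueError when nobody was tested rather than silently reporting 0%.
    """
    tested, failed = set(), set()
    for row in rows:
        if row["campaign"] != campaign:
            continue
        if department is not None and row["department"] != department:
            continue
        tested.add(row["user"])
        if row["action"] in RISKY_ACTIONS:
            failed.add(row["user"])
    if not tested:
        raise ValueError(f"no users tested in campaign {campaign!r}")
    return 100.0 * len(failed) / len(tested)


def ppp_by_department(rows, campaign):
    """Per-department PPP, to find the groups that need targeted training first."""
    departments = sorted({r["department"] for r in rows if r["campaign"] == campaign})
    return {d: phishing_prone_percentage(rows, campaign, d) for d in departments}


def relative_reduction(baseline_ppp, later_ppp):
    """Percent drop from the baseline PPP (34.3 -> 4.6 is about 86.6%)."""
    if baseline_ppp <= 0:
        raise ValueError("baseline PPP must be positive")
    return 100.0 * (baseline_ppp - later_ppp) / baseline_ppp


def gap_to_benchmark(own_ppp, industry_ppp):
    """Percentage points above (+) or below (-) an industry benchmark PPP."""
    return own_ppp - industry_ppp


if __name__ == "__main__":
    rows = load_results(SAMPLE_CSV)
    base = phishing_prone_percentage(rows, "baseline")
    later = phishing_prone_percentage(rows, "90d")
    print(f"baseline PPP {base:.1f}%, 90-day PPP {later:.1f}%, "
          f"reduction {relative_reduction(base, later):.1f}%")
    for dept, value in ppp_by_department(rows, "baseline").items():
        print(f"  {dept:8s} {value:5.1f}%")
    print(f"gap to the 34.3% all-industry baseline: {gap_to_benchmark(base, 34.3):+.1f} points")
```

    Two details matter when you benchmark against the report’s figures: count users, not clicks, or a few repeat offenders will inflate the rate; and keep the denominator to users who actually received the test email, otherwise a small campaign aimed at one department looks better or worse than it is.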

     

    In Closing: Understand the Risk, Train to Prevent It

    The Phishing by Industry Benchmarking Report 2025 underscores a hard truth: technical defenses alone aren’t enough. People are the last line of defense, and often the first target.

    The most at-risk industries in 2025 are those that interact with sensitive data, the public, or third-party vendors. But no sector is truly safe without training.

    Want to benchmark your organization’s PPP and improve employee resilience? RSI Security provides tailored phishing simulation services, role-based awareness training, and advisory to help reduce human cyber risk.

     



  • Understanding the Role of Risk Control in Risk Management

    In cybersecurity terms, a “risk” represents how much harm a threat or vulnerability can cause to your personnel, clientele, and other stakeholders. The role of risk control in risk management is to proactively prevent and mitigate these threats, keeping an organization secure. (more…)

  • How to Craft a Foolproof Data Breach Management Policy

    Millions of customer and patient records are exposed every year as a result of ongoing data breaches that target every industry imaginable. A foolproof data breach management policy can help your team respond to these events, even mitigating some attacks from ever occurring in the first place—as long as everyone in your team is on the same page. (more…)

  • How to Implement a Business Risk Management Framework

    Implementing an integrated risk management process comes down to the following steps:

    • Installing cybersecurity architecture to minimize risk development
    • Monitoring for, identifying, and prioritizing risks for mitigation
    • Addressing and completely resolving incidents as they appear
    • Maintaining regulatory compliance in the face of security risks
    • Ensuring long-term security through continuity practices

    (more…)

  • Why and How to Implement Third Party Risk Monitoring

    Third party risk management (TPRM) depends on effective third party risk monitoring. Dramatic stakes necessitate accurate scoping, vulnerability analysis, and (ideally) advanced techniques. (more…)

  • Why is Third Party Risk Management Important? (Five Biggest Reasons)

    Vendors, suppliers, contractors, and other strategic partners all add to the scope of your IT environment, including additional risks to be managed. Accounting for the vulnerabilities and threats that come with the territory through third party risk management is a necessity to keep all stakeholders involved secure. (more…)

  • Five Steps to Effective Third Party Risk Assessment

    Impactful, efficient third party vendor risk management comes down to five critical steps: (more…)

  • Optimizing Third Party Vendor Risk Management for Financial Institutions

    Financial institutions with extended networks of strategic partners need to manage the risks that come along with navigating multiple IT environments simultaneously. Impactful third party risk management finds and neutralizes these threats, vulnerabilities, and compliance risks. (more…)

  • What is a Third-Party Risk Assessment Questionnaire?

    Years ago, businesses were relatively self-contained. The most important stakeholders were generally internal to a company, and strategic partners were fewer and more carefully chosen. Now, the globalized business environment we operate in is very different. Companies of all kinds and sizes make outsourcing a key component of their business model. That’s why a third-party risk assessment questionnaire is vital for any business.

    (more…)

  • Do You Need a Third-Party Risk Assessment Checklist?

    Third-party risk assessment checklists are growing more necessary with the expansion of digital transformation. Organizations of all sizes are vulnerable to back-door attacks in ways that they weren’t a decade ago.

    Imagine that your company spent thousands of dollars and hundreds of work hours meeting compliance standards. You invested in risk assessments, penetration testing, and you have a strong policy for software patching and employee phishing training. And after all you’ve done, your network is compromised thanks to lax cybersecurity on the part of one of your third-party vendors.

    Unfortunately, the scenario above was true for over half of the security breaches in 2018, and the number of breaches that enter through a third-party vendor keeps rising. It’s for this reason that your organization may require a third-party vendor management checklist.

     

    What is a Third-Party Vendor Risk Assessment Checklist?

    A vendor risk assessment checklist is an internal document that your cybersecurity team uses to reduce your exposure to attacks that arrive through third-party vendor vulnerabilities. Typically, the checklist is one piece of a broader vendor management cybersecurity policy.

    The purpose of this guide is to discuss whether or not your organization needs a third-party vendor management checklist. If it does, then we’ve outlined a working checklist to get you started on establishing a sustainable third-party risk management strategy.

     

    How Do You Know if Your Business Needs a Third-Party Vendor Management Checklist?

    It’s true that not every organization needs a third-party vendor management checklist. If your operation is small and doesn’t manage sensitive data – like consumer personally identifiable information (PII), employee, or proprietary information – then a vendor risk management checklist may not be necessary.

    Also, if you do not allow any vendors access to sensitive information, you may not need a vendor risk assessment checklist. However, you may need to have one if you intend to share sensitive information or grant network access to a third-party in the near future. Here are three reasons that your business may need a vendor management checklist.

     


     

    If Any Third Party Vendor has Access to Your Network or Data

    Most businesses partner with a third-party to serve clients. If any vendor has access to your network or data, then there’s a good chance that your business needs a vendor management checklist. This access could include remote access or vendor employees that visit your campus to fulfill their contracted services.

    If Your Business Must Meet Data Security or Consumer Data Privacy Compliance Standards

    Organizations that collect, manage, and share consumer data are accountable to at least one, and usually more than one, set of consumer data privacy laws. Organizations handling medical data must meet strict compliance standards for consumer data privacy and cybersecurity. If your business is one of these and partners with vendors in any capacity, you almost certainly need a vendor management checklist.

     

    If the Value of the Data Exceeds Prevention Costs

    Your business and client information holds a certain amount of monetary value. You should know the financial loss you would incur if that data were lost or stolen. If that loss exceeds the cost of preventative measures, such as cybersecurity controls, third-party vendor management policies, and penetration testing, then you must make sure that your vendors cannot undermine that security.

     

    What is Included in a Vendor Risk Assessment Checklist?

    If you’ve determined that your organization needs a third-party vendor management checklist, then the following set of questions will help you establish a third-party management program.

    It’s important to keep in mind that this questionnaire is by no means exhaustive. Your checklist may need to be more or less detailed depending upon your industry and the nature of your business.

     

    Is your organization compliant?

    This should go without saying. However, a surprising number of organizations concerned with third-party risk fail to meet minimum cybersecurity standards themselves. Investing in your own cybersecurity by ensuring compliance, training staff, and maintaining patching/updates is the first critical step in securing your network.

     

    Have you created a vendor management cybersecurity policy?

    If you work with or plan to work with third-party vendors, then company decision-makers should have a clear third-party management cybersecurity policy. The policy should outline how you determine if a vendor is a good choice, as well as how you engage your vendors on security controls. Your vendor risk assessment checklist forms only a piece of your overall vendor management policy.

     

    Do you have an accurate, up-to-date data map?

    Your data map shows all information that flows in and out of your organization, where it is stored, and who can access it. As you onboard new vendors, you should have a clear picture of which vendor will have access to what data.

     

    Did you perform due diligence on the third-party vendor to validate their credibility?

    Your vendors should have valid articles of incorporation, business licenses, proof of relevant compliance, physical locations that satisfy the applicable compliance standards, and a list of credible references. You should also check whether the vendor appears on any watch list (including global sanctions lists), whether key staff face criminal or civil proceedings, and whether the company itself is currently involved in litigation.

    Is the third party vendor in any kind of financial duress?

    It is appropriate to examine available financial statements and tax documents from your third-party vendors. Financial vulnerabilities often translate into mismanaged security.

     

    Does the vendor have a history of security breaches?

    A history of security breaches can indicate poor security policies and procedures. If a vendor has suffered a breach in the past, they should provide evidence of the remediation work performed to secure their own and their clients’ networks.

     

    Have you reviewed the vendor’s cybersecurity policies and procedures?

    Examining your vendors’ cybersecurity policies and procedures is a great indicator of how seriously they take their security and the security of their clients.

     

    Have you reviewed the vendor’s incident response plan?

    It’s critical that your vendor have a process for dealing with security incidents, no matter how small. Breach attempts often signal vulnerabilities. Organizations that monitor those attempts and patch software weaknesses are in a good position to protect their and your data.

     

    Does the vendor contract clearly state security expectations?

    Third-party vendor contracts should reflect your vendor management expectations as stated in your vendor management cybersecurity policy.

     

    Does the vendor contract allow you to terminate the work agreement if the vendor fails to meet security standards?

    Should it become apparent that one of your vendors is negligent or dishonest about their security policies and procedures, you must be free to take your business elsewhere.

     

    Is the vendor willing/able to disclose cybersecurity risk assessment results?

    A risk assessment is one of the best ways to quantify cybersecurity risk in real dollars and cents. Reviewing a vendor’s assessment results will give you a clear picture of your third-party risk.

     

    Is the vendor willing/able to complete third-party risk assessment questionnaires as needed?

    Most vendor management policies include recurring security questionnaires. How your vendors answer these questionnaires is also a valid way to assess your vendor risk.

     

    Is the vendor willing/able to provide penetration testing results?

    If your vendors are serious about cybersecurity, they have likely invested in penetration testing. Reviewing those pen test results, and the evidence that findings were fixed, gives you a further measure of the vendor’s security policies and procedures.

     

    Do you have someone assigned to manage your third-party risk?

    The most important part of your vendor management cybersecurity policy is assigning a person or team to monitor third-party risk. Clearly outlined vendor management responsibilities ensure that your vendors do not compromise your data or network.

     

    Key Takeaways

    If your organization manages sensitive information and hires third-party vendors to handle certain tasks, you more than likely need a vendor management cybersecurity policy and a third-party vendor management checklist.

    At RSI Security, we assist small and medium-sized businesses with affordable and reliable cybersecurity support. Our third-party risk management services oversee all matters pertaining to vendor risk management and back-door cyber attacks.