KnowBe4 2025 Report
2025-06-19 03:05:21

New KnowBe4 Japan Report Reveals Critical Phishing Risks in 2025

KnowBe4 Japan's 2025 Phishing Benchmarking Report



KnowBe4 Japan, a leader in human risk management and organizational security culture development, has recently released the "2025 Phishing Benchmarking Report for the Asia Region." This report aims to provide insights into phishing susceptibility and the vulnerabilities organizations face due to social engineering threats.

One of the key metrics included in the report is the "Phish-prone™ Percentage (PPP)," which indicates the proportion of employees likely to fall for phishing scams within various industries. This year's report highlights a global baseline PPP of 33.1%, suggesting that before initiating security awareness training (SAT), about one in three employees were susceptible to simulated phishing attacks.

Data presented in the report underscores the substantial impact of SAT on risk mitigation: global PPP scores dropped significantly after the training was implemented. Specifically, a 40% decrease was observed within just three months, and a staggering 86% decrease over the subsequent twelve months. This demonstrates that effective and continuous training instills lasting behavior changes and significantly reduces vulnerability to cyber threats, underscoring the importance of ongoing security education in creating a robust security culture within organizations.

In this report, KnowBe4 analyzed data from 62,400 organizations and more than 14.5 million users, aggregating results from over 67.7 million global phishing simulation tests. The reported baseline PPP of 33.1% reflects the vulnerability of organizations prior to implementing KnowBe4's training strategy. Employees underwent SAT and after ninety days, their PPP was recalculated; additional long-term training for over a year further quantified the effectiveness of the program.

Key Findings on a Global Scale:


  • The top three industries with the highest phishing risk include Healthcare and Pharmaceuticals at 41.9%, Insurance at 39.2%, and Retail at 36.5%.
  • Large organizations with over 10,000 employees showed an initial risk of 40.5%, compared to just 24.6% in organizations with 1 to 250 employees.
  • Within organizations of 1,000-9,999 employees, significant improvements of 91% in PPP scores were achieved in the Healthcare, Hospitality, and Legal sectors after a year of continuous training.
  • Regionally, South America exhibited the highest baseline PPP at 39.1%, North America at 37.1%, and Australia/New Zealand at 36.8%.

Insights from the Asia Region:


  • The Asia region recorded the lowest initial phishing risk worldwide, with a baseline PPP of 28.6%.
  • For organizations with over 1,000 employees, the baseline PPP stands at 29%, while it is significantly lower at 24.3% for those with 1 to 249 employees.
  • The insurance sector recorded the highest baseline PPP at 43.6%, exceeding the regional average by 15%. Other high-risk sectors include Banking at 39.1%, Education at 37.9%, Hospitality at 36.7%, and Non-Profit organizations at 33%.

With the rise of generative AI making phishing emails in various languages easier to produce, non-native English speakers are increasingly likely to disregard potentially suspicious emails, thereby amplifying attack risks.

Stuart Shauerman, CEO of KnowBe4, commented, "Data doesn't lie. It's clear that the effectiveness of security awareness training is distinctly represented in these statistics. Trends from 2024 to 2025 show many employees—about a third—clicked simulated phishing links before training. However, by 2025, we see slight improvements; a 3.5% reduction in global baseline PPP indicates a positive shift in security awareness. Nonetheless, full eradication of phishing risk necessitates a further push in consciousness within each organization. Prioritizing relevant, participative training alongside simulation can strengthen human risk management strategies and enhance organizational security culture."

Tsutomu Hirose, security evangelist at KnowBe4 Japan, remarked on the report's findings, "Cyberattacks have become increasingly sophisticated, particularly those targeting individuals. Even with robust technical measures, vulnerabilities will always exist due to human factors in cybersecurity risk. The benchmarking data in this report will enable organizations to analyze their current situations and optimize their attack surface management. Regular phishing training is instrumental in elevating employee security awareness and skills, thus comprehensively strengthening security across the supply chain. Through this report, KnowBe4 hopes that more organizations will adopt data-driven effective security awareness programs, contributing to an overall elevation in organizational security levels."

For more details, please check out the full text of KnowBe4’s 2025 Phishing Benchmarking Report for the Asia region.

To achieve sustainable growth, it is crucial for every employee to perceive human risks and cybersecurity as personal responsibilities. By nurturing a security-focused culture and embedding it into organizational behavior, human risks can be significantly minimized. KnowBe4 Japan will continue to support the development of a security culture through its human risk management platform, HRM+, assisting organizations in effectively managing their risks.

