The new KnowBe4 Africa Human Risk Management Report 2025 has revealed a major disconnect between African business leaders’ confidence in cybersecurity awareness and the reality on the ground.
The report, based on responses from 124 senior cybersecurity leaders across 30 African countries, found that while most organisations rate staff awareness highly, only 10% of leaders are fully confident employees would report phishing attempts or suspicious activity.
Key findings include:
1. Training Gaps Undermine Readiness
- 68% of leaders claim security training is role-specific, yet many employees receive generic, one-size-fits-all programs, often just once or twice a year.
- Manufacturing and healthcare firms are most affected, with 50% and 40% respectively admitting they provide no tailored training at all.
2. Infrequent Phishing Simulations
- 90% of organisations run phishing tests, but only 7% conduct them monthly.
- The largest group (40%) tests staff just twice a year, leaving employees ill-prepared for real-world threats.
3. BYOD and Shadow AI Risks
- Between 41% and 80% of employees use personal devices for work, many without proper security controls.
- In North Africa, BYOD exposure reaches up to 80%, but training levels remain the lowest.
- 46% of organisations admit their AI governance policies are still “in development”, creating risks from unsanctioned use of AI tools.
4. Regional Contrasts
- Southern Africa leads in training frequency, with 44% of companies conducting quarterly sessions.
- East Africa is ahead on AI governance, with 50% already having formal policies.
- West and Central Africa report the highest number of human-related security breaches.
5. Urgent Call for Change
Anna Collard, SVP at KnowBe4 Africa, warned:
“There’s a disconnect here — between what leaders think is happening and what employees are actually experiencing. Without procedural and cultural follow-through, awareness simply doesn’t translate into readiness.”
The report calls for role-based training, stronger incident reporting systems, clear AI governance, and region-specific strategies to close Africa’s growing cybersecurity divide.