
A new report from KnowBe4 Africa highlights a significant gap between perceived and actual cybersecurity readiness among African organisations.
The 2025 Africa Human Risk Management Report, based on a survey of 124 decision-makers across 30 countries, underscores that awareness does not always translate into resilience.
The survey found that over 41% of organisations struggle to measure the effectiveness of their security awareness training (SAT), despite widespread investment in such programmes. Only 10% of respondents expressed full confidence that their employees would report suspicious emails or threats, exposing a critical weakness in incident response readiness.
Notably, while 68% of organisations claim to tailor SAT by role, the second-most cited challenge remains aligning training to specific roles and risks.
Larger enterprises, in particular, reported lower training frequency and confidence levels than smaller firms, suggesting that growth can dilute effective governance if not carefully managed.
The report identified five key fault lines in Africa’s cyber readiness:
- Overconfidence versus reality: High awareness but low readiness to act effectively during incidents.
- Unmanaged BYOD and shadow AI risks: Widespread use of personal devices and unregulated AI tools without sufficient controls.
- Ineffective training: One-size-fits-all approaches that fail to impact behaviour or meet role-specific needs.
- Blind spots in large enterprises: Lower training frequency and weaker oversight as companies grow larger.
- Stark regional contrasts: Significant differences in strengths and weaknesses across African regions, requiring tailored strategies.
Regional findings:
- North Africa: Highest BYOD exposure (61–80% of employees) and lowest training frequency, suggesting elevated operational risks.
- East Africa: Proactive AI governance, with 50% of organisations already implementing AI policies.
- Central and West Africa: Highest proportion of human-related security incidents (51–75%), highlighting a critical need for stronger mitigation strategies.
- Southern Africa: Leads in training frequency (44% conduct quarterly sessions) but lags in AI governance, with 56% reporting no AI policies in place.
Another pressing issue is that phishing simulations are underutilised.
According to KnowBe4, only 7% of African organisations conduct them monthly, with most limiting tests to one or two times a year. This low frequency undermines employees’ ability to recognise real threats consistently, as highlighted by the “prevalence effect,” which shows rare events are often overlooked.
Furthermore, 46% of organisations admitted their AI policies remain “in development,” raising concerns about unregulated use of AI tools and their potential misuse.
Incident reporting procedures also remain underdeveloped, with many organisations lacking formalised, trusted mechanisms for employees to report potential threats.
Senior executives tend to focus on strategic gaps such as AI oversight and incident reporting, whereas managers and security staff emphasise day-to-day training and implementation challenges.
The report recommends that African organisations adopt role-specific and measurable training programmes, formalise reporting structures, close the AI governance gap, and adapt strategies to regional and sectoral contexts. These measures aim to align perceived awareness with effective, actionable practice.
KnowBe4, which provides the world’s largest security awareness training and simulated phishing platform, emphasises that the human element remains both the greatest vulnerability and the strongest potential defence.
As the report concludes, “Awareness is only the beginning. The future of Africa’s cybersecurity depends on the actions that follow.”