KnowBe4 released a new report, Africa Human Risk Management Report 2025. The report reveals a mismatch between employer perceptions and employee experience of organisational cybersecurity in key African industries, with potentially costly consequences.
The report captures insights from cybersecurity decision-makers across 30 African countries. One of the biggest themes the survey uncovers is a mismatch between perception and reality; what employers believe is not necessarily what employees feel or experience.
In key growth industries across the continent, cybersecurity preparedness and the actual structures needed to support secure behaviour seem misaligned.
The report highlights, for instance, that just 10% of cybersecurity leaders are fully confident that staff would report a phishing attack or other cyberthreat, despite rating employee security awareness of cyberthreats at four out of five or higher. Furthermore, a significant perception gap exists between decision-makers and general employees in Africa regarding security awareness training, with 68% of leaders believing that training is tailored to roles, compared to only a third of employees feeling adequately trained.
This contrast is underscored by the data, which shows a difference between what leaders believe about the effectiveness of security awareness training and what employees actually experience. This is further emphasised by the fact that many organisations only conduct annual or biannual training that is too generic to effectively change behaviour, contributing to uncertainty about its effectiveness.
Previous end user-based responses revealed that only 43% of African respondents felt confident in their ability to recognise a cyberthreat, and just one in three believed their security awareness training was adequately tailored to their role. This comparison suggests the development of a dangerous perception gap in many organisations.
“There is a disconnect between what leaders think is happening and what employees are actually experiencing,” says Anna Collard, SVP content strategy & evangelist at KnowBe4 Africa. “The data shows that without procedural and cultural follow-through, awareness simply does not translate into readiness.”
The KnowBe4 Africa Human Risk Management Report 2025 offers a glimpse into human cyber risk, reflecting the real challenges – and overlooked opportunities – facing African organisations.
Key findings
• Confidence vs. awareness: While cybersecurity awareness is high, leaders express uncertainty about their workforce’s ability to act on that awareness. Many feel employees may overestimate their capabilities in recognising, reporting, and mitigating threats. Larger organisations face greater challenges as they tend to train less frequently (often biannually or annually) and have lower confidence in their employees’ incident response capabilities compared to smaller organisations.
• The need for adaptive and personalised security awareness training: Many organisations, across various sectors, fail to personalise security awareness training to specific roles or risk exposures. Sectors such as manufacturing and healthcare are particularly susceptible to using one-size-fits-all training approaches, where 50% and 40%, respectively, report no personalisation whatsoever. Tailoring addresses the specific needs and risks associated with different roles and sectors, resulting in more effective security awareness.
• Widespread BYOD usage: A large percentage of employees (between 41% and 80%) use their personal devices for work. The BYOD (Bring Your Own Device) trend introduces security risks because personal devices often lack adequate security measures. This can make organisations more vulnerable to breaches.
• AI policy development is lagging: Many organisations (46%) are still in the process of developing policies for using AI tools in the workplace. Without clear guidelines, employees might use AI in ways that create security vulnerabilities for their organisations. Establishing clear AI governance is crucial to mitigate these risks.
• Regional variation: Southern Africa trains more, East Africa governs AI better, and West/Central Africa sees the most human-related security incidents.
“This report reveals a critical paradox in African cybersecurity: while organisations feel aware and prepared, significant blind spots remain, especially concerning how they manage human risk,” Collard notes. “The continent’s cybersecurity posture may be more confident than it is truly resilient.”
The report concludes with a roadmap for turning awareness into action, including role-specific training, measurable outcomes, AI policy development and better reporting structures.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.