HongKe

[Hongke Solutions] Employees are the biggest security asset: KnowBe4 helps organizations avoid human risks

Phishing attacks are evolving at an unprecedented rate. KnowBe4, the world's largest security awareness training platform, has tracked phishing trends over a long period across 14.5 million users, 62,400 organizations and 67.7 million simulated phishing tests; this data gives companies an authoritative Phish-Prone Percentage (PPP) and risk insights.

This year's report shows that the global average failure rate on the first test is as high as 33.1%. The breakdown by industry shows that the medical, insurance and retail industries are the most vulnerable to attack. Meanwhile, AI-generated phishing emails and spoofed emails from internal accounts have become more insidious, posing a more serious challenge to traditional technical defenses.

For companies, insufficient staff development, increasing cross-border factors and a lack of localized phishing simulations further increase the risk. The challenge is not only technical, but also one of employee behavior and security culture. Understanding the key data and trends is the first step in developing a training strategy.

Core Data Insights

Comparison of Global PPP and Industry

In the first stage, before any security awareness training (SAT), the baseline phishing vulnerability rate (PPP) for global businesses was 33.1%. In other words, one in three employees is vulnerable to phishing emails and social engineering attacks.

  • Global Data PPP: 33.1%, with about one-third of the workforce vulnerable.

Digging deeper, we found that more than half of the industries (10 out of 19) have PPP First Test averages above this baseline. For organizations of all sizes, the following industries are the most at risk:

  • Industry Comparison (First Test Failure Rate):
  • Medical and Health Care: 41.9%
  • Insurance: 39.2%
  • Retail & Wholesale: 36.5%

The data shows that employees in industries handling highly sensitive information and in customer-facing business operations are more likely to be targeted, with first-test failure rates significantly above average. Only five industries had a PPP below 30%, and even there more than a quarter of employees were vulnerable to phishing attacks: Transportation (29.9%), Business Services (29.6%), Consumer Services (29.5%), Legal (28.5%), and Government (28.2%).

The bigger the business, the greater the risk

On average, companies with more than 10,000 employees have a PPP as high as 40.5%; companies with 1,000-9,999 staff have a PPP of 33.7%; companies with 250-999 staff have a PPP of 28.7%; in contrast, companies with 1-250 staff have a PPP of only 24.6%.

This is explained by the fact that more people means more emails and more fingers to click on links, and it is harder to raise collective awareness across a larger workforce. The risk profile varies by industry and organization size, but overall the greatest risk is concentrated in the larger enterprises.

Phishing Risk Can Be Driven Down and Kept Low

The good news is that after just 90 days of best-practice training, phishing risk can be significantly reduced across all industries. The global average PPP falls to 19.8% (roughly one in five employees), a reduction of over 40%.

The situation continues to improve: 12 months later, the average PPP has declined by 86% to 4.1%, and the downward trend continues. With continued training, the average PPP could fall to 3.7% after two years and even to 2.6% after three years. This decline has been observed in all sectors.

Corporate Training Effectiveness Analysis

| Enterprise Size | Number of Employees | Baseline PPP (First Test Failure Rate) | Average Improvement Rate (one year after SAT) | High-Risk Sectors (Baseline PPP ≥ 30%) | Industries with the Best Training Results |
|---|---|---|---|---|---|
| Large Enterprises | 1,000-10,000 | 33.7% | 87% | Healthcare & Pharmaceuticals (41.1%), Banking (39.5%), Financial Services (38.4%), Energy & Utilities (37.2%) | Healthcare & Pharmaceuticals, Hospitality, Legal: 91% improvement rate; Legal has the lowest click rate one year after SAT at 3.1% |
| Medium-sized Enterprises | 250-999 | 28.7% | 86% | Nonprofit (31.7%), Insurance (31.6%), Healthcare & Pharmaceuticals (31.4%), Retail (31.5%), Banking (30.4%), Consumer Services (30.1%) | Banking click rate down 91.8% (to 2.5%), Transportation 89%, Energy & Utilities 88%, Manufacturing 87%, Transportation 87%, Financial Services 87% |
| Small Business | 1-249 | 24.6% | 85% | Nonprofit (27.5%), Insurance (26.9%), Healthcare & Pharmaceuticals (26.6%), Retail (26.5%) | Banking click rate down to 2% (a 90% decrease); Energy & Utilities, Transportation, Construction, Education all at 87% |

Table notes:

  • Baseline PPP: the higher it is, the more likely employees were to click on a phishing link in the first test.
  • Average Improvement Rate: the overall effect of 12 months of training.
  • High-Risk Sectors: sectors with a higher baseline PPP.
  • Industries with the Best Training Results: the largest decrease in risk, or the lowest click rate, after SAT.

While large enterprises have abundant training resources and can achieve more significant improvements, small and medium-sized enterprises rely on tools and automation templates to compensate for limited training coverage.

Asia Pacific Data

  • First Test Failure Rate: 28.6%
  • After 12 months of continuous training: down to 5.2%
  • Training Effect: click-through rate down 81.8%

The Asia-Pacific data confirms the effectiveness of continuous training and phishing simulations; it also reminds companies not to overlook regional differences and localization needs.

Phishing Attack Trends

  • Total phishing email volume grew 17.3%
  • Attacks evading Microsoft's native defenses and secure email gateways grew 47%
  • 82.6% of phishing emails use AI-generated content
  • Attacks are increasingly stealthy, including fake internal emails and imitations of executive approvals or financial audit requests

AI has made phishing emails more realistic and harder to recognize, even for trained security professionals. Within the next two years, some traditional detection mechanisms may become ineffective.

Solution Direction: KnowBe4 Value Realization

Continuous Training and Simulated Phishing

  • Through a 12-month training program, global PPP fell from 33% to 6%
  • Asia-Pacific PPP fell from 28.6% to 5.2%
  • Significantly reduces the risk of employees clicking on malicious links and raises the overall level of security protection.

Multi-language and automation template update

  • Supports cross-border training in multiple languages, covering multiple forms of expression and multiple security scenarios.
  • Automatically generates the latest phishing scenario templates to quickly cover emerging attack techniques.

AI Scenario Generation

  • Generates more realistic and targeted phishing simulations
  • Strengthens employees' ability to recognize attacks by bringing training closer to real-life attack scenarios

KnowBe4 is more than just "training"!

  • Coverage of 35+ languages, focusing on compliance, attack identification and risk response
  • Built-in AI phishing simulation system that automatically generates customized test scenarios
  • Strong behavioral analysis mechanism enabling personalized feedback and retraining
  • Fully automated training process, greatly simplifying administration
  • Seamless integration with HRIS, security gateways, etc.
