25 Oct, 2025

THE HUMAN FACTOR: CYBERSECURITY AWARENESS IN BUSINESS

This comprehensive report examines the escalating cybersecurity threat landscape facing businesses today, with particular focus on the human element that contributes to 68% of breaches. Through analysis of current data, case studies, and industry benchmarks, the report demonstrates how well-designed security awareness programs can dramatically reduce risk while identifying critical gaps in organiz

Executive Summary

Cyber threats continue to intensify. Recent data show a sharp rise in phishing, ransomware, and business-email-compromise (BEC) attacks, with email-based phishing cited as the vector in over 75% of targeted attacks. Many organizations respond by expanding budgets and controls (e.g. 66% plan higher security spending, 63% have email security measures in place, and large firms report ~87% adoption of multi-factor authentication). Yet human factors remain critical: 68% of breaches involve the human element, and SMB studies find only 42% of small/mid-size businesses provide regular security training. Untrained staff are highly vulnerable (e.g. ~34% fail phishing tests). The analysis shows that continuous, adaptive awareness programs (phishing simulations plus role-based training) dramatically improve outcomes – for example, phishing incidents drop by ~86% under robust training. Key findings include: (a) sustained, multi-channel training (not just annual lectures) yields the best engagement; (b) small businesses and resource-limited sectors are lagging in readiness; and (c) organizations must track metrics (phish-click rates, reporting rates, incidents) to gauge and boost program effectiveness. Based on these insights, we recommend that businesses adopt ongoing, measurable awareness strategies (e.g. frequent simulations, microlearning, executive involvement, and clear reporting channels) to strengthen their security posture.

Introduction and Background

The cyber threat landscape is evolving rapidly. High-profile data breaches and ransomware waves have made headlines worldwide, and statistics confirm a mounting tide of attacks. Industry reports note a year-over-year increase of ~30% in average weekly attack volume. Email-based phishing remains the single largest entry point: over 75% of targeted cyberattacks start with a malicious email. Ransomware and extortion incidents have surged, now accounting for roughly two-thirds of financially motivated breaches. Business Email Compromise (BEC) continues to inflict major losses (Australian data show ~$84 million in BEC losses, ~$55K average per incident). The recent Verizon 2024 Data Breach Investigations Report (DBIR) found that the human element contributed to 68% of breaches, underscoring the importance of addressing user behavior.¹⁴

Businesses recognize cybersecurity as critical. Many are increasing budgets and adopting controls. For example, ThoughtLab and PwC data indicate 66% of organizations plan to boost cyber budgets, and 48% of firms use the ISO 27001 framework. Yet gaps remain: only ~29–34% of companies globally require multi-factor authentication, and fewer than half of SMBs conduct regular training. This gap between awareness and execution is especially stark in smaller firms, which often see cyberattacks but lack the resources to fully defend against them.⁹¹⁰

Awareness programs aim to close this gap by educating employees and changing behavior. Effective programs combine education, simulated exercises, and a culture of security. In this context, we examine the latest data on cyber threats and on the prevalence and impact of awareness initiatives. We highlight how well-designed training can measurably reduce incidents and identify where businesses – particularly certain sectors – still lag behind.

Data and Analysis

Figure 1: Selected cybersecurity statistics (2024). Fortra/Terranova compilation highlights: ~118 days average breach dwell time, 46% of companies cite CEO support as key to security culture, 44% of users reuse passwords, and education sector saw ~2,507 attacks per week in Q1 2024.²

  • Threat Trends: Data show a clear upward trajectory of cyberattacks. In Q2 2024 organizations faced ~1,636 attacks per week (a 30% increase YoY). Phishing remains predominant – it is the vector in ~75% of targeted attacks – and ~80% of malicious phishing domains now use HTTPS, so the padlock icon no longer signals a safe site and detection is harder. Ransomware/extortion breaches account for ~60% of financially motivated attacks, with median losses ~$46,000 per incident. Emerging trends include increased "quishing" (QR-code phishing, up 25% in one year), deepfake vishing (30% of organizations report voice-phishing incidents), and multi-channel phishing (40% of campaigns now target apps like Teams or Slack). Business Email Compromise (BEC) is widespread: a recent industry survey found 64% of firms were hit by BEC in 2024, at ~$150K per incident on average. In summary, cyber threat data underscore that human-targeted attacks are pervasive and growing in sophistication.¹⁴¹²
  • Adoption of Cybersecurity Measures: Businesses report increasing adoption of technical and organizational controls, though gaps remain. According to a broad 2024 survey, 63% of companies deploy email security tools and 46% regularly test incident response plans (e.g. quarterly drills). Nearly half (48%) use ISO 27001/27002 or similar frameworks, and 50% outsource security operations (SOC) functions. However, user-side defenses are less universal: one report finds only ~29% of companies had enterprise-wide multi-factor authentication enabled. Adoption is highly size-dependent – for example, ~87% of very large firms (10k+ employees) use MFA, but only ~34% of SMBs do. Table 1 summarizes key adoption statistics by measure:²⁷

    Measure/Initiative                           | Adoption/Metric                                                        | Source
    ---------------------------------------------|------------------------------------------------------------------------|---------------------------------
    Regular security awareness training (SMBs)   | ~42% of SMBs provide regular cybersecurity training                    | CrowdStrike SMB Survey (2025)
    Multi-factor authentication (MFA)            | 87% of large enterprises vs ~34% of SMBs use MFA                       | JumpCloud/Expert Insights (2023)
    Email security measures                      | 63% of firms report using email filtering or security tools            | Fortra (2024)²
    Incident response testing (quarterly)        | 46% of organizations test incident response plans at least quarterly   | Deloitte/Fortra (2024)²
    Business Email Compromise losses             | $84M reported losses (Australia, FY2023–24)                            | ASD/ACSC (2024)¹
  • Awareness Initiatives and Prevalence: Typical awareness programs include online training modules, phishing simulation exercises, posters/newsletters, and security campaigns (e.g. Cybersecurity Awareness Month). While exact adoption of these initiatives is hard to pin down, surveys indicate many businesses have some training but vary in quality. For example, a KnowBe4 study found that ~34.3% of untrained employees will click a phishing email (reflecting widespread baseline risk). In SMBs, the CrowdStrike survey noted nearly all leaders acknowledge cyber risk, but only 42% actually conduct regular training, highlighting a "high awareness, low execution" gap.⁶⁸

  • Metrics for Effectiveness: Organizations track multiple indicators to assess training impact. Key metrics include phishing click/fail rates, reporting rates, incident counts, and training completion percentages. The 2024 Verizon DBIR reported that just ~20% of users report a simulated phishing email under routine training – a low baseline. Metrics from advanced programs show dramatic improvements: for instance, one security vendor reports that users' phishing-reporting rate (success rate) doubled from 34% to ~74–80% after a year of frequent adaptive training, while simulated click (failure) rates fell from 11% to <2%. Correspondingly, the expected annual number of phishing incidents in a 1,000-person company would drop from ~466 (with 20% click rate) to ~75 (with 3.2% click rate) – an ~86% reduction. Employee behavior surveys align with these figures: in one data set, ~60% of trained users reported simulated phishing emails (versus <20% before), indicating culture change. Other useful metrics include time-to-click and time-to-report (median ~21 s to click a malicious link) and board-level understanding of security stats (only 23% of companies say their security metrics are well understood by senior leadership). In sum, combining incident statistics (breaches, near-misses) with user-level metrics (phishing response rates, training completion) provides a comprehensive view of program effectiveness.⁴⁵¹⁰

Key Findings

  1. Human Risk Dominates: The majority of cyber incidents stem from human error or insider actions. Reports estimate ~68% of breaches involve human factors, and phishing/social engineering remain the most common vectors. Any effective defense must therefore focus on people as much as on technology.
  2. Training Dramatically Lowers Risk: Consistent evidence shows that well-designed awareness programs greatly improve security outcomes. For example, firms using frequent simulated phishing saw click rates plummet (~11%→<2%) and reporting jump (~34%→80%) over one year. This translated to ~86% fewer phishing incidents compared to static annual training. Other studies similarly note ~70% reductions in incidents with regular training (vendor-reported figures) or that trained users are far more cautious. Metrics confirm the impact: organizations that track phishing susceptibility and train accordingly see continual improvement in click/report rates and reduced breaches.
  3. Active, Adaptive Programs Work Best: The most effective initiatives are continuous and engaging. Programs combining periodic phishing simulations with just-in-time microlearning, gamified content, and clear reporting channels achieve higher user engagement (often >60% reporting rate) and behavior change than once-a-year lectures. Tabletop exercises, role-specific training (e.g. finance staff trained on BEC scenarios), and positive reinforcement (recognizing "Cybersecurity Champions") further enhance results. In contrast, organizations that do only rudimentary training (e.g. annual slide decks) see little change: Verizon's benchmark found only 20% report phishing even after basic programs, and one survey noted incident rates were nearly identical whether firms had a formal plan or not.⁴⁵
  4. Sectors Lagging Behind: Small and midsize businesses (SMBs) in particular are behind larger enterprises. Many SMBs have limited budgets and expertise: only ~42% have regular security training, and fewer than 15% of employees may receive any training. This leaves substantial exposure, especially as attackers increasingly target smaller firms. Certain industries also show shortfalls. For instance, healthcare and retail – despite being prime targets – have relatively few desk-based employees (and therefore thinner reporting data) and often under-invest in training and controls. The Hoxhunt data indicate that finance, manufacturing, mining, healthcare and retail are most frequently attacked, suggesting those sectors must double down on awareness. In all lagging cases, lack of top management support and measurement makes it harder to justify investment (only 23% of companies say security metrics are understood at board level, and only 46% cite visible leadership support).⁶³¹⁰
  5. Awareness Bolsters Overall Posture: Firms that cultivate a strong security culture – integrating awareness into everyday operations – enjoy broader benefits. Beyond reducing phishing clicks, such culture promotes faster incident reporting (reducing dwell time), better policy compliance (e.g. password hygiene), and even impacts risk management (60% of firms now consider cybersecurity in third-party decisions). In short, awareness initiatives not only prevent specific attacks, they strengthen vigilance and resilience across the organization. Conversely, neglecting people-centered defenses leaves the best technology undermined by that "one click" from an employee.¹⁰

Recommendations

To enhance cybersecurity via awareness, businesses should adopt a comprehensive, data-driven approach:

  • Implement Continuous Training Cycles: Move beyond annual courses. Deploy periodic (e.g. monthly or quarterly) interactive training and phishing simulations. Use adaptive content that adjusts to user performance (e.g. Hoxhunt-style adaptive training showed reporting climb from 7% to ~60% in one year). Incorporate varied formats – micro-learning videos, quizzes, gamified challenges, and real-case study discussions – to maintain engagement.
  • Make Phishing Drills Realistic and Measurable: Regularly send simulated phishing emails (and SMS/quishing attempts) across the organization. Track click and report rates for different groups. Set concrete improvement targets (e.g. reduce phishing failure rates by X% per quarter). Share results (anonymized) and iterate content on the most-missed traps. As benchmarks, aim for reporting rates well above 20% – best-in-class programs achieve ~60% – and failure rates under 5%.
  • Tailor Training to Roles and Context: Customize awareness content by department. Finance and HR, for example, should receive extra BEC/phishing focus (since BEC comprised ~25% of financial attacks). Technical staff need secure coding and configuration training; executives should get briefings on targeted attack trends. Also, address emerging threats relevant to your business (e.g. cloud credential theft, supply-chain malware). Reinforce lessons learned from actual incidents within the organization.¹²
  • Engage Leadership and Foster Security Culture: Secure visible buy-in from executives. Encourage leaders to publicly support security initiatives (e.g. attend training launch, sign awareness communications). Highlight statistics linking culture to outcomes (e.g. 46% of firms say CEO support drives a security-conscious culture). Include security goals in business objectives (one vendor reports 46% of companies see increased executive support improving culture). Recognize positive behaviors (spotting a phish, reporting an incident) through shout-outs or rewards to reinforce a "vigilance culture".¹⁰
  • Measure and Report Effectiveness: Define clear metrics from the outset. Track phishing click rates, reporting rates, training completion, incident numbers, and time-to-detect. Use dashboards or regular reports to show trends to stakeholders. Acknowledge improvements: for example, highlighting an 86% drop in simulated incidents after training builds trust. Use surveys or pre/post assessments to gauge knowledge gains. Adjust programs based on data: if a particular topic remains problematic, reinforce it.¹¹
  • Integrate with Technical Controls: Awareness is one layer of defense. Complement it with strong technical measures: enforce MFA (especially since only ~29–34% currently do), deploy email/messaging filters, apply timely patches, and limit privileged access. Coordinate with IT to ensure that training teaches employees how these controls protect them (e.g. explaining the need for MFA prompts).
  • Leverage External Resources: Smaller organizations with limited budgets should use free or low-cost resources. Many governments (e.g. CISA, NCSC) and industry bodies offer training materials, posters, and exercise templates. Consider consortium programs or partnerships (for instance, Australia's ACSC provides free incident response guidance). Cyber insurance providers often subsidize training as well. The goal is to make awareness an affordable priority for all.¹
  • Foster a Feedback Loop: Encourage employees to report suspicious emails and near-misses. Make it easy (dedicated "report phishing" button/email). Respond positively to reports to show the program is valued. Collect post-incident lessons (after a real phishing attempt) and share them in training to make learning concrete.
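As an added worked example (not code from the report or from any vendor it cites), the following Python script computes the program metrics that the Metrics for Effectiveness passage and the measurement recommendations above describe: per-department click and report rates, median time-to-report, a check of each group against the 5% failure / 20% reporting benchmarks, and a simple expected-incident model. The simulation records, department names, benchmark constants and the "incidents ≈ malicious emails received × click rate" model are assumptions constructed for the example.

```python
"""Phishing-simulation metrics: per-group click/report rates, time-to-report,
benchmark checks and an expected-incident model (added example, constructed data)."""
from statistics import median

# Constructed sample of one simulation campaign's results (not real data).
# Each record: (department, clicked_link, reported_email, seconds_to_report or None)
SAMPLE_RESULTS = [
    ("finance", True, False, None),
    ("finance", True, True, 40),       # clicked, then reported: still counts as a click
    ("finance", False, True, 90),
    ("finance", False, False, None),
    ("finance", False, True, 30),
    ("engineering", False, True, 15),
    ("engineering", False, True, 20),
    ("engineering", False, True, 25),
    ("engineering", False, True, 60),
    ("engineering", False, False, None),
    ("hr", True, False, None),
    ("hr", True, False, None),
    ("hr", False, False, None),
    ("hr", False, True, 120),
]

# Benchmark targets taken from the recommendations: failure rate under 5%,
# reporting rate above 20% (the thresholds are parameters, not vendor values).
MAX_CLICK_RATE = 0.05
MIN_REPORT_RATE = 0.20


def rates_by_group(results):
    """Return {department: {n, click_rate, report_rate, median_report_s}}."""
    groups = {}
    for dept, clicked, reported, secs in results:
        g = groups.setdefault(dept, {"n": 0, "clicks": 0, "reports": 0, "times": []})
        g["n"] += 1
        g["clicks"] += int(clicked)
        g["reports"] += int(reported)
        if reported and secs is not None:
            g["times"].append(secs)
    return {
        dept: {
            "n": g["n"],
            "click_rate": g["clicks"] / g["n"],
            "report_rate": g["reports"] / g["n"],
            "median_report_s": median(g["times"]) if g["times"] else None,
        }
        for dept, g in groups.items()
    }


def overall_rates(results):
    """Organization-wide click and report rate across all records."""
    n = len(results)
    return {
        "click_rate": sum(r[1] for r in results) / n,
        "report_rate": sum(r[2] for r in results) / n,
    }


def benchmark_findings(group_rates):
    """List (department, metric, value) for every group that misses a benchmark."""
    findings = []
    for dept, m in sorted(group_rates.items()):
        if m["click_rate"] > MAX_CLICK_RATE:
            findings.append((dept, "click_rate", m["click_rate"]))
        if m["report_rate"] < MIN_REPORT_RATE:
            findings.append((dept, "report_rate", m["report_rate"]))
    return findings


def expected_annual_incidents(phish_emails_per_year, click_rate):
    """Assumed model: incidents ≈ malicious emails that reach inboxes × click rate."""
    return round(phish_emails_per_year * click_rate)


def relative_reduction(before, after):
    """Fractional reduction of a rate or count, e.g. 0.84 for 0.20 -> 0.032."""
    return 1 - after / before


if __name__ == "__main__":
    by_group = rates_by_group(SAMPLE_RESULTS)
    print(f"{'department':<12} {'n':>3} {'click':>7} {'report':>7} {'median s':>9}")
    for dept, m in sorted(by_group.items()):
        med = "-" if m["median_report_s"] is None else f"{m['median_report_s']:.0f}"
        print(f"{dept:<12} {m['n']:>3} {m['click_rate']:>7.1%} {m['report_rate']:>7.1%} {med:>9}")
    print("overall:", {k: f"{v:.1%}" for k, v in overall_rates(SAMPLE_RESULTS).items()})
    for dept, metric, value in benchmark_findings(by_group):
        print(f"benchmark missed: {dept} {metric}={value:.1%}")
    # Same model applied to a hypothetical 2,000 malicious emails/year reaching inboxes.
    before, after = expected_annual_incidents(2000, 0.20), expected_annual_incidents(2000, 0.032)
    print(f"expected incidents/year: {before} -> {after} "
          f"({relative_reduction(before, after):.0%} reduction)")
```

Feeding each quarter's simulation export through `rates_by_group` and `benchmark_findings` gives the per-group trend the recommendations ask for; groups that keep appearing in the findings list are the ones whose content should be reinforced next cycle.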

By adopting these evidence-based practices – continuous, measurable training aligned with executive support and reinforced by technology – organizations can significantly improve their security posture. The data make clear that awareness is not a "nice-to-have" but a critical investment: firms with strong programs see far fewer successful attacks and are better prepared to catch threats early.

References

¹ Australian Signals Directorate (ASD) – Australian Cyber Security Centre. 2023–2024 Cyber threat trends: For businesses and organisations. (Government report, stats on cybercrime reports and losses.)

² Fortra (2024). 130 Cybersecurity Statistics: 2024 Trends & Data (TerraNova blog). (Compilation of industry surveys, covering attack vectors, budgets, frameworks, and user behaviors.)

³ Techaisle (2023). Global SMB & Midmarket Security Adoptions Trends (Blog). (SMB survey: only 32% of employees understand phishing, 15% had training.)

⁴ Verizon (2024). Data Breach Investigations Report (DBIR). (Industry-wide breach analysis; human element in 68% of breaches; phishing simulation and reporting metrics.)

⁵ Hoxhunt (2025). Phishing Trends Report. (Data from millions of simulated phishing campaigns: baseline click/report rates and improvements after training.)

⁶ CrowdStrike/CISA (2025). State of SMB Cybersecurity (via MSSP Alert). (Survey of <250-employee firms: 42% provide regular employee security training.)

⁷ Expert Insights (2023). MFA Statistics 2023. (Survey: 87% of >10k-employee firms use MFA; ~34% of SMBs do.)

⁸ KnowBe4 (2024). Phishing by Industry Benchmarking Report. (Finding: 34.3% of untrained users will fail a phishing test.)

⁹ Australian Signals Directorate (ASD). Australian Cyber Security Guide/Hotline statistics. (FY2023–24 cybercrime reports, BEC loss figures.)

¹⁰ ThoughtLab/PwC (2023). Global Cybersecurity Report. (Cited via Fortra: 118-day breach detection, CEO support statistic.)

¹¹ NIST Special Publication 800-50 (2003). Building an IT Security Awareness and Training Program. (Guidance on metrics for awareness programs.)

¹² Additional industry reports and news articles (e.g. Trend Micro, Deepwatch, Microsoft Digital Defense Report 2024, IBM/Ponemon Data Breach Study). (Where specific citations are not listed above, data drawn from these sources.)