Many businesses are overestimating their defence against cyber attacks, which creates a significant human risk blind spot. A new KnowBe4 report exposes a worrying disconnect between what leaders think about their cyber security readiness and what employees experience.
According to the KnowBe4 Africa Human Risk Management Report 2025, based on insights from cyber security decision-makers across 30 African countries, despite high awareness, a critical gap exists in turning that awareness into actual readiness and resilient behaviour.
This gap is significant because Africa has become an attractive target to cyber criminals, especially those that launch AI-powered attacks. A LexisNexis Risk Solutions study found 60% of South African organisations have seen an increase in AI-facilitated financial crime – above the 56% global average.
Kehinde Popoola, regional manager and key representative for West and East Africa at Rubrik, says digital transformation is gaining momentum in Africa and companies are more exposed to cyber risk. The Rubrik executive adds that amid an increase in threats, it is crucial that organisations adopt an assumed breach mindset.
The KnowBe4 research shows that cyber security preparedness and the actual structures required to support secure behaviour seem misaligned.
The report highlights that just 10% of cyber security leaders are fully confident that staff would report a phishing attack or other cyber threat, despite rating employee security awareness of cyber threats at four out of five or higher.
There is also a significant perception gap between decision-makers and general employees in Africa regarding security awareness training, with 68% of leaders believing that training is tailored to roles, compared to only a third of employees feeling adequately trained.
KnowBe4 asserts that many organisations only conduct annual or biannual training that is too generic to effectively change behaviour, contributing to uncertainty about its effectiveness.
According to another report, the KnowBe4 African Cybersecurity and Awareness Report 2025, which focuses on end-user based responses, only 43% of African respondents felt confident in their ability to recognise a cyber threat, and just one in three believed their security awareness training was adequately tailored to their role. This comparison suggests the development of a dangerous perception gap in many organisations.
“There’s a disconnect here – between what leaders think is happening and what employees are actually experiencing,” says Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa. “The data shows that without procedural and cultural follow-through, awareness simply doesn’t translate into readiness.”
“The continent's cyber security posture may be more confident than it is truly resilient,” Collard adds.