Subscribe
About

African industries dangerously overestimating cyber defences

Christopher Tredger
By Christopher Tredger, Portals editor
Johannesburg, 04 Jul 2025
Anna Collard, SVP, content strategy and evangelist at KnowBe4 AFRICA.
Anna Collard, SVP, content strategy and evangelist at KnowBe4 AFRICA.

Many businesses are overestimating their defence against cyber attacks, which creates a significant human risk blind spot. A new KnowBe4 report exposes a worrying disconnect between what leaders think about their cyber security readiness and what employees experience.

According to the KnowBe4 Africa Human Risk Management Report 2025, based on insights from cyber security decision-makers across 30 African countries, despite high awareness, a critical gap exists in turning that awareness into actual readiness and resilient behaviour.

Key findings from the KnowBe4 Africa Human Risk Management Report 2025:

  • Confidence vs awareness: While cyber security awareness is high, leaders express uncertainty about their workforce's ability to act on that awareness. Many feel employees may overestimate their capabilities in recognising, reporting and mitigating threats.
  • The need for adaptive and personalised security awareness training: Many companies fail to personalise security awareness training to specific roles or risk exposures.
  • Widespread BYOD usage: A large percentage of employees (between 41% and 80%) use their personal devices for work.
  • AI policy development is lagging: Many companies (46%) are still in the process of developing policies for using AI tools in the workplace.
  • Regional variation: Southern Africa trains more, East Africa governs AI better and West/Central Africa sees the most human-related security incidents.

This gap is significant because Africa has become an attractive target to cyber criminals, especially those that launch AI-powered attacks. A LexisNexis Risk Solutions study found 60% of South African organisations have seen an increase in AI-facilitated financial crime – above the 56% global average.

Kehinde Popoola, regional manager and key representative for West and East Africa at Rubrik, said digital transformation is gaining momentum in Africa and companies are more exposed to cyber risk. The Rubrik executive adds that amid an increase in threats, it is crucial that organisations adopt an assumed breach mindset.

The KnowBe4 research shows that cyber security preparedness and the actual structures required to support secure behaviour seem misaligned.

The report highlights that just 10% of cyber security leaders are fully confident that staff would report a phishing attack or other cyber threat, despite rating employee security awareness of cyber threats at four out of five or higher.

There is also a significant perception gap between decision-makers and general employees in Africa regarding security awareness training, with 68% of leaders believing that training is tailored to roles, compared to only a third of employees feeling adequately trained.

KnowBe4 asserts that many organisations only conduct annual or biannual training that is too generic to effectively change behaviour, contributing to uncertainty about its effectiveness.

According to another report, the KnowBe4 African Cybersecurity and Awareness Report 2025, which focuses on end-user based responses, only 43% of African respondents felt confident in their ability to recognise a cyber threat, and just one in three believed their security awareness training was adequately tailored to their role. This comparison suggests the development of a dangerous perception gap in many organisations.

“There’s a disconnect here – between what leaders think is happening and what employees are actually experiencing,” says Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa. “The data shows that without procedural and cultural follow-through, awareness simply doesn’t translate into readiness.”

“The continent's cyber security posture may be more confident than it is truly resilient,” Collard adds.

Share