40 Security Awareness Statistics MSPs Can’t Ignore in 2026

Figure: three headline statistics from the article: identity attacks up 156%, risk reduced by up to 72% with ongoing training, and 51% of employees lacking phishing training.

Key takeaways

  • Phishing remains the leading attack vector: 51% of employees lack phishing training, and new hires are significantly more likely to click malicious links, especially under pressure or within their first 90 days.
  • Security awareness gaps are widespread: 67% of decision-makers report employees lack basic security awareness, while 18% have never received training, and only 7.5% of organizations use adaptive training programs.
  • Identity-based attacks are rapidly increasing: Identity attacks rose 156%, with 90% of breaches linked to phishing or credential stuffing and 60% of incident response cases involving identity-related threats.
  • Insider threats are costly and growing: Insider incidents cost $17.4 million annually, with 55% caused by negligence and 25% by malicious insiders, alongside increasing risks in hybrid work environments.

“Oops, I clicked on that link.”

Heard that expression before? Hopefully not that often, if at all, but the statistics suggest otherwise.

Phishing remains the most common entry point for attackers, who continue to target employees rather than infrastructure. For a busy HR or finance director, checking the email headers or verifying the sender domain is not second nature, but that single missed check can cost the organization millions in a breach.
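What "check the email header or verify the sender domain" looks like when automated, as an added example that is not part of the original article or of Guardz's product: the script below parses a raw message and flags a trusted-looking address embedded in the display name, a lookalike sender domain, a Reply-To that redirects replies elsewhere, and SPF/DKIM/DMARC results other than pass. The two sample messages, the trusted-domain list and the edit-distance cut-off are constructed assumptions; in practice the Authentication-Results header is whatever your inbound mail gateway stamps on the message.

```python
"""Sender-verification checks for a raw email message.

Added example, not the article's or Guardz's code. The sample messages,
TRUSTED_DOMAINS and the edit-distance cut-off below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains the organisation treats as its own or as known partners.
TRUSTED_DOMAINS = {"example.com", "payroll-vendor.com"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(header: str) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts from an Authentication-Results header value."""
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def check_sender(raw: str) -> list:
    """Return human-readable findings for a raw RFC 5322 message; [] means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Display-name spoofing: an address in the display name that differs from the real one.
    name_addr = parseaddr(name)[1] if "@" in name else ""
    if name_addr and _domain(name_addr) != from_dom:
        findings.append(f"display name shows {name_addr} but message is from {addr}")

    # 2. Lookalike domain: within two edits of a trusted domain but not equal to it.
    for trusted in sorted(TRUSTED_DOMAINS):
        if from_dom != trusted and 0 < _edit_distance(from_dom, trusted) <= 2:
            findings.append(f"sender domain {from_dom} resembles trusted domain {trusted}")

    # 3. Reply-To redirect: replies would leave the sender's domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Authentication results: anything other than pass for SPF, DKIM or DMARC.
    for mech, result in auth_results(msg.get("Authentication-Results", "") or "").items():
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return findings


# Constructed sample: CEO impersonation aimed at a new hire.
SAMPLE_PHISH = """\
From: "Jane Doe <jane.doe@example.com>" <jane.doe@examp1e.com>
Reply-To: jane.doe@outlook-mail.net
To: newhire@example.com
Subject: Urgent wire before 5pm
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail

Need this handled quietly today.
"""

# Constructed sample: a legitimate internal message that should produce no findings.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: newhire@example.com
Subject: Welcome aboard
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

See you at the 10am onboarding session.
"""

if __name__ == "__main__":
    for finding in check_sender(SAMPLE_PHISH):
        print("WARN:", finding)
```

The four checks map directly onto what a phishing simulation trains people to notice by eye; the point of scripting them at the gateway or in a reporting add-in is that a distracted finance director under deadline does not have to.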

But phishing is only one part of the problem. 

AI has made social engineering and business email compromise (BEC) attacks far more convincing and harder to detect. Without proper security awareness training, such as routine phishing simulations and practical guidance on credential hygiene (unique passwords and MFA rather than forced periodic rotation, which NIST SP 800-63B no longer recommends), employees are far more likely to fall for these attacks.

In honor of Cybersecurity Awareness Month, here are 40 employee security awareness statistics every MSP should read twice, because one wrong click could end in a massive breach for a client.

Security Training Awareness 

  • Only 7.5% of organizations report having adaptive training programs based on regular security awareness test results. Hornetsecurity 
  • Nearly a fifth (18%) of employees have never received cybersecurity training. TechRadar
  • 67% of decision makers say employees lack basic security awareness. Fortinet’s 2024 Security Awareness and Training
  • 49% of US senior tech leaders rely on employee quiz results to measure training effectiveness. Infrascale
  • 39.3% of employees reported that the IT security awareness training provided by their organizations is not up-to-date, particularly concerning the capabilities needed to combat AI-powered cyberattacks. Hornetsecurity 
  • 45% of IT leaders recommend ongoing security training to strengthen employee password practices and overall awareness. Businesswire
  • 31% of organizations reported that human resource constraints kept them from rolling out security awareness and training programs. Fortinet’s 2024 Security Awareness and Training
  • 41% of US senior technology leaders say IT provides occasional input in developing or selecting security training material. Infrascale
  • 62% of organizations expect employees to be targeted by more cyberattacks in the future due to the malicious use of AI by threat actors. Fortinet 
  • 37% of security professionals cite insufficient employee training and awareness as the largest perceived driver of insider threat activity. StationX
  • Only 10% of employees are responsible for nearly three-quarters (73%) of all risky behavior. Living Security 
  • 34% of decision-makers believe that dedicating 1.1 to 2 hours is a sufficient amount of time for employees to spend on security awareness and training. Fortinet’s 2024 Security Awareness and Training

Phishing: The #1 Threat Vector for Employees

  • 51% of employees have not received any training on how to avoid phishing scams. TechRadar
  • Over half of IT professionals (52.3%) said that users tend to ignore or delete identified email threats without properly reporting them. Hornetsecurity 
  • 71% of new hires are more likely to click on phishing links within their first 90 days of employment. Help Net Security
  • New hires were 45% more likely than experienced staff to click on phishing emails that impersonated the CEO. Help Net Security
  • Employees under tight deadlines are three times more likely to click phishing emails. Keepnet Labs
  • 53% of US senior tech leaders say employees are the least prepared to handle phishing threats. Infrascale

Identity: The New Risky Perimeter 

  • Identity-driven attacks have increased by a staggering 156% between 2024 and Q1 2025. Infosecurity Magazine
  • Identity-based attacks accounted for 60% of all Incident Response (IR) cases. Cisco
  • 68% of IT managers say employee motivation is the biggest challenge in remediating at-risk credentials. Businesswire
  • Over a third (36%) of employees using personal devices for work admitted to postponing security updates. Forbes
  • Phishing attempts account for almost two-thirds of identity-related incidents. The State of Identity Security for 2024
  • 28% of IT leaders cited compromised credentials as the leading cause of insider threats. Rubrik Zero Labs
  • Compromised privileged identities accounted for 33% of security incidents in 2024. The State of Identity Security for 2024
  • 90% of identity breaches are caused by phishing or credential stuffing. Rubrik Zero Labs
  • 20% of identity compromises are attributed to cloud applications and APIs. Cisco
  • 21% of employees intentionally accessed data through unauthorized devices. Kaspersky

The Rise of Insider Threats

  • 55% of incidents originate from negligent or mistaken insiders, costing organizations $8.8M annually. DataPatrol
  • There has been a 28% average increase in the number of insider-driven events since 2021. Mimecast
  • 91% of information security leaders believe employees are likely to exfiltrate corporate data by accessing cloud systems. Cybercrime Magazine
  • 70% of cybersecurity professionals are concerned about insider risks in hybrid work environments. 2024 Insider Threat Report

Why Invest in Employee Security Training

  • Studies show that ongoing security awareness training can reduce the risk of employee-driven cyber incidents by up to 72%. Secnap
  • Organizations that implement a security awareness program see a significant drop in phishing susceptibility. 90 days of training can reduce risk by over 40%. KnowBe4
  • 89% of security leaders report improvements to their organization’s security posture after implementing security awareness and training. Fortinet

  • Effective security awareness training reduces the likelihood of a breach by 65%. KnowBe4

Secure Your Employees with Guardz 

“I wish I had invested more time in employee security awareness training.”

You don’t want to be the one regretting those words. With Guardz security awareness training, you won’t have to. Guardz helps you plan, launch, and track automated training campaigns that keep employees informed and vigilant against evolving cyber threats. 

Customize training templates and set measurable goals to address risky behaviors such as clicking on phishing emails or reusing passwords. Measure employee security awareness monthly, bi-monthly, quarterly, or annually.

Build a culture of security awareness with Guardz. 

Schedule a demo today to learn more.

Frequently Asked Questions

Most employees still lack practical, scenario-based training and fail to recognize sophisticated, context-aware phishing attempts.

  • Run continuous phishing simulations tailored to roles like finance, HR, and executives
  • Focus training on high-risk moments (new hires, deadlines, onboarding periods)
  • Track reporting behavior, not just clicks, to reinforce a security culture
  • Use adaptive training that evolves based on individual user risk scores

Find out why you need cybersecurity awareness training for employees.

Training only works when it is continuous, measurable, and personalized to user behavior rather than static compliance exercises.

  • Implement adaptive learning paths based on phishing test results and risk levels
  • Limit sessions to short, frequent modules to improve retention and engagement
  • Tie training outcomes to metrics like reduced click rates and faster reporting
  • Reinforce learning with real-time feedback after simulated or real incidents

Attackers increasingly target credentials and identities because they provide direct access without needing to exploit infrastructure vulnerabilities.

  • Enforce multi-factor authentication (MFA) across all critical systems
  • Monitor for anomalous login behavior, impossible travel, and privilege escalation
  • Regularly audit and rotate credentials, especially for privileged accounts
  • Secure cloud apps and APIs where identity misuse often goes undetected
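The "impossible travel" check from the list above, worked through as an added example (not the article's or Guardz's detection logic): consecutive sign-ins by the same user are compared, the great-circle distance between their locations is divided by the time between them, and an alert is raised when the implied speed exceeds what a person could plausibly travel. The sign-in records, the coordinates, the 900 km/h ceiling and the 50 km jitter floor are constructed assumptions; in production the coordinates come from a GeoIP lookup on the source IP of each sign-in.

```python
"""Impossible-travel detection over sign-in events.

Added example, not the article's or any product's code. SAMPLE_EVENTS,
the coordinates, MAX_PLAUSIBLE_KMH and the 50 km floor are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner speed


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float
    country: str


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Yield (previous, current, implied_kmh) for consecutive sign-ins by one user
    whose implied speed exceeds max_kmh. Events may arrive out of order."""
    last = {}
    for e in sorted(events, key=lambda ev: (ev.user, ev.ts)):
        prev = last.get(e.user)
        last[e.user] = e
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
        if km < 50:  # same metro area or GeoIP jitter: never alert on this
            continue
        hours = (e.ts - prev.ts).total_seconds() / 3600.0
        # Real distance with no elapsed time is the strongest possible signal.
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            yield prev, e, kmh


def _t(s: str) -> datetime:
    """Constructed timestamps are all UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sign-in log: a finance user whose password was phished and replayed from Berlin.
SAMPLE_EVENTS = [
    SignIn("finance.lead", _t("2025-10-06T08:02:00"), "203.0.113.10", 40.7128, -74.0060, "US"),  # New York
    SignIn("finance.lead", _t("2025-10-06T08:41:00"), "198.51.100.7", 52.5200, 13.4050, "DE"),   # Berlin, 39 minutes later
    SignIn("finance.lead", _t("2025-10-06T17:30:00"), "203.0.113.10", 40.7128, -74.0060, "US"),  # back in New York
    SignIn("hr.admin", _t("2025-10-06T09:00:00"), "192.0.2.44", 51.5074, -0.1278, "GB"),         # London
    SignIn("hr.admin", _t("2025-10-07T09:05:00"), "192.0.2.45", 48.8566, 2.3522, "FR"),          # Paris, a day later
]


def alerts(events=SAMPLE_EVENTS):
    """Alerts as (user, from_country, to_country, implied_kmh) tuples."""
    return [(p.user, p.country, c.country, round(kmh)) for p, c, kmh in impossible_travel(events)]


if __name__ == "__main__":
    for user, src, dst, kmh in alerts():
        print(f"ALERT impossible travel: {user} {src}->{dst} implies {kmh} km/h")
```

Only the New York to Berlin hop fires: roughly 6,400 km in 39 minutes is close to 10,000 km/h. The return to New York nine hours later works out to about 720 km/h, which is an ordinary flight, and London to Paris a day apart is a walk. Tune the ceiling and the jitter floor to your clients' VPN and GeoIP behaviour before turning this into a paging alert, and pair it with MFA enforcement so that a hit is a contained credential-theft rather than a completed account takeover.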

Discover how attackers aren’t breaking in anymore; they are logging in.

Distributed work increases data exposure and weakens control over devices, making both negligent and malicious insider activity harder to detect.

  • Restrict access using least-privilege principles and role-based controls
  • Monitor file access patterns to detect unusual data movement or exfiltration
  • Enforce device compliance checks for remote and BYOD users
  • Educate employees on data handling risks in cloud and collaboration tools

Guardz automates security awareness training with measurable, behavior-driven insights that help MSPs reduce human risk across clients.

  • Launch automated phishing simulations and track user susceptibility over time
  • Customize training campaigns based on real user behavior and risk exposure
  • Measure effectiveness with actionable metrics MSPs can report to clients
  • Continuously reinforce awareness with ongoing, adaptive training programs

Explore Guardz security awareness capabilities.

Guardz correlates identity, email, and user behavior signals to detect and respond to human-centric attacks early in the kill chain.

  • Identify compromised credentials and suspicious login patterns in real time
  • Detect phishing-driven account takeovers across email and cloud platforms
  • Automate remediation actions to contain threats before escalation
  • Provide unified visibility across users, devices, and identities for faster response

Learn how Guardz strengthens threat detection and response.
