Cybersecurity preparation in Africa called into question in recent KnowBe4 analysis
A groundbreaking report, the KnowBe4 Africa Human Risk Management Report 2025, has shed light on the alarming underestimation of human-centric cybersecurity risks in African organisations. The report underscores that despite growing cyber threats, many key industries may be overconfident about their cyber defences, overlooking the significant role human vulnerabilities play in enabling cyberattacks.
The report highlights that social engineering, including phishing, remains a primary vector for ransomware and other cyberattacks, which are rapidly increasing. KnowBe4’s research shows a 57.7% increase in ransomware payloads delivered through phishing attacks within a recent period, emphasising how attackers exploit human weaknesses rather than technical flaws alone.
This revelation underscores that human risk is often the weakest link in cybersecurity for African organisations, making them vulnerable despite investments in traditional technological defences. The report calls for a more adaptive defence strategy focused on strengthening user behaviour and human risk management, rather than relying solely on technical controls.
The report further reveals a gap between perception and practice in managing human-centric cyber risks. For instance, the rise of "shadow AI" - the unsanctioned, unregulated use of AI tools by staff - is a red flag, with many employees using generative AI without guidance or oversight because their organisations are still developing AI policies.
East Africa has the highest number of organisations with AI governance policies in place, but a lack of behavioural tracking of employees, combined with infrequent phishing simulations, prevents employees from developing the reflexes needed to detect real threats.
To strengthen the human layer, the report advocates customising training by role and risk exposure, measuring training impact with meaningful metrics, formalising and simplifying incident reporting processes, closing the AI governance gap, and contextualising strategies by region and sector.
Anna Collard, SVP Content Strategy & Evangelist Africa at KnowBe4, states that awareness is not enough; what matters is whether people know what to do when it counts. The report affirms that the human layer is not a flaw to fix, but a frontier to strengthen: as digital adoption accelerates across the continent, so must Africa’s ability to manage its most unpredictable security variable, human behaviour.
The report serves as a crucial wake-up call for African organisations to recognise and mitigate human-centric cybersecurity threats more effectively to protect their digital assets and operational resilience. Failure to address this underestimated human risk could lead to significant damages, aligning with global projections of ransomware costs reaching $275 billion annually by 2031.
- Despite heavy investments in technological defences, the report reveals that human risk is often the weakest link in cybersecurity for African organisations, making them vulnerable to cyberattacks.
- The report highlights a significant gap between perception and practice in managing human-centric cyber risks, emphasising the need for a more adaptive defence strategy that focuses on strengthening user behaviour and human risk management.
- To effectively address human-centric cybersecurity threats, the report suggests customising training by role and risk exposure, formalising and simplifying incident reporting processes, closing the AI governance gap, and contextualising strategies by region and sector.