Africa’s Cybersecurity Readiness Questioned in New KnowBe4 Report

KnowBe4  has released its Africa Human Risk Management Report 2025 , shedding urgent light on one of the continent’s most underestimated cybersecurity threats: its people. Despite increased digital awareness and investment in training, the report reveals that many African organisations remain dangerously overconfident—and structurally underprepared—in their ability to manage human-centric cyber risks.

The report, conducted in partnership with Red Ribbon Insights, captures insights from 124 senior cybersecurity decision-makers across 30 African countries. It identifies a widening gap between perception and practice—a chasm that could undermine Africa’s digital progress if left unaddressed.

Confidence Without Capacity

A majority of organisations rate their cybersecurity awareness levels at 4 out of 5. However, only 10% of leaders believe their employees would reliably report a suspicious email. This paradox underscores what KnowBe4 calls “the confidence gap.”

“If awareness is the foundation of cybersecurity, then action is its real-world expression,” the report states. “But this survey shows that confidence in the workforce’s ability to respond appropriately—to recognise, report, and mitigate threats—is often overestimated.”

Africa’s Risk Landscape: Uneven and Evolving

The report reveals striking regional contrasts across Africa’s cybersecurity terrain:

• North Africa leads in BYOD exposure, with up to 80% of employees using personal devices for work, yet lags in training frequency and incident reporting.

• East Africa emerges as a relative leader, with 50% of organisations having AI governance policies in place—the highest on the continent.

• Southern Africa trains most frequently (44% conduct quarterly training) but has the weakest AI oversight, with over 56% reporting no AI policies.

• Central and West Africa report the highest rate of human-related incidents, with up to 75% of security incidents traced to employee behaviour.

This diversity in risk exposure underscores the need for locally responsive strategies. As the report notes, “Resilience isn’t one-size-fits-all—and strategies shouldn’t be either.”

The Training Illusion

Despite widespread implementation of security awareness training (SAT), over 41% of organisations struggle to measure its effectiveness. Role-based alignment remains largely aspirational—while 68% of respondents claim to customise training by job function, many admit the reality often falls short.

The situation is especially dire in sectors like manufacturing and healthcare, where over 40% report using generic training programs that fail to address specific risks.

KnowBe4 warns that this lack of behavioural tracking, combined with infrequent phishing simulations (only 7% conduct them monthly), prevents employees from developing the reflexes needed to detect real threats.

Structural Blind Spots: Shadow AI and Reporting Failures

The rise of “shadow AI”—unsanctioned, unregulated use of AI tools by staff—is another red flag. With 46% of organisations still developing their AI policies, many employees are left using generative AI without guidance or oversight.

The report also highlights a glaring lack of formal incident reporting procedures. “Employees may be aware of the importance of reporting, but the absence of clear, enforced processes leaves room for inconsistency and inaction,” it warns.

This disconnect between awareness and readiness is compounded by differing perceptions between executives and frontline workers. While 50% of leaders believe their staff are prepared, only 43% of employees say they feel confident identifying a threat, according to a comparative survey conducted last year.

“The findings confirm what many of us in the industry have long suspected—organisations are doing the right things in principle, but in practice, they’re not going far enough. We need a mindset shift. Awareness is not enough. What matters is whether people know what to do when it counts.”

–Anna Collard, SVP Content Strategy & Evangelist Africa, KnowBe4. 

The Path Forward: From Awareness to Action

The report concludes with five key recommendations for African organisations:

1. Customise training by role and risk exposure

2. Measure training impact with meaningful metrics

3. Formalise and simplify incident reporting processes

4. Close the AI governance gap

5. Contextualise strategies by region and sector

“The human layer is not a flaw to fix, but a frontier to strengthen,” the report affirms. As digital adoption accelerates across the continent, so must Africa’s ability to manage its most unpredictable security variable: human behaviour.