HR targeted as cyber attackers prey on employee instinct; highlights importance of cyber skilling for HR teams

The most successful phishing tactic of 2025 is a simple e-mail disguised as an internal message from HR or IT. This is according to KnowBe4’s Q2 2025 Phishing Report, which claims 98.4% of the most clicked phishing simulations were disguised this way.

Cyber security training is so important for CHROs and HR professionals because HR holds the personal and financial details of employees.

If they are unaware of security risks, HR teams themselves may become an easy entry point for cyberattacks. Equipping HR with the relevant skills to protect sensitive employee data and to identify threats is therefore crucial in today's digitized world.

When HR professionals are well informed and trained in cyber security, they can play an important role in enhancing the overall security posture of an organization: helping it avoid compliance breaches, building trust with employees and stakeholders, and ensuring sensitive information is protected.

KnowBe4 says HR has emerged as the top lure in SA and globally, with topics like performance reviews and policy updates accounting for 42.5% of all successful phishing clicks.

Another report by the company, KnowBe4’s Africa Human Risk Management Report, found that while leaders rate security awareness highly (typically 4/5), only 10% are fully confident their teams would actually report a suspicious e-mail.

This highlights a dangerous disconnect between perceived awareness and real-world readiness, according to KnowBe4.

Anna Collard, SVP content strategy and CISO advisor at KnowBe4, said: “Attackers understand that employees are conditioned to respond quickly to internal requests. The psychological sophistication behind these attacks demonstrates why human risk management must be central to cyber security strategy.”

According to Forrester, human risk management (HRM) adoption has shifted from “innovative organisations” and is now fast approaching the early majority. The trend indicates that while mass adoption has not yet been reached, the practice is gaining significant traction, with most organisations expected to adopt HRM platforms and methodologies by late 2026.

Collard added: “South Africa’s cyber industry is quite tight and well-connected, and when something makes sense then it spreads quickly. For that reason, I believe SA is catching up fast in HRM adoption, with growing recognition that these systems can strengthen culture and efficiency.

“The key is balancing innovation with compliance, ensuring POPIA readiness, seamless integration with legacy systems and a people-first approach so employees trust and embrace the change.”

Bigger security blind spots

KnowBe4’s 2025 Africa Human Risk Management Report reveals that as organisations scale, their human-centric security governance appears to weaken, creating significant business risk.

The company’s research shows leaders at large organisations (501+ employees) report lower confidence in their employees’ ability to respond to incidents compared to smaller companies.

It also reveals that the attribution of incidents to human error varies massively across Africa, ranging from a median of 11%-25% in southern Africa to 51%-75% in West and Central Africa.

A one-size-fits-all approach to risk is failing, the company added.

According to KnowBe4, the top challenge for leaders is the difficulty in measuring if security training actually works. This problem intensifies at scale, leaving large enterprises investing in training without knowing if it’s effective.

 

 

(Courtesy: www.itweb.co.za)
