
African firms overestimate cyber defences as human risk gap widens

  • Nhlanhla Muthe
  • Aug 18

From weak training to unregulated AI use, a new KnowBe4 study finds African organisations are mistaking awareness for true resilience. Experts say companies must urgently bridge the gap between perception and reality before costly breaches strike.


By Nhlanhla Muthe

Anna Collard, KnowBe4 Africa’s SVP of Content Strategy & Evangelist, has warned that awareness without cultural and procedural follow-through doesn’t translate into readiness

African organisations are facing a silent cybersecurity crisis: while leaders believe their teams are well-prepared, employees report a very different reality. A new KnowBe4 study warns that this perception gap could leave businesses across the continent dangerously exposed to costly breaches.


The KnowBe4 Africa Human Risk Management Report 2025 shows that while cybersecurity awareness is considered high across industries, confidence in employees’ ability to act on threats remains alarmingly low. The survey, covering decision-makers in 30 African countries, found that only 10% of leaders are fully confident staff would report a phishing attempt, despite most rating employee cyber awareness at four out of five or higher.


Anna Collard, Senior Vice President of Content Strategy & Evangelist at KnowBe4 Africa, has warned that there’s a disconnect between what leaders think is happening and what employees are actually experiencing.


“The data shows that without procedural and cultural follow-through, awareness simply doesn’t translate into readiness,” said Collard.


The report highlights how many organisations still rely on generic, once-a-year training sessions, leaving employees uncertain and underprepared. While 68% of leaders believe training is tailored to staff roles, just a third of employees agree. This gap is even starker in sectors like manufacturing and healthcare, where half of organisations admit to offering no role-specific training at all.


Africa’s fast adoption of bring your own device (BYOD) policies also heightens the risks. Between 41% and 80% of employees are using personal devices for work, often without robust security protection. Meanwhile, nearly half of organisations are still drafting workplace AI usage policies, creating fresh vulnerabilities.


“This report reveals a critical paradox in African cybersecurity: while organisations feel aware and prepared, significant blind spots remain, especially concerning how they manage human risk. The continent’s cybersecurity posture may be more confident than it is truly resilient,” added Collard.


KnowBe4’s report urges organisations to bridge the perception gap with personalised training, clear AI governance, and stronger reporting mechanisms. With human error still the biggest entry point for cyberattacks, experts warn African businesses can no longer afford to confuse awareness with readiness.
