A new report by KnowBe4, in partnership with Red Ribbon Insights, has exposed a critical gap in Africa’s cybersecurity defences. While organisations believe they are prepared, many remain dangerously vulnerable to human-centric cyber risks. The report revealed that Southern African countries conduct the most frequent training (44% quarterly) but have the weakest AI oversight (56% lack AI policies).
The Africa Human Risk Management Report 2025, which surveyed 124 senior cybersecurity decision-makers across 30 African countries, highlights a troubling disconnect between perceived readiness and actual preparedness. Despite increased digital awareness and training investments, only 10% of leaders trust their employees to reliably report a suspicious email, even as most rate their cybersecurity awareness at 4 out of 5.
By Gamuchirai Mapako
Anna Collard, SVP Content Strategy and Evangelist Africa at KnowBe4, warns that awareness alone is insufficient.
“The findings confirm what many of us in the industry have long suspected: organisations are doing the right things in principle, but in practice, they’re not going far enough. We need a mindset shift. Awareness is not enough. What matters is whether people know what to do when it counts,” she said.
This overconfidence is particularly alarming given Africa’s evolving threat landscape, where human error remains a leading cause of breaches.
The report also reveals stark regional differences. North Africa leads in BYOD (Bring Your Own Device) exposure, with 80% of employees using personal devices, but it lags in training and incident reporting.
East Africa emerges as the leader, with 50% of organisations having AI governance policies, the highest on the continent. Central and West Africa report the highest human-related incidents (75%), with most breaches traced to employee behaviour.
While Security Awareness Training (SAT) is widely implemented, 41% of organisations struggle to measure its effectiveness. Many rely on generic programs, especially in high-risk sectors like healthcare and manufacturing.
According to the report, only 7% conduct monthly phishing simulations, leaving employees unprepared for real-world threats.
A growing concern is shadow AI: employees using unsanctioned AI tools without oversight. With 46% of organisations still developing AI policies, this creates unchecked vulnerabilities.
The report also highlights weak incident reporting structures, with many employees unsure of how or when to report threats.
It is therefore important to conduct role-specific training tailored to risk exposure, introduce simplified, formalised reporting processes, strengthen AI governance policies and adopt region- and sector-specific strategies.
“The human layer is not a flaw to fix, but a frontier to strengthen,” the report concludes.
Organisations must move beyond awareness and into action to secure their most unpredictable risk factor: people.