Human Risk in African Cybersecurity



Misconceptions about Cybersecurity
Africa’s cybersecurity landscape presents a paradox: organisations widely believe they are prepared, yet significant blind spots persist, particularly in their human layer – their employees. The KnowBe4 Africa Human Risk Management Report 2025, drawing insights from 124 senior cybersecurity decision-makers across 30 African countries, uncovers several concerns in the continent’s cyber readiness.

The Confidence Gap
The report reveals a confidence gap between how leaders perceive their employees’ cybersecurity readiness and the reality. While many decision-makers rate employee security awareness highly, their confidence that employees will reliably report incidents does not match, with only 10% expressing full confidence. This suggests that although leaders believe their workforce is aware, that awareness does not necessarily translate into real-world vigilance and action, pointing to an overestimation of employee readiness.

The Surge of Unmanaged Risk
The Bring Your Own Device (BYOD) trend is rampant, with up to 80% of employees using personal devices for work. Adding to this, 46% of organisations admit that their AI policies are still in development, leaving them susceptible to unchecked risks from unregulated AI tool usage, often referred to as shadow AI. North Africa, notably, shows the highest BYOD exposure but has low training frequency and incident reporting confidence.

Training Without Tangible Impact
Many organisations conduct security awareness training (SAT) annually or biannually. However, beyond infrequent training, the report also highlights that these programmes often lack relevance to specific roles, behavioural tracking, and accountability. While 68% claim to tailor SAT by role, a lack of role-based training is the second most-cited challenge, suggesting a discrepancy between what leadership thinks is happening and what is implemented. The manufacturing and healthcare sectors, in particular, tend to adopt a one-size-fits-all approach.

Challenges of Growth
Oddly, larger organisations (501+ employees) report less frequent training, lower confidence in reporting security issues, and greater difficulty in measuring outcomes. This suggests that as organisations expand, they may inadvertently lose their human-centered focus, leading to greater human risk.

Regional Differences
Cybersecurity resilience varies significantly across Africa. East African respondents lead in proactive AI governance, while Southern African respondents conduct the most frequent training. North Africa has the highest BYOD exposure, and Central and West Africa report the most human-related incidents. This diverse landscape underscores the necessity for personalised and relevant cyber strategies, rather than generic approaches.

Bridging the Perception-Reality Divide
A comparison with the 2024 Annual African Cybersecurity & Awareness Report, which surveyed general employees, further emphasises the gap between leaders’ perceptions and employees’ actual experiences. While half of leaders in 2025 rated employee reporting confidence at four out of five, only 43% of employees in 2024 felt fully confident in recognising a cyber threat. Similarly, despite leaders claiming tailored training, only a third of employees felt they received adequate training.

Recommendations for Enhanced Resilience

  • Tailor training to roles and risk exposure: Move beyond generic training to develop personalised, relevant, and adaptive SAT that aligns with employees’ daily responsibilities.
  • Measure meaningful metrics: Implement clear metrics to track training effectiveness, not just participation. Include culture surveys, proficiency assessments, and phishing simulation trends.
  • Formalise incident reporting structures: Employees need clear, easy-to-follow reporting paths, immediate feedback, and regular simulations to foster trust and ensure prompt action.
  • Close the AI governance gap: Develop and enforce policies to regulate AI use, transforming it from a potential threat vector into a secure asset.
  • Contextualise human risk strategy by region and sector: Develop security culture strategies that speak to the unique regulatory, cultural, and operational nuances of each African region.

The human layer is not a weakness to be fixed but rather a critical defense to strengthen. Awareness is just the beginning; Africa’s cybersecurity future depends on the actions that follow. By embracing these recommendations, African organisations can move beyond perceived awareness to build truly resilient, human-centered defenses against evolving cyber threats.




