Businesses in Africa may be far less secure than they believe, as a wide divide between perceived and actual cybersecurity readiness leaves them exposed. A new continent-wide survey of cybersecurity decision-makers shows that while most organisations rate employee awareness of cyber risks highly, only 10% of leaders are completely confident staff would report a phishing attempt or suspicious activity.
The KnowBe4 Africa Human Risk Management Report 2025, which gathered responses from 124 senior cybersecurity leaders across 30 African countries, reveals a dangerous disconnect between perception and reality.
Leaders often say their workforce understands cyber risks, scoring awareness at an average of four out of five, yet the systems needed to translate that awareness into effective action remain weak.
One of the starkest findings is around training. Although 68% of decision-makers insist security awareness training is tailored to job roles, the second most-cited challenge in the report is the lack of role-based alignment.
In practice, many employees are still receiving generic, one-size-fits-all programmes, often delivered annually or biannually. Manufacturing and healthcare organisations were singled out, with 50% and 40% respectively admitting no role-specific tailoring at all.
Phishing simulations, widely recognised as a critical tool, are also underutilised. While 90% of organisations conduct them, only 7% do so monthly, and the largest share (40%) runs them just twice a year.
The report warns that this “low frequency poses a critical challenge” because rare exposure makes it harder for employees to develop instinctive responses to real threats.
Technology adoption is another fault line. Between 41% and 80% of employees across the continent use personal devices for work, yet many of these devices lack proper security controls.
This Bring Your Own Device (BYOD) trend, particularly high in North Africa where 61%–80% of workers use personal phones or laptops for office tasks, remains largely unmanaged.
Compounding this is the rising risk of “shadow AI”. Nearly half of organisations (46%) admitted their AI governance policies are still “in development”, leaving staff free to use AI tools in potentially unsafe ways.
The report also reveals sharp regional contrasts. Southern Africa leads in training frequency, with 44% of organisations conducting sessions quarterly. East Africa is ahead in AI governance, with 50% of organisations already having formal policies in place.
In contrast, West and Central Africa report the highest number of human-related security incidents, while North Africa combines the highest BYOD exposure with the lowest training frequency.
Anna Collard, SVP of content strategy & evangelist at KnowBe4 Africa, summed up the problem bluntly: “There’s a disconnect here – between what leaders think is happening, and what employees are actually experiencing. The data shows that without procedural and cultural follow-through, awareness simply doesn’t translate into readiness.”
For businesses in Africa, awareness alone is no longer enough to close this cybersecurity divide. The report calls for customised, role-based training, stronger incident reporting systems, clear AI governance, and region-specific strategies. Without these, Africa’s growing confidence in its cyber defences risks masking dangerous blind spots.