One of the most common questions security leaders ask is: "How do we compare?" While every organization is unique, industry benchmarks provide a useful yardstick.
Industry Averages (Post-Training)
After 12 months of consistent training, here is where different industries land:
Phishing Click Rates by Industry (Year 1)
Education: 6.5%
Healthcare: 5.2%
Small Business: 4%
Finance: 3%
Technology: 2.8%
Defining "Good"
The Target Zone
Under 5% is the general target for a healthy program.
Under 2% is world-class cyber resilience.
Over 10% indicates a critical gap in awareness or policy.
Context Matters
Difficulty: A generic 'Lottery' email is easier to spot than a targeted 'Payroll' lure.
Department: HR and Sales staff open more external emails as part of their job, which naturally raises their risk profile.
Key Takeaway
"Benchmarks are helpful, but your most important comparison is against yourself. Focus on continuous improvement rather than chasing a perfect zero."
