A critical gap is emerging in African cybersecurity: the disconnect between what leaders believe about employee readiness and what employees actually experience.
A glimpse into this mismatch is revealed in the KnowBe4 Africa Human Risk Management Report 2025. The results unveil that many leaders are overestimating their employees’ preparedness, and underestimating the gaps in trust, training, and action.
As organisations strengthen defences and invest in security awareness training, this overlooked divide poses a growing risk.
“It’s not just that awareness alone isn’t enough – it’s that the level of employee’s awareness is being misunderstood by the organisational leaders responsible for it,” says Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa.
The perception gap is growing, but measurable
While 50% of decision-makers in 2025 rate employee cyber threat-reporting confidence at 4 out of 5, in 2024, only 43% of employees said that they felt confident recognising a threat, while one-third disagreed that their training was sufficient.
More than two-thirds of decision-makers (68%) believe that SAT within their organisations is tailored by role. However, only 33% of employees in 2024 felt that to be true – with 16% actively disagreeing.
The implications are serious, because a workforce that appears trained and aware on paper may in fact be uncertain, unsupported, and vulnerable.
“This discrepancy between perception and experience is exactly where human risk thrives,” says Collard. “If leaders don’t correct course, they’re building security strategies on false confidence.”
Why measuring awareness is no longer enough
One of the most frequently cited challenges in the report is deceptively simple: measuring if SAT works. More than four in ten respondents said that they struggle to track whether their security awareness programmes translate into safer behaviours.
A key contributing factor, identified in the report, is that many organisations still rely on one-size-fits-all SAT, often delivered only annually or biannually, without role-specific customisation or behavioural feedback loops.
While the report finds that 68% of organisations offer role-based training, this claim is undermined by the fact that a lack of role alignment remains one of the top challenges. The discrepancy is clearest in sectors like manufacturing and healthcare, where generic SAT is most common.
Larger organisations are consistently less confident in employee readiness, train less frequently, and struggle more to measure outcomes.
“Awareness without action is like an alarm that no one responds to,” says Collard. “Organisations are investing in security awareness training, but without the structure, tailoring, and follow-through to translate that into secure behaviour.”
Beyond BYOD: The new blind spot is AI
One of the most urgent themes to emerge is the rapid rise of “shadow AI” use. With nearly half of all organisations still busy developing formal AI policies, yet up to 80% of employees using personal devices for work, the risk of unmonitored, unsanctioned AI usage is rising fast.
“Technology has moved faster than policy,” says Collard. “And unless AI tools are properly governed, they become as much a risk vector as they are an asset.”
East Africa is leading the way with more proactive AI governance, while Southern Africa, despite topping training frequency, lags behind on AI policy implementation.
This lack of oversight is echoed in the South African Generative AI Roadmap 2025, a recent report by World Wide Worx in partnership with Dell Technologies and Intel. It found that 67% of large South African enterprises are already using generative AI (GenAI), yet fewer than one in seven have a comprehensive strategy to manage its use. Even more concerning, 59% either have no governance in place or are still in the planning stages.
While the GenAI boom reflects technological ambition, it also highlights a growing human risk. The report reveals that only 13% of organisations have implemented safety, privacy, and bias safeguards – meaning most employees may be engaging with powerful tools without clear guidance or accountability. Untrained or unauthorised AI use doesn’t just threaten productivity – it introduces new cyber risks.
The road ahead: Action, alongside awareness
The KnowBe4 Africa Human Risk Management Report 2025 outlines five imperatives for African organisations:
- Customise SAT by role and risk exposure.
- Track what matters – not just participation, but behavioural outcomes.
- Formalise reporting structures employees trust and understand.
- Close the AI policy gap before misuse becomes systemic.
- Contextualise strategies based on region and sector – because resilience is not one-size-fits-all.
“The human element is often spoken about, but rarely measured in ways that lead to action that acknowledges context,” says Collard. “Our goal is to help organisations stop guessing and start structuring their defences around real, contextual insights.
“This is a moment to move from compliance-driven box-ticking to culture-driven resilience. We have the data. Now we need the will.
* Download the ‘KnowBe4 Africa Human Risk Management Report 2025’ report here.