By Our Reporter
Cybersecurity across Africa has made impressive strides in recent years. Organizations are investing heavily in firewalls, threat detection tools, and cloud-based defenses, while also rolling out employee awareness programs to strengthen their first line of defense. Yet despite this progress, a stubborn blind spot remains: the human factor.
The latest KnowBe4 Africa Human Risk Management Report 2025 makes it clear that the biggest vulnerability isn’t hostile hackers sitting in faraway countries—it’s the gap between what business leaders believe their employees know about cybersecurity and what those employees can actually do in practice.
The report highlights a striking perception divide. While half of decision-makers surveyed rated their employees’ confidence in reporting cyber incidents at 4 out of 5, only 43 percent of employees themselves said they actually felt capable of spotting and reporting threats such as phishing emails, social engineering attacks, or malware. A third of staff admitted their training was insufficient, and even more troubling, many organizations mistakenly think they are doing enough. For example, 68 percent of executives insist their security awareness training (SAT) is tailored by role, yet just 33 percent of employees agree, with 16 percent directly contradicting the claim.
This mismatch, according to Anna Collard, Senior Vice President of Content Strategy and Evangelist at KnowBe4 Africa, is exactly where the danger lies. “If leaders don’t correct course, they’re building security strategies on false confidence,” she warned. In other words, organizations risk placing blind faith in systems and strategies that, in reality, don’t work on the ground.
The problem is compounded by a widespread culture of “tick-box” compliance. Many companies still rely on annual phishing tests, one-size-fits-all online modules, and generic awareness pamphlets. Yet few take the extra step of asking whether these programs genuinely change employee behavior. In fact, more than 40 percent of organizations admit they cannot measure whether their training translates into real-world readiness.
The risks of this oversight are not hypothetical. Kenya alone recorded more than 840 million cyber-attack attempts in just three months this year, according to the Communications Authority of Kenya, underscoring how relentless and adaptive cyber threats have become. From ransomware campaigns to supply-chain attacks, criminals are finding ways to bypass technical barriers—and when they do, it often comes down to whether an unsuspecting employee clicks the wrong link.
Adding to the challenge is the rise of artificial intelligence (AI) in the workplace. While AI promises efficiency and innovation, it is also opening fresh vulnerabilities. Nearly half of African organizations are still drafting formal AI usage policies, yet as many as 80 percent of employees admit to using personal devices and unregulated “shadow AI” tools to handle work tasks. This exposes companies to unmonitored data leaks, unverified code, and compliance risks. East Africa has been more proactive in regulating AI adoption, but governance across the continent remains patchy.
Larger organizations, surprisingly, are often the least confident about their staff’s cybersecurity readiness. The scale of operations makes it difficult to monitor individual behavior, and while resources are plentiful, oversight is often diluted. Small and medium-sized enterprises, on the other hand, while less equipped technologically, sometimes benefit from closer management of employees and tighter-knit teams.
The solution, experts argue, lies not in “more training” but in smarter, context-driven training. Generic modules won’t cut it in a landscape where risks vary widely by role. A finance officer processing millions of shillings in transactions faces different threats than a marketing associate managing social media accounts, yet both are often subjected to identical training.
Instead, organizations need tailored simulations that reflect real job-specific risks, ongoing feedback loops that reinforce lessons, and clear, trusted channels for reporting suspicious activity without fear of blame. Cybersecurity must also move from being an IT-only responsibility to a whole-organization culture—embedded in daily operations, reinforced by leadership, and measured by behavior, not checklists.
Africa’s digital economy is expanding rapidly, with mobile money, e-commerce, digital healthcare, and AI-driven services reshaping how people live and work. But the pace of this growth means the cost of mistakes is rising just as fast. A single phishing email clicked by an uninformed employee can compromise financial data, disrupt services, or erode public trust.
If Africa is to secure its digital future, closing the human error gap must be the next frontier. Technology can only go so far; in the end, cybersecurity is as much about people as it is about machines.