Cybersecurity in Africa has come a long way in the last several years, to the point where most African organizations are now investing more in defenses, rolling out training programs, and adopting new technologies.
However, dangerous blind spots still remain. The real threat isn’t just hackers or weak firewalls; it’s the widening gap between what management thinks their employees know and what they actually understand.
According to the KnowBe4 Africa Human Risk Management Report 2025, many organizations are overestimating their workforce’s cybersecurity readiness while underestimating critical deficiencies in trust, training, and practical application.
The report reveals a troubling trend: while 50% of decision-makers rate employee confidence in reporting cyber threats at 4 out of 5, only 43% of employees actually feel confident in recognizing threats such as a phishing email or a malware attack.
Even more concerning, a third of employees believe their training is insufficient. This perception gap extends to role-specific training: 68% of leaders claim their security awareness training (SAT) is tailored by role, yet only 33% of employees agree, and 16% outright dispute the claim.
According to Anna Collard, SVP of Content Strategy and Evangelist at KnowBe4 Africa, this discrepancy between perception and experience is exactly where human risk thrives. “If leaders don’t correct course, they’re building security strategies on false confidence,” said Collard.
Many organizations are stuck in a cycle of checking boxes (mandatory training sessions, annual phishing tests, and generic security pamphlets) without ever asking: Is this actually working?
Over 40% of companies admit they struggle to measure whether their training leads to real behavioral change. The issue is that too many rely on one-size-fits-all programs that don’t account for different risk levels across departments.
For instance, a finance employee handling sensitive transactions needs a different approach than a marketing team member managing social media, yet most training fails to reflect that.
And while larger organizations pour resources into cybersecurity, they’re ironically less confident in their employees’ readiness. The bigger the company, the harder it seems to track whether awareness translates into action.
And as if traditional cybersecurity challenges weren’t enough, a new threat is also rapidly emerging: unregulated AI usage. With nearly half of African organizations still drafting formal AI policies and up to 80% of employees using personal devices for work, the risk of unchecked “shadow AI” is skyrocketing. East Africa has managed to stay ahead of the curve with more proactive AI governance, but more still needs to be done.
The solution isn’t more training but smarter training. Organizations need to move beyond generic lectures and start tailoring programs to real employee behaviors.
That means role-specific simulations, continuous feedback loops, and clear reporting channels so workers know exactly what to do when they spot a threat.