Phishing Risk: An Industry Comparison

Who is most vulnerable?

Ranking according to industry:

The results of a benchmarking report from 2021 show what companies, institutions and organizations should already be aware of: without effective staff training, companies are inadequately prepared for increased cyber crime and much more vulnerable to social engineering attacks.


Statistically, the initial phishing vulnerability averaged 31.4 % irrespective of industry or number of employees. This figure reveals the degree to which employees are at risk of falling for a phishing attempt. Companies of any size and industry need to improve their staff training in identifying phishing and the standard social engineering tactics of cyber criminals in order to establish a sustainable security culture.

Security awareness measures for a sustainable security culture

Among small companies (1-249 employees), the health care and pharmaceuticals industry takes first place with a phishing vulnerability (PV) of 34.0 %, followed by the education sector with a PV of 32.9 %.

Among medium-sized companies, the hotel and catering industry takes first place with a PV of 42.3 %. The energy and utilities sector has a PV of 35.7 %. The health care and pharmaceuticals industry is also among the top 3 with a PV of 35.6 % in 2021.

Among large companies (with more than 1,000 employees), energy and utilities rank first with a PV of 52.4 %, closely followed by insurance companies with a PV of 51.6 %. Banks with a PV of 47.5 % take third place.

The lowest initial phishing vulnerability is found among public institutions, authorities and law firms (PV of 23.5 %).

Average improvement rate depending on industry and number of employees

The statistics also hold promising news, however. After one year of continued security awareness training and regularly simulated phishing tests, the average vulnerability of employees across companies of all sizes and industries has already been significantly reduced, by 84 %.

Increase the security awareness of your staff and establish a sustainable security culture.