Phishing Click Rate Benchmarks by Department: Finance, HR, Sales, IT, and Executive Performance Compared

2026-04-22 11 min read By PhishSkill Team

Sales clicks phishing at 28-35%. IT clicks at 6-12%. Department-level variation dwarfs industry variation, yet most security programs treat every team identically. Here are the benchmarks that expose where risk really hides.

Organizational chart with phishing click rate percentages by department overlaid

Security awareness programs typically measure and report organizational click rates for phishing campaigns: the percentage of employees across the entire organization who click simulated phishing emails. A company reports "our click rate is 22 percent" as if that single number describes organizational vulnerability. That aggregation conceals more than it reveals.

Industry data shows that within-organization variation in phishing click rates across departments often exceeds the variation between organizations in different industries. A technology company might report an organizational click rate of 18 percent while its sales department shows 32 percent, its marketing department shows 26 percent, its finance department shows 14 percent, and its engineering department shows 9 percent. Those internal differences represent fundamentally different risk profiles that uniform security awareness training does not address.

The department-level variation is not random and is not primarily driven by differences in employee capability or security awareness. It is driven by differences in job structure, communication patterns, time pressure, external interaction requirements, and the types of emails that employees in different roles receive and are conditioned to respond to. NIST's SP 800-50 Rev. 1 explicitly recommends role-based security awareness content, reinforcing what the data shows: understanding these structural drivers of department-level vulnerability is essential for designing programs that address actual risk rather than treating all employees as interchangeable.

This guide provides detailed phishing click rate benchmarks for major departments across organizations, explains the structural and behavioral factors that drive department-level variation, and offers a framework for designing role-specific security awareness training that addresses the actual vulnerabilities present in each organizational function.


Sales and Business Development: Highest Click Rates, External Communication Culture

Sales departments consistently show the highest phishing click rates across organizations, typically ranging from 28 to 35 percent in organizations where the overall click rate is 18 to 22 percent. The elevation is consistent across industries—technology company sales teams show higher click rates than technology company engineering teams, financial services sales teams show higher click rates than financial services operations teams, and so on.

The factors driving sales vulnerability are structural rather than individual. Sales roles require constant responsiveness to external communications. A sales representative who receives an email from an unknown sender claiming to represent a potential customer or partner cannot simply delete it—engaging with unknown external parties is a core job function. The professional behavior that makes someone effective at sales (responding quickly to external inquiries, maintaining open communication channels, prioritizing relationship building over process) creates phishing vulnerability.

Sales teams are also conditioned to urgency. Revenue targets, quota pressure, pipeline management, and deal timelines create a work culture where immediate response to communications is valued and where delay is professionally costly. Phishing emails that create artificial urgency ("Act now to close this deal," "Urgent proposal request," "Time-sensitive partnership opportunity") exploit exactly the urgency conditioning that sales culture reinforces.

The types of emails that sales teams receive also increase vulnerability. Legitimate sales prospecting emails, cold outreach, partnership inquiries, customer requests, and vendor solicitations create an environment where unexpected emails from unknown senders are routine rather than suspicious. Sales employees cannot apply the heuristic "delete unexpected emails from unknown senders" because doing so would mean deleting substantial volumes of legitimate business opportunity.

Sales phishing also exploits the CRM and sales tool ecosystem. Attackers craft phishing emails impersonating Salesforce notifications, LinkedIn messages, calendar meeting requests, and document sharing from sales enablement platforms. Sales employees encounter these legitimate notifications dozens of times daily, creating habituation that attackers exploit by inserting malicious notifications into the stream of legitimate tool notifications.

Organizations that achieve sales department click rates below 22 percent—substantially better than the department benchmark—typically do so through sales-specific security awareness training that acknowledges the unique characteristics of sales communication patterns. The training teaches sales employees to apply verification behaviors that work within sales workflows: using LinkedIn or company websites to independently verify sender identity before clicking links, establishing initial contact through known channels before responding to unexpected emails, treating urgent requests for sensitive information as red flags regardless of apparent opportunity.

The other intervention that reduces sales phishing vulnerability is technical: implementing advanced email filtering that understands sales communication patterns and that can distinguish between legitimate external sales prospecting and phishing attempts. Sales teams often complain that aggressive spam filtering blocks legitimate business opportunities, creating pressure to relax filtering. Email security systems that learn organizational sales communication patterns can provide tighter security for sales teams without blocking legitimate opportunity.


Marketing and Communications: High Click Rates, External Engagement Requirements

Marketing departments show phishing click rates typically ranging from 22 to 30 percent in organizations where overall click rates are 18 to 22 percent. Like sales, marketing vulnerability is driven by job requirements that create structural phishing exposure.

Marketing roles require engagement with external vendors, agencies, media outlets, influencers, and potential partners. A marketing manager who receives an email from someone claiming to be a journalist requesting comment or from an agency proposing collaboration cannot simply delete it as suspicious—external engagement is a job function. The professional behavior required for marketing effectiveness (maintaining media relationships, responding to partnership inquiries, engaging with industry contacts) creates the communication patterns that phishing exploits.

Marketing teams are also heavy users of external tools and platforms: social media management systems, email marketing platforms, analytics tools, content management systems, advertising platforms, and collaboration tools for working with agencies. Each platform generates legitimate notification emails that request clicks for account verification, content approval, campaign management, and security updates. The volume of legitimate platform notifications creates an environment where phishing notifications impersonating marketing tools blend into expected communication.

The types of content that marketing teams handle—shared documents, creative assets, campaign materials, media files—create additional vulnerability. Marketing employees routinely receive and click links to shared Google Docs, Dropbox folders, Box repositories, and file transfer services. Phishing emails that impersonate document sharing notifications or that claim to contain creative assets for review exploit exactly the workflow patterns that marketing professionals follow dozens of times weekly.

Marketing phishing also exploits industry events and deadlines. Attackers time phishing campaigns to coincide with major industry conferences, award submission deadlines, and campaign launches when marketing teams are under maximum time pressure and when communications about these events are expected. A marketing manager receiving what appears to be a conference registration confirmation or an award submission deadline notice during relevant time periods is less likely to scrutinize sender authenticity carefully.

Organizations that achieve marketing department click rates below 18 percent typically do so through a combination of marketing-specific training and technical controls. The training teaches verification behaviors appropriate to marketing workflows: checking sender domains for slight variations before clicking links in partnership inquiries, verifying unexpected document sharing through alternative communication channels, recognizing that urgency around external opportunities is a manipulation tactic. Technical controls include advanced email filtering calibrated for marketing's external communication requirements and secure file sharing systems that reduce reliance on clicking email links to access shared content.


Human Resources: Moderate-High Click Rates, PII Handling Vulnerability

HR departments show phishing click rates typically ranging from 20 to 28 percent in organizations where overall click rates are 18 to 22 percent. HR vulnerability is driven by unique characteristics of HR workflows and by the types of information that HR teams handle.

HR roles involve processing high volumes of emails containing personal information: job applications, benefits enrollments, employee personal data updates, background check results, and confidential employee relations matters. The routine handling of sensitive personal information in email creates normalization—receiving emails containing SSNs, dates of birth, salary information, and health data becomes expected workflow rather than suspicious event.

HR teams also receive substantial volumes of external emails from people outside the organization: job applicants, recruiting agencies, benefits vendors, background check services, and former employees. Unlike most corporate departments where external emails are relatively rare, HR receives dozens of external emails daily as standard workflow. This volume of legitimate external email makes it difficult to apply the heuristic "be suspicious of emails from unknown senders" because unknown senders are routine in HR communication.

The types of requests that HR processes create additional phishing vulnerability. HR routinely handles urgent employee requests involving personal circumstances: medical leave documentation, benefits questions requiring immediate answer, payroll discrepancy resolution, and personal emergency notifications. Attackers exploit this by crafting phishing emails impersonating employees with urgent personal requests, knowing that HR culture emphasizes responsive service to employee needs.

HR phishing also exploits the HR software ecosystem: applicant tracking systems, HRIS platforms, benefits administration systems, background check services, and payroll systems. Each platform generates notification emails that require clicks for candidate review, benefits enrollment, employee data updates, and compliance actions. The volume of legitimate HR system notifications creates opportunities for attackers to insert malicious notifications that HR employees click reflexively.

The most damaging HR phishing attacks involve payroll diversion—attackers impersonating employees requesting direct deposit changes. This is a textbook social engineering scheme that exploits HR's service-oriented culture. HR departments that process such requests via email without rigorous verification create vulnerability that attackers exploit systematically. Organizations that implement mandatory phone-call verification for any banking change requests show dramatically lower success rates for payroll diversion attacks regardless of email click rates.

Organizations that achieve HR department click rates below 16 percent typically implement HR-specific security training that addresses the unique vulnerabilities of HR workflows: teaching verification procedures for unexpected employee requests involving personal information, creating protocols for handling sensitive information that reduce reliance on email, implementing mandatory multi-channel verification for payroll and banking changes, and providing secure alternatives to email for transmitting employee PII.


Finance and Accounting: Lower Click Rates, Process-Oriented Culture

Finance and accounting departments show phishing click rates typically ranging from 12 to 18 percent in organizations where overall click rates are 18 to 22 percent. Finance departments consistently perform better than organizational averages across industries, reflecting both the process-oriented nature of financial work and the emphasis on verification that characterizes financial professional training.

Finance professionals are trained to verify information before acting—confirming invoice legitimacy, validating payment instructions, reconciling transactions, and questioning discrepancies. That professional verification habit extends to email behavior. Finance employees are more likely than employees in most other departments to scrutinize sender addresses, question unexpected requests, and seek confirmation through alternative channels before responding to email directives.

The types of emails that finance departments receive also differ from other departments in ways that reduce phishing vulnerability. Finance teams receive relatively few external emails compared to sales, marketing, or HR. Most finance communication happens with known internal colleagues, established vendors with existing relationships, and regular business partners. The low volume of legitimate external email makes unexpected external emails more salient and more likely to trigger scrutiny.

However, finance departments face targeted, high-stakes phishing attacks that make their lower click rates less reassuring than they appear. Business email compromise attacks targeting finance departments for wire transfer fraud, vendor payment redirection, and invoice manipulation are more financially damaging per successful attack than the credential harvesting and malware distribution that characterize phishing targeting other departments. A finance department that achieves a 14 percent click rate but that falls victim to a single successful BEC attack redirecting a $500,000 wire transfer has experienced more damage than a sales department with a 32 percent click rate that results in a dozen compromised email accounts.

Finance-specific phishing tactics exploit the dual authorization and approval workflows common in finance operations. Attackers craft emails impersonating executives requesting urgent wire transfers, knowing that finance employees are conditioned to respond to executive payment directives. The phishing emails exploit the tension between finance's verification culture and the organizational expectation that finance will respond promptly to executive requests.

Organizations that achieve finance department click rates below 10 percent typically implement finance-specific security training focused on the high-stakes attacks that target finance rather than on generic phishing scenarios. The training emphasizes verification protocols for payment requests, teaches recognition of BEC tactics, reinforces dual authorization requirements, and creates explicit permission for finance employees to question executive directives that do not follow established processes. The training also addresses the specific tools and notifications that finance employees encounter: fake invoice notifications, spoofed vendor communications, and fraudulent payment platform alerts.


Information Technology: Lowest Click Rates, Technical Expertise Advantage

IT departments consistently show the lowest phishing simulation click rates across organizations, typically ranging from 6 to 12 percent in organizations where overall click rates are 18 to 22 percent. IT's superior phishing resistance reflects technical expertise that enables recognition of phishing indicators that non-technical employees miss.

IT employees routinely examine email headers, understand DNS and domain authentication, recognize URL manipulation, and understand how email spoofing works. This technical knowledge allows IT staff to identify phishing emails through analysis that non-technical employees cannot replicate. An IT employee who encounters a suspicious email is likely to examine the full sender address, check whether SPF/DKIM/DMARC authentication passed, analyze the email headers for routing anomalies, and verify the legitimacy of URLs before clicking—behaviors that security training teaches but that require technical knowledge to execute effectively.

IT departments also use password managers and multi-factor authentication at higher rates than other departments, providing technical protection that reduces vulnerability even when clicking occasionally occurs. IT employees who click suspicious links are less likely to successfully compromise credentials because password managers will not autofill on fraudulent domains and because MFA creates an additional verification barrier.

However, IT's low click rate creates a false sense of organizational security if it is not examined in context. IT departments typically represent 5 to 15 percent of organizational headcount. An organization where IT achieves a 7 percent click rate but sales, marketing, and HR average 28 percent has not achieved good security—it has one secure department and several vulnerable departments. The organizational aggregate click rate conceals the concentration of vulnerability outside IT.

IT departments also face sophisticated, targeted attacks that generic phishing simulations may not capture. Attackers targeting IT specifically craft phishing that exploits technical knowledge rather than lack of it: fake security alerts requiring immediate patch installation, spoofed vendor security bulletins, fake zero-day vulnerability notifications, and social engineering that leverages IT professional identity. IT employees may recognize generic phishing easily but remain vulnerable to attacks crafted specifically for technical audiences.

Organizations that achieve IT department click rates below 6 percent typically do so through a combination of factors: mandatory password manager use, hardware security keys that prevent credential harvesting, advanced email filtering, and a security team culture that treats phishing awareness as professional competence. The lowest click rates occur in organizations where IT employees face professional consequences—not disciplinary but reputational—for falling victim to phishing, creating strong personal motivation for vigilance.


Executive and C-Suite: Elevated Click Rates, Authority Exploitation

Executive and C-suite phishing click rates typically range from 18 to 28 percent, higher than many employees expect and often elevated above organizational averages. For the full picture on executive targeting, including the spear-phishing and whaling tactics that drive these numbers, see our dedicated executive benchmarks. The finding surprises many organizations because executives are assumed to be more security-aware and more careful than general employee populations. The data does not support that assumption.

Executive vulnerability is driven by several factors specific to executive roles. Executives receive high volumes of external email—business development inquiries, speaking invitations, board opportunities, media requests, partnership proposals—creating an environment where unexpected external emails are routine. Executives also operate under severe time pressure with overscheduled calendars, creating conditions where rapid email triage takes precedence over careful security evaluation.

Executive assistants create additional complexity. Many executives have assistants who manage their email, and phishing attacks targeting executives increasingly impersonate executive assistants requesting action from the executive or impersonate the executive requesting action from the assistant. The assistant relationship creates ambiguity about communication channels and authentication that attackers exploit.

The types of information that executives handle also increase targeting. Executives have access to confidential strategic information, M&A plans, board materials, financial forecasts, and personnel decisions that make their email accounts high-value targets. Attackers invest more effort in crafting sophisticated phishing targeting executives than in attacks targeting general employee populations, and that increased sophistication shows up in higher success rates.

Executive phishing also exploits authority relationships—what security professionals call social engineering. Attackers craft emails impersonating board members, major investors, key clients, or other executives, knowing that executives are conditioned to respond promptly to communications from these high-status external parties. A CEO who receives what appears to be an urgent request from a board member is less likely to apply rigorous sender verification than for routine communications.

Organizations that achieve executive click rates below 15 percent typically implement executive-specific security awareness training that addresses the unique characteristics of executive communication patterns and threats. The training is delivered in condensed formats appropriate to executive time constraints—often 15-minute sessions rather than 45-minute training modules. The training focuses on the high-stakes targeted attacks that executives actually face rather than on generic phishing scenarios, and it provides executive-appropriate verification procedures that assistants can help execute.

The most effective executive security also involves technical controls: requiring executives to use mobile device management on smartphones, implementing advanced filtering specifically calibrated for executive communication patterns, and providing executive assistants with security training focused on their role as gatekeepers of executive communication channels.


Legal and Compliance: Moderate Click Rates, Vendor Communication Vulnerability

Legal and compliance departments show phishing click rates typically ranging from 16 to 24 percent in organizations where overall click rates are 18 to 22 percent. Legal performance sits between the lower rates of finance and IT and the higher rates of sales and marketing.

Legal departments face phishing vulnerability driven by external communication requirements similar to sales and marketing. Corporate counsel interacts with outside law firms, regulatory agencies, courts, opposing counsel, and transaction counterparties. In-house legal teams handling intellectual property, contracts, or employment law receive substantial external email from law firms, patent offices, trademark services, and employment attorneys. This volume of legitimate external legal communication creates an environment where unexpected external emails are routine.

The types of documents that legal teams handle create additional vulnerability. Attorneys routinely receive and click links to shared legal documents, court filings, contracts for review, and confidential deal materials. Phishing emails that impersonate document sharing notifications or that claim to contain time-sensitive legal materials exploit exactly the workflow patterns that legal professionals follow regularly.

Legal phishing also exploits deadline pressure. Court filing deadlines, transaction closing timelines, regulatory submission deadlines, and contract negotiation schedules create time pressure similar to sales quotas. Phishing emails that create artificial urgency around legal deadlines are more likely to succeed than generic urgent phishing because they exploit real professional pressure that attorneys face.

Compliance departments face similar external communication patterns plus additional vulnerability from regulatory impersonation. Phishing emails impersonating regulatory agencies, audit firms, certification bodies, and compliance vendors achieve higher click rates in compliance departments than generic phishing because compliance professionals are conditioned to respond promptly to regulatory communications and because the consequences of ignoring legitimate regulatory communications are severe.

Organizations that achieve legal and compliance department click rates below 14 percent typically implement role-specific training that addresses the unique vulnerabilities of legal workflows: teaching verification procedures for unexpected legal document sharing, creating protocols for confirming authenticity of communications claiming regulatory authority, and implementing secure alternatives to email for transmitting confidential legal materials.


Operations and Customer Service: High Volume, External Interaction Vulnerability

Operations and customer service departments show phishing click rates typically ranging from 24 to 32 percent in organizations where overall click rates are 18 to 22 percent. These departments face vulnerability patterns similar to sales—high external interaction, urgency culture, and communication patterns that normalize unexpected emails.

Customer service roles require responding to external communications from customers, often under service-level-agreement time pressure that penalizes delayed response. Customer service representatives who receive emails claiming to be from customers with urgent issues cannot simply delete them as suspicious—customer engagement is a job function. The professional behavior that makes someone effective at customer service (responsive communication, prioritizing customer needs, minimizing customer wait time) creates phishing vulnerability.

Operations teams managing supply chains, logistics, vendor relationships, and facility management receive high volumes of external email from suppliers, carriers, contractors, and service providers. The volume of legitimate external operational communications creates an environment where unexpected external emails are routine rather than suspicious. Operations employees cannot apply strict sender filtering without blocking legitimate business communications.

Customer service and operations teams also tend to have less security awareness training exposure than desk-based corporate employees. Customer service representatives working in call centers, operations staff managing warehouses or manufacturing facilities, and logistics coordinators working in distribution centers often receive abbreviated security training or are excluded from training programs designed for information workers. The limited training exposure creates baseline vulnerability independent of the structural exposure created by job requirements — and the problem is amplified during onboarding, when new employees are reliably among the highest-risk populations in any department.

The tools and platforms that operations and customer service teams use create additional vulnerability. Operations teams receive notifications from inventory management systems, logistics platforms, procurement systems, and facility management tools. Customer service teams receive notifications from CRM systems, ticket management platforms, and customer communication systems. The volume of legitimate tool notifications creates opportunities for attackers to insert malicious notifications.

Organizations that achieve operations and customer service click rates below 20 percent typically do so through simplified, role-appropriate training delivered in formats suitable for non-desk employees: short video modules accessible on mobile devices, brief in-person training during shift meetings, and visual reference materials (posters, quick-reference cards) that provide verification guidance in operational environments. The training acknowledges the external communication requirements of the roles and teaches verification behaviors that work within operational time constraints rather than requiring extensive scrutiny that operational workflows cannot accommodate.


Research and Development: Moderate-Low Click Rates, Targeted IP Theft Risk

Research and development departments show phishing click rates typically ranging from 14 to 20 percent in organizations where overall click rates are 18 to 22 percent. R&D performance is generally better than organizational average but shows significant variation by organizational security maturity.

R&D employees typically have strong technical backgrounds that provide some natural phishing resistance similar to IT departments. Engineers, scientists, and researchers understand email technology, can recognize URL manipulation, and tend to be skeptical of unsolicited communications. However, R&D technical expertise is domain-specific—a pharmaceutical researcher or mechanical engineer may have deep technical knowledge that does not extend to cybersecurity.

R&D departments face targeted phishing focused on intellectual property theft rather than the credential harvesting and malware distribution that characterize phishing targeting other departments. Attackers craft phishing specifically designed to harvest research data, product development information, and proprietary technical knowledge. These targeted attacks may succeed even when R&D click rates on generic phishing simulations are low.

The collaboration patterns in R&D create phishing vulnerability. Researchers routinely share documents with colleagues at other organizations, collaborate with academic partners, engage with vendors providing research tools and materials, and communicate with potential customers or partners interested in R&D output. This external collaboration creates legitimate expectations for external communications and document sharing that attackers exploit.

R&D phishing also exploits the academic culture common in research organizations. Researchers accustomed to academic openness, conference networking, and peer collaboration may apply less stringent verification to communications claiming to be from academic peers, conference organizers, or research collaborators than they would apply to obvious external commercial communications.

Organizations that achieve R&D department click rates below 12 percent typically implement R&D-specific security training focused on intellectual property protection rather than generic phishing scenarios. The training emphasizes the value of the research information that R&D employees access and the tactics that nation-state actors and commercial competitors use to target R&D. The training also provides secure alternatives for research collaboration that reduce reliance on clicking email links to access shared technical documents.


The Department-as-Target Problem: Why Aggregated Metrics Fail

The dramatic variation in phishing click rates across departments within organizations reveals a fundamental problem with aggregated organizational metrics. An organization reporting "our click rate is 20 percent" is providing almost no useful information about its actual security posture if that 20 percent represents an average of 8 percent in IT, 15 percent in finance, 22 percent in marketing, and 34 percent in sales.

Attackers do not target organizations uniformly—they target specific departments that provide access to specific types of valuable information or that enable specific types of attacks. Attackers seeking financial fraud target finance and accounting. Attackers seeking customer data target sales and customer service. Attackers seeking intellectual property target R&D. Attackers seeking payroll diversion target HR.

The relevant security metric for measuring organizational vulnerability is not "what percentage of all employees would click phishing" but rather "what percentage of employees in the departments that attackers actually target would click phishing directed at those departments." Those are very different questions with very different answers.

An organization with excellent IT security, moderate finance security, and poor sales security has a sales security problem regardless of what the aggregated organizational click rate suggests. The aggregated metric conceals the concentration of vulnerability in the departments that matter most for the attacks that actually occur.

The solution is department-level measurement and department-specific security awareness programs. Organizations that measure click rates by department, that design training specific to the communication patterns and vulnerabilities of each department, and that allocate training resources based on department-level risk rather than uniform organizational programs achieve substantially better security outcomes than organizations treating all departments identically.


Using Department Benchmarks to Design Role-Specific Training

Understanding how your department-level click rates compare to benchmarks should inform several specific program design decisions.

If your sales department click rate is above 30 percent, the immediate opportunity is implementing sales-specific training that acknowledges sales communication patterns rather than treating sales employees as if they should apply strict sender filtering that would prevent them from doing their jobs effectively. The training should teach verification behaviors that work within sales workflows rather than teaching verification behaviors designed for environments with minimal external communication.

If your finance department click rate is above 16 percent, the concern is elevated vulnerability in a high-stakes target department. Even moderately elevated click rates in finance create material business email compromise risk. The training priority should be BEC-specific awareness and verification protocols for payment-related communications rather than generic phishing scenarios.

If your executive click rate is above organizational average, the strategic risk is disproportionate—executive accounts provide access to the highest-value information and enable the most damaging attacks. Executive-specific training and technical controls should be prioritized over achieving marginal improvements in lower-risk departments.

If your department-level variation is larger than your absolute click rates—if you have departments at 10 percent and departments at 35 percent while organizational average is 22 percent—the program design problem is underinvestment in role-specific training. Uniform training designed for average employees is failing high-vulnerability departments. The solution is developing department-specific training modules that address the actual vulnerabilities present in each function.
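As an added illustration that is not PhishSkill's code or data, the following Python script computes per-department click rates from constructed simulation records and applies the decision rules given above (sales above 30 percent, finance above 16 percent, executives above the organizational average, spread larger than the average itself), showing how the single aggregated figure hides the concentration of risk:

```python
from collections import defaultdict

# Constructed per-recipient simulation records: (department, clicked).
# The counts are illustrative, not figures from the article.
SIMULATION_RESULTS = (
    [("sales", True)] * 7 + [("sales", False)] * 13
    + [("finance", True)] * 3 + [("finance", False)] * 12
    + [("executive", True)] * 3 + [("executive", False)] * 9
    + [("it", True)] * 2 + [("it", False)] * 23
    + [("hr", True)] * 3 + [("hr", False)] * 15
    + [("marketing", True)] * 5 + [("marketing", False)] * 15
)
SALES_LIMIT = 30.0    # article: sales above 30% needs sales-specific training
FINANCE_LIMIT = 16.0  # article: finance above 16% is elevated BEC risk


def department_click_rates(results):
    """Return {department: (clicks, sent, rate_percent)}."""
    clicks, sent = defaultdict(int), defaultdict(int)
    for dept, clicked in results:
        sent[dept] += 1
        clicks[dept] += int(clicked)
    return {d: (clicks[d], sent[d], 100.0 * clicks[d] / sent[d]) for d in sent}


def organizational_click_rate(results):
    """The single aggregated number most programs report."""
    return 100.0 * sum(int(c) for _, c in results) / len(results)


def flag_departments(results):
    """Apply the article's department-level rules; returns (org, rates, findings)."""
    rates = department_click_rates(results)
    org = organizational_click_rate(results)
    pct = {d: r for d, (_, _, r) in rates.items()}  # department -> rate in percent
    findings = {}
    if pct.get("sales", 0.0) > SALES_LIMIT:
        findings["sales"] = "sales-specific training that fits external-communication workflows"
    if pct.get("finance", 0.0) > FINANCE_LIMIT:
        findings["finance"] = "BEC-specific awareness and payment verification protocols"
    if pct.get("executive", 0.0) > org:
        findings["executive"] = "prioritize executive training and technical controls"
    if pct and max(pct.values()) - min(pct.values()) > org:  # spread exceeds the average
        findings["program"] = "underinvestment in role-specific training"
    return org, rates, findings


if __name__ == "__main__":
    org, rates, findings = flag_departments(SIMULATION_RESULTS)
    print(f"organizational click rate: {org:.1f}%  (conceals the spread below)")
    for dept, (c, n, r) in sorted(rates.items(), key=lambda kv: -kv[1][2]):
        print(f"  {dept:<10} {c:>2}/{n:<3} {r:5.1f}%")
    for area, action in findings.items():
        print(f"FLAG {area}: {action}")
```

With these constructed numbers the organization reports roughly 21 percent, while sales sits at 35 percent and IT at 8 percent, and all four rules fire.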


PhishSkill tracks click rates by department, role, and seniority level in every simulation, revealing where vulnerability actually concentrates rather than reporting only organizational averages that conceal the departments that attackers target, because security programs that treat sales and IT identically are failing sales regardless of what the organizational average suggests.

Related Reading

Department-level vulnerability is only part of the picture. To see how click rates vary across sectors, read Phishing Click Rate Benchmarks by Industry. For the specific tactics that target finance departments with BEC, see BEC Attack Success Rate Benchmarks by Industry. To understand how to measure comprehensive security culture across departments, see Security Culture Measurement for CISOs.

Ready to stop phishing attacks?

Run realistic phishing simulations and high-impact security awareness training with PhishSkill's automated platform.