7 in 10 firms lament workers’ lack of basic cybersecurity sense


Increased employee-wide cyber awareness is linked with decreased organisational risk, according to new research from Fortinet.

“As threat actors harness new technologies like AI to augment the sophistication of their attacks, it’s increasingly crucial that employees are a robust first line of defense,” said John Maddison, Chief Marketing Officer at Fortinet.

The survey was conducted among 1,8500 executive-level and management-level professionals from 29 markets, including Hong Kong, Indonesia, Malaysia, the Philippines, Taiwan, Thailand and Singapore.

Findings show that as malicious actors use AI to increase the volume and velocity of their attacks, leaders believe these threats will be harder for their employees to spot. More than 60% of respondents expect more employees to fall victim to attacks in which cybercriminals use AI. 

However, most respondents (80%) also say enterprise-wide knowledge of AI attacks has made their organisations more open to implementing security awareness and training.

Employees can be a firm’s first line of defense, but leaders are increasingly worried that their employees lack security awareness. Nearly 70% of those surveyed believe their employees lack critical cybersecurity knowledge, up from 56% in 2023.

Leaders recognise the importance of security awareness training but believe there are specific attributes that make some training programs more effective than others. More than 80% of leaders are satisfied with their enterprise’s existing security awareness and training efforts.

One prominent way in which cybercriminals use AI is to make phishing schemes more believable and harder to detect. Because phishing targets individual users directly, organisations are overwhelmingly focused on teaching employees how to spot and refrain from falling victim to these attacks.

End users remain attractive targets. More than 80% of organisations faced attacks last year, such as malware, phishing, and password attacks, that directly targeted individuals.

As attacks evolve, security awareness and training will only become more vital. Nearly all (96%) of those surveyed say their leadership team supports security awareness training for employees.

Nearly all respondents (98%) say phishing prevention is a component of their training programs and plans. Other top training priorities include data security (48%) and data privacy (41%).

While security and IT teams are crucial to safeguarding organisations against cyberthreats, an enterprise’s employees also play an important role in preventing breaches.

Employees are open to cybersecurity awareness and training opportunities. Most leaders (86%) say their employees view security awareness and training positively, with 55% saying “very positively.”

Organisations see positive results when they implement security and awareness training programs. An overwhelming majority of leaders (89%) say their organisation saw at least some improvement in its security posture after security awareness and training was implemented, and not a single respondent claimed to see no improvement.

Most organisations are motivated to introduce security awareness and training based on their experience being breached or knowledge of threats in their industry or sector.

Almost all (96%) decision-makers say their leadership team supports implementing training to raise employees’ cybersecurity awareness.

Further, 96% of leaders think increased employee awareness would strengthen the organisation’s cybersecurity posture. Yet respondents also agree that there are key attributes of training programs that are important for effectiveness.

Engaging content is paramount. While 86% of decision-makers say they are satisfied with their current security awareness and training solution, among those not satisfied, the biggest complaint was a lack of engaging content.

Consider the time commitment required. Avoid training fatigue by considering the amount of time required from learners. Demanding too much time from employees can overburden them. Between 1.6 and two hours is the most common amount of time proposed, with three hours as the mean average.
