Fortinet report finds nearly 70 per cent of organisations say their employees lack fundamental security awareness

New research highlights the connection between increased organisation-wide cyber awareness and decreased organisational risk 

John Maddison, chief marketing officer, Fortinet, said, “As threat actors harness new technologies like artificial intelligence (AI) to augment the sophistication of their attacks, it’s increasingly crucial that employees serve as a robust first line of defence. Fortinet’s new research underscores the importance of creating a culture of cybersecurity and the need to deploy organisation-wide security awareness and training. These findings reinforce the importance of our award-winning Security Awareness and Training service for enterprises, including the free educational version available at no cost to primary and secondary schools around the world, and its role in strengthening cyber resilience.” 

News summary 

Fortinet® (NASDAQ: FTNT), the global cybersecurity leader driving the convergence of networking and security, has released its annual 2024 Security Awareness and Training Global Research Report, highlighting the crucial role a cyber-aware workforce plays in managing and mitigating organisational risk.  

Key findings from the global report include: 

• As malicious actors use AI to increase the volume and velocity of their attacks, leaders believe these threats will be harder for their employees to spot. More than 60 per cent of respondents expect more employees to fall victim to attacks in which cybercriminals use AI. However, the good news is that most respondents (80 per cent) also say enterprise-wide knowledge of AI-augmented attacks has made their organisations more open to implementing security awareness and training. 

• Employees can be an organisation’s first line of defence, but leaders are increasingly worried that their employees lack security awareness. Nearly 70 per cent of those surveyed believe their employees lack critical cybersecurity knowledge, up from 56 per cent in 2023. 

• Leaders recognise the importance of security awareness training but believe specific attributes make some training programs more effective than others. Three-quarters of leaders say they plan their security awareness campaigns, delivering content monthly (34 per cent) or quarterly (47 per cent). Executives also point to high-quality content playing a leading role in the success or failure of the program.  

The latest threats that employees must battle 

One prominent way cybercriminals use AI is to make phishing schemes more believable and harder to detect. Because phishing targets individual users directly, organisations are heavily focused on teaching employees how to recognise and avoid falling victim to these attacks. 

• End-users remain attractive targets. More than 80 per cent of organisations faced attacks last year, such as malware, phishing, and password attacks that directly targeted individuals. 

• As attacks evolve, security awareness and training will only become more vital. Nearly all (96 per cent) of those surveyed say their leadership team supports employee security awareness training. 

• Nearly all respondents (98 per cent) say phishing prevention is a component of their training programs and plans. Other top training priorities include data security (48 per cent) and privacy (41 per cent). 

Employees can serve as a strong first line of defence against attacks 

While security and IT teams are crucial to safeguarding organisations against cyberthreats, an enterprise’s employees also play an important role in preventing breaches. 

• Employees are open to cybersecurity awareness and training opportunities. Most leaders (86 per cent) say their employees positively view security awareness and training. 

• Organisations see positive results when they implement security and awareness training programs. An overwhelming majority of leaders (89 per cent) say their organisation saw at least some improvement in its security posture after security awareness and training were implemented. Not a single respondent claimed to see no improvement. 

Cyber awareness training is vital, but not all programs are created equal 

Most organisations are motivated to introduce security awareness and training based on their experience of being breached or knowledge of threats in their industry or sector. Almost all decision-makers (96 per cent) say their leadership team supports implementing training to raise employees’ cybersecurity awareness. 

According to this year’s survey, 97 per cent of leaders think increased employee awareness would strengthen the organisation’s cybersecurity posture. Yet respondents also agree that there are key attributes of training programs that are important for effectiveness. 

• Engaging content is paramount. While 86 per cent of decision-makers say they are satisfied with their current security awareness and training solution, the biggest complaint was a lack of engaging content among those not satisfied. 

• Consider the time commitment required. Avoid training fatigue by considering the amount of time required from learners. Demanding too much time from employees can overburden them. Between 1.1 and 2.0 hours is the most common time proposed, with three hours as the average. 

Develop a cyber-aware workforce with the Fortinet Security Awareness and Training service 

One breach incident alone has significant repercussions for a business. It is vital to build a three-pronged defence strategy that includes security awareness and training for all employees, technical cybersecurity skills for IT and security staff, and advanced security solutions for the network. 

Beyond teaching individuals what to do when they encounter threats, awareness and training lay the foundation for creating a culture of cybersecurity throughout the organisation. Fortinet offers its Security Awareness and Training service to businesses that want to develop a cyber-aware workforce. Designed by the Fortinet Training Institute’s world-class trainers, this service covers a broad range of topics, offers content customisation opportunities, and reinforces learnings with periodic reminders and checks. Organisations using the service also have access to a variety of dashboards to track learner progress and reporting to address cyber insurance and compliance needs.  

About the Fortinet Cyber Awareness survey: 

The survey was conducted among more than 1,850 executive-level and management-level professionals from 29 different countries at organisations with security awareness and training. 

• Survey respondents came from a range of industries, including manufacturing (17 per cent), financial services (13 per cent), and technology and professional services (11 per cent). 

Additional resources 

• Learn about Fortinet’s free cybersecurity training, which includes broad cyber awareness and product training. As part of the Fortinet Training Advancement Agenda (TAA), the Fortinet Training Institute also provides training and certification through the Network Security Expert (NSE) Certification, Academic Partner, and Education Outreach programs. 

• Visit fortinet.com/trust to learn more about Fortinet innovation, collaboration partners, product security processes, and enterprise-grade products. 

• Learn more about FortiGuard Labs threat intelligence and research and Outbreak Alerts, which provide timely steps to mitigate breaking cybersecurity attacks. 

• Learn more about Fortinet’s FortiGuard Security Services portfolio. 

• Read about how Fortinet customers are securing their organisations. 

• Follow Fortinet on X, LinkedIn, Facebook, and Instagram. Subscribe to Fortinet on our blog or YouTube. 

About Fortinet 
Fortinet (NASDAQ: FTNT) is a driving force in the evolution of cybersecurity and the convergence of networking and security. Our mission is to secure people, devices, and data everywhere, and today we deliver cybersecurity everywhere you need it with the largest integrated portfolio of over 50 enterprise-grade products. Well over half a million customers trust Fortinet’s solutions, which are among the most deployed, most patented, and most validated in the industry. The Fortinet Training Institute, one of the largest and broadest training programs in the industry, is dedicated to making cybersecurity training and new career opportunities available to everyone. Collaboration with esteemed organisations from both the public and private sectors, including CERTs, government entities, and academia, is a fundamental aspect of Fortinet’s commitment to enhance cyber resilience globally. FortiGuard Labs, Fortinet’s elite threat intelligence and research organisation, develops and utilises leading-edge machine learning and AI technologies to provide customers with timely and consistently top-rated protection and actionable threat intelligence. Learn more at https://www.fortinet.com, the Fortinet blog, and FortiGuard Labs. 

Copyright © 2024 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet’s trademarks include, but are not limited to, the following: Fortinet, the Fortinet logo, FortiGate, FortiOS, FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC, FortiClient, FortiCloud, FortiMail, FortiSandbox, FortiADC, FortiAI, FortiAIOps, FortiAntenna, FortiAP, FortiAPCam, FortiAuthenticator, FortiCache, FortiCall, FortiCam, FortiCamera, FortiCarrier, FortiCASB, FortiCentral, FortiConnect, FortiController, FortiConverter, FortiCWP, FortiDB, FortiDDoS, FortiDeceptor, FortiDeploy, FortiDevSec, FortiEdge, FortiEDR, FortiExplorer, FortiExtender, FortiFirewall, FortiFone, FortiGSLB, FortiHypervisor, FortiInsight, FortiIsolator, FortiLAN, FortiLink, FortiMoM, FortiMonitor, FortiNAC, FortiNDR, FortiPenTest, FortiPhish, FortiPlanner, FortiPolicy, FortiPortal, FortiPresence, FortiProxy, FortiRecon, FortiRecorder, FortiSASE, FortiSDNConnector, FortiSIEM, FortiSMS, FortiSOAR, FortiSwitch, FortiTester, FortiToken, FortiTrust, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLM and FortiXDR. Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments.