Nearly 70% of Firms Face Employee Cybersecurity Knowledge Gap
Nearly 70% of organizations recognize that their employees lack fundamental cybersecurity knowledge, posing a significant risk amid the increasing sophistication of threats driven by emerging technologies. These results, presented in Fortinet’s 2024 Global Cybersecurity Awareness and Training Report, highlight the importance of a cyber-aware workforce to effectively manage and mitigate organizational risks.
“Threat actors are leveraging artificial intelligence (AI) and other emerging tools to increase the sophistication and credibility of their attacks, making it essential for employees to be the first line of defense,” said John Maddison, CMO of Fortinet, adding that continuous training is key to building an organizational culture of cyber resilience.
The report also points out that 60% of business leaders surveyed expect a rise in employee-targeted attacks, with cybercriminals using AI to design more sophisticated and harder-to-detect deception tactics, such as identity theft and phishing. This growing use of AI enables more convincing campaigns that directly target end users—now the primary cause of targeted attacks, affecting over 80% of surveyed organizations in recent years.
Although most organizations recognize the importance of cybersecurity training, leaders admit that some programs are more effective than others. According to the report, 75% of company leaders surveyed plan to conduct awareness campaigns that deliver content periodically, either monthly or quarterly. As the report states, “[e]mployee engagement, along with the clarity and quality of the training content, are directly correlated and are essential factors for effective awareness.”
In response to the evolving threat landscape, 96% of organizations reported strong support from their leadership teams for cybersecurity training programs. Additionally, 98% of leaders indicated that they had included identity theft prevention as a key component in their training programs, alongside data security and privacy protection. This comprehensive approach aims to equip employees to identify and prevent attacks before they escalate.
The implementation of training programs has shown the most promising results concerning the effectiveness of protective measures, with 89% of leaders reporting improvements in their organizations’ security posture. However, areas for improvement were also identified, especially in designing more dynamic content and managing training time. In this regard, Fortinet recommends limiting training sessions to a maximum of one to two hours to avoid overloading employees.
The report concludes that cybersecurity training is a vital component for any organization seeking to mitigate cyber risks, emphasizing that: “In addition to having advanced technological solutions, creating a culture of cybersecurity requires a systematic approach that includes continuous employee education and the implementation of effective threat identification strategies.”