Half of Business Leaders Believe Users Aren’t Security Aware, Despite Most Having a Program in Place

Stu Sjouwerman | Jun 23, 2023

New data shows that even with the majority of organizations experiencing cyber attacks, three hours of security awareness training simply isn’t enough.

There’s a bit of a misunderstanding around what exactly is “Security Awareness Training.” According to new data in Fortinet’s 2023 Security Awareness and Training Global Research Brief, nearly 60% of organization leadership think that just three hours a year of security training is enough, with more than two-thirds of them (68%) thinking that it’s most important for employees to know how to keep sensitive data and systems secure while working remotely.

As someone who speaks with C-level leaders, I can say they are completely missing the mark. And the Fortinet data proves it: according to the report, these same organizations haven’t been doing so well in the fight against cyber attacks:

  • 56% of leaders believe their employees lack knowledge when it comes to cybersecurity awareness, despite 85% having some form of security awareness training program in place
  • 84% of organizations surveyed experienced at least one cybersecurity breach in the past 12 months, with 29% experiencing five or more in the same timeframe
  • 81% of the attacks experienced were phishing, password and malware attacks

Organizations know they’re being bombarded with phishing attacks, they believe their users aren’t security aware, and somehow three hours a year (and mostly on data security) is enough training?

I’ve always been an advocate for continual Security Awareness Training with phishing testing to act as the feedback loop for who needs remedial training. Quarterly breakroom training or online training for a few hours every year isn’t going to cut it. The threat landscape is continually changing, and if you want your users to act as part of the cybersecurity solution for your organization, a few hours of security awareness training a year isn’t going to get the job done.
