Digital transformation, increased cloud adoption, and the rise of remote working have all elevated the need for employee cybersecurity awareness to a critical priority.
Yet, despite this clear need, 70% of South African organisations have been found to lack even basic cybersecurity awareness, leaving them more vulnerable to cyber threats, according to Fortinet’s 2024 Security Awareness and Training Global Research Report.
Doros Hadjizenonos, regional director at Fortinet, says that cybersecurity awareness should go beyond simply acknowledging that significant cyber threats exist. “Almost everyone knows, to some degree, that cyberthreats have become pervasive. However, we need to move from a position of vague awareness to making more material gains that can help businesses.
“Cybersecurity awareness training should equip employees with practical knowledge to spot and respond effectively to threats. Knowing the threats exist alone doesn’t make employees familiar enough with the tactics cybercriminals use, which include well-worded phishing emails and sophisticated social engineering through any form of communication.
“Effective cybersecurity training teaches staff to pre-empt, recognise, and appropriately respond to these threats as and when they arise, which then reduces the likelihood of successful attacks.”
One significant contributing factor to this knowledge gap is the common misconception among businesses – especially smaller enterprises – that they aren’t attractive targets for cyberattacks.
Hadjizenonos says the opposite is true. “Cybercriminals frequently target smaller businesses precisely because they often interface with larger enterprises and serve as entry points into bigger networks of lucrative targets. Even systems perceived as low-risk, like air conditioning or catering services connected to corporate networks, have been successfully and disastrously exploited.”
One growing concern for businesses is the rise of AI-driven attacks. Fortinet’s research highlights that 46% of organisations now expect their employees to fall for more attacks in the future because bad actors are using AI.
Although 58% of South African businesses say they are currently not using AI-driven cybersecurity solutions to counter AI-based threats (even as global data indicates over 60% of organisations foresee increased susceptibility to AI-driven attacks), Hadjizenonos notes that AI technology is built into most cybersecurity products and solutions.
“Just as attackers are using AI to exploit vulnerabilities, the good guys are using AI to bolster defences. Ultimately, humans are the most vulnerable part of any organisation’s cybersecurity system. Phishing emails used to be fairly easy to identify because they were poorly worded and contained multiple spelling errors – but nonetheless led to successful breaches for decades. Now they’re drastically more difficult to identify as AI-generated emails and deep-fake media have reached levels of realism that leave almost no one immune.”
While the risks are clear, barriers to implementing cybersecurity training persist. Limited personnel resources (36%) and restricted budgets (34%) are cited as the biggest challenges for local businesses.
“The investment required for effective security training is minimal compared to the significant financial and reputational damage caused by cyber incidents,” explains Hadjizenonos, referring to Fortinet’s survey finding that 70% of local respondents saw significant improvement in their organisation’s security posture after training implementation.
Interactive training programs, especially those incorporating simulations, significantly enhance the engagement and efficacy of cybersecurity awareness and training efforts. Perhaps most crucial of all is leadership’s role in fostering a cybersecurity-conscious culture, with IT leaders (72%), CEOs (68%), and security leaders (52%) identified as primary champions for cybersecurity awareness initiatives.
“Cybersecurity needs to be driven from the top down, layer by layer. Given the potential impacts on a company’s brand and future earnings, cybersecurity is certainly not something that can be taken lightly. It’s a board-level concern, and it has to be driven from there,” adds Hadjizenonos.
Seventy percent of South African respondents reported significant improvements in their organisations’ cybersecurity posture after training. Even though the survey found that 60% of South African businesses deliver cybersecurity training monthly, above the global average of 34%, they allocate slightly fewer annual training hours (2,87 hours) than the global average (3,29 hours), suggesting room for improvement.