Every year on 8 September, International Literacy Day reminds us of the transformative power of reading and writing.

But there’s another form of literacy that is just as vital: digital literacy, writes Martin Potgieter, regional chief technology officer at Integrity360.

Just as traditional literacy is the foundation for all learning, digital literacy is the foundation for an effective cybersecurity defence.

When employees and individuals aren’t equipped with even basic digital literacy, it becomes much harder to recognise a threat actor at work, even with cybersecurity awareness training. Think of it as teaching someone to read without teaching them the alphabet first.

Digital literacy can help you understand how threat actors work at a fundamental level, so you can recognise and respond to potential incidents, not just the ones you’ve been trained to spot.

When users understand the environments they operate in and the technology they use, even in simple terms, they’re better equipped to defend themselves. It’s less about deep technical expertise and more about grasping core concepts to adapt to evolving threats – and recognising a gap in that core understanding can be harder than one expects.

 

Digital literacy versus being ‘tech-savvy’

It’s important to distinguish between being ‘tech-savvy’ and possessing true digital literacy. While tech-savvy individuals might be comfortable using new applications, digital literacy delves deeper, focusing on understanding the underlying mechanisms of online interactions and potential risks.

We often tell our clients that good cybersecurity doesn’t just involve equipping your organisation with the latest technology. According to the GTIA, 76% of breaches are considered preventable and involve human error, which tells us that the first step any organisation should take to improve its defensive posture is to start with comprehensive training and regular discussions.

One of the biggest risks comes from users ignoring security messages because they’ve been conditioned to click past them. Sometimes platforms generate unnecessary warnings, leading IT teams to advise employees to disregard them – a habit that can carry over into situations where alerts really do matter.

Another common gap is not fully understanding core security tools. Take one-time passwords (OTPs). If someone doesn’t know what they are or why they must be kept secret, it’s much easier for a scammer to trick them into giving one away.

The danger is compounded by a false sense of safety. A lack of understanding can make basic security measures seem like a box-ticking exercise rather than a justified individual responsibility. As I’ve seen time and again, small organisations often assume, for instance, that having an antivirus or firewall is enough, or that they’re too small to be targeted.

But attackers increasingly work in bulk, going after many smaller targets for smaller pay-offs. It’s not always about landing a big crypto ransomware payment. Some hackers are content with a few hundred rands in gift cards.

But if the attack works, they’ll try it again. And if what a victim learns is based solely on the characteristics of that specific incident, their ability to identify different versions isn’t necessarily improved – which could indicate a problem with their basic digital literacy.

 

Why ‘training-first’ falls short

Security awareness training is essential, but it often assumes a baseline of digital literacy that doesn’t exist for every employee. That’s why I believe organisations should first ensure employees understand the fundamentals, like the safe use of VPNs, recognising legitimate URLs, or managing passwords securely. Without this, training becomes a band-aid solution, addressing symptoms on a case-by-case basis, but not the root cause of vulnerability.

You need to make sure that your employees are included in your cybersecurity solutions and can have a chance to put their knowledge into practice through phishing simulations they understand are useful, not patronising.

Encourage employees to ask questions about suspicious emails or alerts without fear of embarrassment, and have clear incident reporting mechanisms. When people hide what they don’t know, or aren’t even equipped to realise what they don’t know, vulnerabilities go unnoticed.

By normalising open conversations about security, you make it easier to spot and stop threats early. At Integrity360, we have a WhatsApp group where people post real examples of scam attempts, giving them an opportunity to learn from one another – it’s almost an element of fun or amazement that builds engagement.

 

The hidden costs of digital illiteracy

Digital literacy isn’t just about risk reduction: it can also boost efficiency. Whether it’s knowing how to use AI tools effectively or simply creating a better formula in Excel, these skills save time and reduce frustration.

Consider the hours lost when employees struggle to fully utilise spreadsheet functions, or when they can’t discern valuable AI applications from time-wasting novelties. These are benefits no organisation should overlook, making investment in digital literacy a “no-brainer” for improving overall business operations and adaptability.

Strengthening the “human firewall” starts with the fundamentals. When organisations invest in digital literacy, they’re not just protecting themselves from cyber threats, they’re building a more capable, confident, and resilient workforce.