Challenging the Norm: Three Hours of Security Awareness Training Falls Short in the Face of Rising Cyberattacks

New data shows that even with most organizations experiencing cyberattacks, three hours of security awareness training simply isn’t enough.

There’s a bit of a misunderstanding about what “Security Awareness Training” is. According to new data in Fortinet’s 2023 Security Awareness and Training Global Research Brief, nearly 60% of organization leadership think that just three hours a year of security training is enough, with more than two-thirds of them (68%) thinking that it’s most important for employees to know how to keep sensitive data and systems secure while working remotely.

According to the report, these same organizations haven’t been doing so well in the fight against cyberattacks:

• 56% of leaders believe their employees lack knowledge when it comes to cybersecurity awareness, despite 85% having some form of security awareness training program in place
• 84% of organizations surveyed experienced at least one cybersecurity breach in the past 12 months, with 29% experiencing five or more in the same timeframe
• 81% of the attacks experienced were phishing, password, and malware attacks

Organizations know they’re being bombarded with phishing attacks, they believe their users aren’t security aware, and somehow three hours a year is enough training?

The threat landscape is continually changing, and if you want your users to act as part of the cybersecurity solution for your organization, a few hours of security awareness training a year isn’t going to get the job done. Instead, invest in a security awareness training solution that includes both training campaigns and simulated phishing attacks to test your users, assess their knowledge, and improve your organization’s human firewall.

Information used in this article was provided by our partners at KnowBe4.