Everything from digital transformation, increased cloud adoption, and the rise of remote working has elevated the need for employee cybersecurity awareness to a critical priority.
Yet, despite this clear need, 70% of South African organisations have been found to lack even basic cybersecurity awareness, leaving them more vulnerable to cyber threats.
This finding comes from Fortinet’s 2024 Security Awareness and Training Global Research Report.
Doros Hadjizenonos, Regional Director at cybersecurity leader Fortinet, said that cybersecurity awareness should go beyond simply acknowledging that significant cyber threats exist.
“Almost everyone knows, to some degree, that cyberthreats have become pervasive. However, we need to move from a position of vague awareness to making more material gains that can help businesses,” Hadjizenonos said.
“Cybersecurity awareness training should equip employees with practical knowledge to spot and respond effectively to threats. Knowing the threats exist alone doesn’t make employees familiar enough with the tactic’s cybercriminals use, which include well-worded phishing emails and sophisticated social engineering through any form of communication,” Hadjizenonos said.
One significant contributing factor to this knowledge gap is the common misconception among businesses, especially smaller enterprises, that they aren’t attractive targets for cyberattacks.
“Cybercriminals frequently target smaller businesses precisely because they often interface with larger enterprises and serve as entry points into bigger networks of lucrative targets. Even systems perceived as low-risk, like air conditioning or catering services connected to corporate networks, have been successfully and disastrously exploited.”
A particular growing concern for businesses is the rise of AI-driven attacks.
Fortinet’s research highlighted that 46% of organisations now expect their employees to fall for more attacks in the future because bad actors are using AI.
Although 58% of South African businesses say they are currently not using AI-driven cybersecurity solutions to counter AI-based threats (even as global data indicates over 60% of organisations foresee increased susceptibility to AI-driven attacks) Hadjizenonos notes that AI technology is built into most cybersecurity products and solutions.
“Just as attackers are using AI to exploit vulnerabilities, the good guys are using AI to bolster defences. Ultimately, humans are the most vulnerable part of any organisations’ cybersecurity system. Phishing emails used to be fairly easy to identify because they were poorly worded and contained multiple spelling errors - but nonetheless led to successful breaches for decades. Now they’re drastically more difficult to identify as AI-generated emails and deep-fake media have reached levels of realism that leave almost no one immune.”
“The investment required for effective security training is minimal compared to the significant financial and reputational damage caused by cyber incidents,” Hadjizenonos further said.
Interactive training programs, especially those incorporating simulations, significantly enhance the engagement and efficacy of cybersecurity awareness and training efforts.
Perhaps most crucial of all is leadership’s role in fostering a cybersecurity-conscious culture, with IT leaders (72%), CEOs (68%), and Security Leaders (52%) identified as primary champions for cybersecurity awareness initiatives.
“Cybersecurity needs to be driven from the top down, layer by layer. Given the potential impacts on a company’s brand and future earnings, cybersecurity is certainly not something that can be taken lightly. It’s a board-level concern, and it has to be driven from there,” Hadjizenonos said.
70% of South African respondents reported significant improvements in their cybersecurity-posture within their organisations, post-training. Even though the survey found that 60% of South African businesses deliver cybersecurity training monthly, above the global average of 34%, they allocate slightly fewer annual training hours (2.87 hours) than the global average (3.29 hours), suggesting room for improvement.
Fortinet offers South African businesses accessible resources, including a freely available introductory cybersecurity course.
This online training equips employees and individuals with fundamental knowledge to effectively spot and respond to cyber threats.
“Cybersecurity awareness shouldn’t be a once-off exercise but an ongoing initiative that’s consistently refreshed and reinforced,” Hadjizenonos added.
BUSINESS REPORT