The rise of digital transformation, cloud adoption, and remote work has made employee cybersecurity awareness a critical priority. However, 70% of South African businesses lack even basic cybersecurity awareness, leaving them exposed to growing threats, according to Fortinet’s 2024 Security Awareness and Training Global Research Report.
Doros Hadjizenonos, Regional Director at Fortinet, emphasises that awareness must go beyond simply recognising the existence of cyber threats.
“Almost everyone knows, to some degree, that cyberthreats have become pervasive. However, we need to move from a position of vague awareness to making more material gains that can help businesses,” he warns.
“Cybersecurity awareness training should equip employees with practical knowledge to spot and respond effectively to threats. Knowing the threats exist alone doesn’t make employees familiar enough with the tactics cybercriminals use, which include well-worded phishing emails and sophisticated social engineering through any form of communication.
“Effective cybersecurity training teaches staff to pre-empt, recognise, and appropriately respond to these threats as and when they arise, which then reduces the likelihood of successful attacks.”

A key issue is the misconception among smaller businesses that they are not attractive targets for cyberattacks.
Hadjizenonos counters this, stating, “Cybercriminals frequently target smaller businesses precisely because they often interface with larger enterprises and serve as entry points into bigger networks of lucrative targets. Even systems perceived as low-risk, like air conditioning or catering services connected to corporate networks, have been successfully and disastrously exploited.”
The rise of AI-driven attacks is another growing concern. Fortinet’s research reveals that 46% of organisations expect employees to fall victim to more attacks due to AI-powered threats. While 58% of South African businesses admit they are not using AI-driven cybersecurity solutions to counter these threats, Hadjizenonos notes that AI is already integrated into many cybersecurity products.
“Just as attackers are using AI to exploit vulnerabilities, the good guys are using AI to bolster defences. Ultimately, humans are the most vulnerable part of any organisation’s cybersecurity system. Phishing emails used to be fairly easy to identify because they were poorly worded and contained multiple spelling errors – but nonetheless led to successful breaches for decades. Now they’re drastically more difficult to identify as AI-generated emails and deep-fake media have reached levels of realism that leave almost no one immune.”
Despite the clear risks, barriers to implementing cybersecurity training persist, with limited personnel resources (36%) and restricted budgets (34%) cited as the biggest challenges.
Hadjizenonos stresses that the cost of training pales in comparison to the potential damage of a cyber incident.
“The investment required for effective security training is minimal compared to the significant financial and reputational damage caused by cyber incidents,” he explains, referencing Fortinet’s finding that 70% of local respondents saw significant security improvements post-training.
Interactive training programs, particularly those incorporating simulations, are highly effective in boosting engagement and outcomes. Leadership also plays a crucial role, with IT leaders (72%), CEOs (68%), and Security Leaders (52%) identified as key drivers of cybersecurity awareness initiatives.
“Cybersecurity needs to be driven from the top down, layer by layer. Given the potential impacts on a company’s brand and future earnings, cybersecurity is certainly not something that can be taken lightly. It’s a board-level concern, and it has to be driven from there,” adds Hadjizenonos.
While 60% of South African businesses conduct cybersecurity training monthly, above the global average of 34%, they allocate slightly fewer annual training hours (2.87 hours) compared to the global average (3.29 hours), indicating room for improvement.
“Cybersecurity awareness shouldn’t be a once-off exercise but an ongoing initiative that’s consistently refreshed and reinforced,” concludes Hadjizenonos.