Professional Documents
Culture Documents
Global Research
Brief
Fortinet 2023 Security Awareness and Training Global Research Brief
Contents
03 Methodology
13 Conclusion
14 About Fortinet
02
Fortinet 2023 Security Awareness and Training Global Research Brief
Methodology
The findings of this report are based on an online interview and an Total respondents: 1,855
email survey of 1,855 IT and cybersecurity decision makers conducted APAC 30%
by Sapio Research in November 2022. Responses were collected from EMEA 27%
29 locations: Argentina, Australia, Brazil, Canada, Colombia, France, North America 22%
Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Malaysia,
LATAM 22%
Mexico, the Netherlands, New Zealand, People’s Republic of China, the
Philippines, Singapore, South Africa, South Korea, Spain, Sweden, Taiwan,
Thailand, United Arab Emirates, United Kingdom, and the United States.
Overall results are accurate to ± 2.3% at 95% confidence limits. Role Type
13% of respondents held Owner positions
Size of Company 34% of respondents held C-level Executive positions
100-499 employees – 25% 7% of respondents held Vice President positions
500-999 employees – 23% 12% of respondents held Head positions
1,000-2,499 employees – 23% 34% of respondents held Director positions
2,500-4,999 employees – 15%
5,000+ employees – 14%
Business Sector
Company Sectors – Top 3
Gender
21% Technology
68% of respondents were male
16% Manufacturing
32% of respondents were female
13% Financial Services
03
Fortinet 2023 Security Awareness and Training Global Research Brief
INTRODUCTION
04
Fortinet 2023 Security Awareness and Training Global Research Brief
Executive Summary
05
Fortinet 2023 Security Awareness and Training Global Research Brief stnenopmoC dnarB / senilediuG d
06
Fortinet 2023 Security Awareness and Training Global Research Brief
Nearly all organizations surveyed had experienced at With the cost of breaches exceeding $1 million for close to half of
least one cybersecurity breach in the past 12 months. responding organizations, equipping employees to recognize, avoid,
and report cyber threats seems key.
Almost a third had experienced five or more. A common
characteristic of many of the cyberattacks that occurred
Most common attacks reported by organizations
in 2022, was that they targeted users directly, such as
phishing schemes, or capitalized on weak cyber hygiene Phishing attacks including whale
to compromise passwords and credentials. phishing and spear phishing attacks, 81%
password and malware attacks
While malware was the most common type of attack used in the past Other types of
19%
12 months, phishing might be the most insidious, often housing other cyberattacks experienced*
Digging Deeper
• 8
4% of organizations surveyed • 29% had five or more, up from 19%. • 6
5% of leaders expect an average 20%
experienced at least one cybersecurity increase in cyberattacks over the next
• And 7% had more than 9, up from just 3%.
breach in the past 12 months, up from 12 months.
80% the year before.
07
Fortinet 2023 Security Awareness and Training Global Research Brief
08
Fortinet 2023 Security Awareness and Training Global Research Brief
Eighty-five percent of leaders say their organization has a Where cybersecurity awareness matters most
security awareness and training program, yet more than half
Keeping sensitive data and systems
believe their employees still lack cybersecurity knowledge. secure while working remotely 68%
This disconnect seems to suggest the training programs in place are Protecting sensitive data 64%
not as effective as they could be, that cyber hygiene practices are Knowing how to avoid threats
delivered via email, SMS and voice 59%
applied inconsistently, or that training is not reinforced sufficiently,
which analysts consider to be key to building an effective Avoiding internal and external threats 56%
cybersecurity culture.
Keeping mobile devices secured 52%
Leaders say that protecting sensitive data and systems when working Knowing how to avoid threats
from social engineers
51%
remotely is the most important aspect of cybersecurity awareness for
employees, followed closely by protecting sensitive data in general. None of the above 1%
Digging Deeper
• 56% of leaders believe their employees lack • 73% of organizations without a training • 5
9% of leaders say it’s reasonable for
knowledge when it comes to cybersecurity program are looking for one, an increase employees to spend one to three hours
awareness, up from 52% in 2021. That’s from 66% in 2021. per year in cybersecurity training.
despite 85% having a security awareness
• 93% of leaders believe greater employee • 68% of leaders say it’s most important for
and training program in place.
cybersecurity awareness would help employees to know how to keep sensitive
reduce cyberattacks. data and systems secure while working
remotely.
09
Fortinet 2023 Security Awareness and Training Global Research Brief
Regional Highlights
57%
North America
88%
59% 57%
55%
Latin America
82%
53%
EMEA
83%
55% 53%
Those concerned their employees lack cybersecurity awareness
Organizations with training programs
10
Fortinet 2023 Security Awareness and Training Global Research Brief
A resounding 93% of leaders with a direct line to a Boards of directors are asking about cybersecurity
board of directors say their boards are asking about
the organizations’ cyber defenses. 6% 2%
87% size 100 – 499 vs.
It is reasonable to take this as a sign that boards are serious about 96% size 1000 – 2499
their responsibilities to manage corporate risk and protect the brand,
and that they are aware of the increase in attacks and breaches.
Since many attacks target users, it seems likely that boards see—
or will soon see—that employee cybersecurity awareness is a
critical part of the “defense equation”. Ninety-three percent of leaders Yes
Asked only to those organizations whose boards of directors are asking about how their organizations are
*
Digging Deeper
• Board interest in cybersecurity is • Board interest in security is largely
increasing—up to 93% in this current consistent across industries, though
survey from 88% as reported in Fortinet’s somewhat higher in financial services,
2022 Cybersecurity Skills Gap Report. healthcare, and telecommunications
(94–95%) than in education, media,
and entertainment (88%).
11
Fortinet 2023 Security Awareness and Training Global Research Brief
Regional Highlights
94% 92%
92% 92%
*
Asked only to those organizations whose boards of directors are asking about how their organizations are protecting
themselves against the increase in cyberattacks.
12
Fortinet 2023 Security Awareness and Training Global Research Brief
Conclusion
majority of organizations have programs in place. Yet over half of all
leaders surveyed are still concerned that their employees lack cyber-
security awareness. A critical evaluation of security awareness and
With 84% of leaders reporting at least one cyber breach
training programs may reveal opportunities to address the human
in the last 12 months—and nearly half citing a total cost
element of cybersecurity more effectively, thereby reducing the overall
of breaches above $1 million—it is vital for organizations risk. Taking steps to ensure programs sufficiently cover a broad range
to keep strengthening their cyber defenses. Organizations of topics in a practical way, and to ensure that learning is reinforced
need to develop an all-encompassing approach to cyber- with reminders and checks, should help improve training outcomes.
security, one that includes sophisticated, automated
solutions; expert teams; and—as these survey results show— Boards of directors are focused on cybersecurity.
an effective security awareness and training program. With a solid training program, organizations can raise employees cyber-
risk awareness and empower them to defend the organization, laying
Employees are an essential line of defense. the foundation for a strong and ready cybersecurity culture. This may
Since many of the most common types of cyberattacks—phishing resonate with corporate boards of directors who, as this year’s survey
schemes, certain forms of malware, and password attacks—target results show, are increasingly concerned about cybersecurity, and will
users directly, low employee cybersecurity awareness likely weakens likely focus on the human element going forward—recognizing that it
an organization’s overall security posture significantly. Conversely, plays an essential role in protecting business interests and the reputation
effective cybersecurity awareness and training programs can improve of the corporate brand.
security posture, adding extra layers of protection to an organization. Organizations know that they need advanced cybersecurity solutions,
Leaders seem to recognize this, with 93% responding that they believe and that technology certifications build the cybersecurity capabilities of
greater employee training and awareness would help decrease the their IT teams. To date, employee awareness may not have received the
frequency of cyberattacks. full attention it deserves, yet it could prove pivotal in the fight against
cyberattacks in the years to come.
Training needs reinforcement. You can find a broader and more detailed view of organizations’
Cybersecurity awareness and training programs are widely recognized cybersecurity needs and challenges in Fortinet’s 2023 Cybersecurity
methods of reinforcing employee cyber culture. Not surprisingly, the Skills Gap Global Research Report.
13
Fortinet 2023 Security Awareness and Training Global Research Brief
About Fortinet
The Fortinet Training Institute, one of the largest and broadest training
programs in the industry, is dedicated to making cybersecurity training
and new career opportunities available to everyone. FortiGuard Labs,
Fortinet’s elite threat intelligence and research organization, develops
and utilizes leading-edge machine learning and AI technologies to
provide customers with timely and consistently top-rated rated protection
and actionable threat intelligence. Learn more at https://www.fortinet.com,
the Fortinet Blog, and FortiGuard Labs.
14
www.fortinet.com
Copyright © 2023 Fortinet, Inc. All rights reserved. Fortinet ® , FortiGate® , FortiCare® and FortiGuard ® , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered
and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal
conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by
Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the
identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet.
For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether
express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
May 2023