Threat actors will always find nefarious uses for new technologies, and AI is no exception. Attackers are primarily using AI to enhance the volume and velocity of their attacks. They’re also using the technology to make phishing communications more believable with perfect grammar and context-aware personalization.
As cybercriminals harness new technologies to advance their operations, it’s no longer a matter of “if” an organization will suffer a breach but “when.” It’s no surprise that nearly 90% of organizations experienced one or more cyber incidents last year. When breaches do occur, the stakes are higher than ever: 63% of executives indicate it took more than a month to recover from an attack, and 53% say breaches cost them more than $1 million in lost revenue, fines, and other expenses.
While a cyber incident can rarely be attributed to a single cause, security and IT leaders agree that several factors increase the likelihood of an enterprise experiencing a breach, including a lack of general security awareness among employees (56%).
Organizations predictably emphasize the security and IT teams’ roles in safeguarding the enterprise’s assets, but an equally important yet often overlooked component of risk management is employee cyber awareness. Malware, phishing, and web attacks combined account for 80% of all attacks throughout the year—these attack types all target individual users directly. Employees can serve as a solid first line of defense against attacks but only when equipped with the proper knowledge, making cybersecurity training and awareness initiatives table stakes.
Executives worry employees will fall victim to AI-influenced attacks
According to a recent Fortinet survey, more than 80% of organizations have existing security awareness training programs. Yet as technology like AI becomes increasingly prevalent and attackers use it to enhance their techniques, executives need to ensure that their organization’s cyber awareness programs are covering current topics. This is especially important as cybercriminals harness new technologies and novel threats emerge.
Many executives are concerned about the influence of AI on cybercrime, with more than 60% of leaders expecting their employees to fall victim to attacks in which threat actors use AI. This awareness is, for the most part, resulting in action. Nearly all (96%) of those surveyed said their security teams are researching, implementing, or already have incident response plans that focus on mitigating AI-related threats. To help employees become more cyber aware, leaders indicated that phishing prevention is already part of their training programs and plans. Leaders prioritized data security (48%) and privacy (41%) in these initiatives as well.
Cyber training and awareness programs are vital to managing risk
Regular training and awareness are imperative to building a cyber-aware culture. There is no one-size-fits-all approach to cybersecurity awareness and education, and each enterprise must create a program that meets its unique needs. Some organizations have the in-house resources necessary to create and maintain their own cyber education programs, while others opt for vendor-created, SaaS-based training programs.
Research shows that 96% of executives believe more organization-wide training and awareness will help reduce cyberattacks, and an overwhelming majority (89%) say their organization saw at least some improvement in its security posture after security awareness and training were implemented. This awareness undoubtedly benefits enterprises but is also valuable for employees in their personal lives.
Considerations for a successful cyber awareness and training program
Whether executives are developing a new cyber education effort or refreshing an existing program, there are key attributes to consider that will increase the endeavor’s chances of being successful.
- Define the program objectives. Leaders often assume that introducing a security awareness initiative will automatically alter user behavior, but that is rarely the case. Creating and communicating a vision for the program is essential to gaining buy-in across the enterprise. Employees will be more responsive to and enthusiastic about the effort if they understand its objectives and how the training will benefit them.
- Identify champions throughout the organization. While the organization’s CISO might lead the effort, identify other leaders throughout the enterprise to serve as program champions. Find ongoing opportunities, such as all-hands meetings, for these individuals to share from their own perspective why the initiative is valuable.
- Continually review and refresh the content. As new technologies and fresh threats emerge, it’s vital to periodically review the program content to ensure the appropriate topics are covered. While every program should address key areas of concern—like phishing, social engineering, data privacy, and more—every enterprise will require unique educational material based on industry- and organization-specific needs.
Creating a culture of cybersecurity
Cybercriminals are only scratching the surface when it comes to using technologies like AI to their advantage. Security awareness and training programs offer a vital way to stay ahead of these adversaries.
As the threat landscape evolves, security and IT teams will increasingly need to collaborate across the entire organization to effectively protect the enterprise. Creating a culture of cybersecurity with a foundation of cyber awareness is one of the best—and most effective—defenses against clever attackers and emerging technologies.