By Rob Rashotte, vice president of the Fortinet Training Institute
As we look at cybersecurity today, it’s not surprising that 87% of enterprises experienced at least one breach last year attributed to the cyber skills gap. Today’s cybersecurity professionals face a variety of challenges, from a sophisticated threat landscape to ever-changing compliance regulations to the ongoing skills shortage. Meanwhile, cyber criminals are simultaneously advancing their efforts. Business leaders worry that these emerging attack tactics, particularly those involving AI, will be more difficult to spot and block than “traditional” cyber attacks.
When it comes to cyber incidents, the stakes are increasingly high. Breaches consume time and money, and corporate leaders are increasingly held accountable when incidents occur. According to the Fortinet 2024 Cybersecurity Skills Gap Report, 51% of respondents said directors or executives in their organisations face fines, jail time and loss of position or employment after a successful attack. Cybersecurity is also under greater scrutiny at board level, with 72% of respondents indicating their board members are more focused on cybersecurity than in the prior year. With security teams navigating more internal and external pressures, it’s clear organisations need an “all-hands-on-deck” approach to risk management.
During Cybersecurity Awareness Month, celebrated every October, organisations are reminded that cybersecurity is everyone’s job – not just the security team’s – and employees play a part in safeguarding the organisation.
Everyone has a role to play in protecting the organisation
A skilled team of professionals and the right security technologies are vital aspects of protecting any enterprise, yet employees are among the best defences against malicious actors. When equipped with proper knowledge, employees can serve as a solid first line of defence against cybercrime. Considering that 81% of organisations experienced cybersecurity incidents last year, such as malware, phishing and password attacks that directly targeted users, helping employees become more cyber aware is crucial.
Cybersecurity awareness training should be part of every enterprise’s risk management strategy. The good news is that organisational leadership is increasingly prioritising cybersecurity education. According to the Fortinet 2024 Security Awareness and Training Global Report, 96% of executives believe more training and awareness would help reduce cyber attacks. Of those executives whose organisations already have a security training and awareness programme, 89% reported improvements to their security posture after implementing these initiatives.
What should cybersecurity training include?
Whether you’re developing a cybersecurity awareness training programme for the first time or reimagining an existing initiative, defining the effort’s goals is a great place to begin.
Next, decide on the training format and delivery schedule. Socialise these ideas with colleagues on other teams and ask for their feedback. This is a great way to refine your plan and identify individuals from different departments who can champion the effort throughout the organisation.
Every cybersecurity awareness training programme should be unique and include content tailored to business needs, yet there are core pieces of cybersecurity knowledge every individual should possess regardless of industry or organisation. Essential topics to cover in training include:
- Passwords: Using strong passwords is vital for protecting personal and financial information from cyber criminals. Training should cover tips on how to create passwords that are difficult to crack as well as how and why to use a password manager.
- Multi-factor authentication (MFA): MFA offers individuals another layer of protection against cybercrime. If your security team has already deployed MFA, employees should understand why it’s effective and how to use it.
- Social engineering attacks, including phishing: Phishing is the top tactic bad actors use to infiltrate corporate networks and launch attacks involving ransomware and malware. All employees should understand how to recognise social engineering attempts and the steps to take if they think they’re a target.
- Software updates: One of the easiest ways to reduce the risk of falling victim to cybercrime is to keep software and applications updated. Employees should know why it’s important to patch quickly and the organisation’s policy on software updates.
As the threat landscape intensifies, there’s no better time to create or re-evaluate your cybersecurity awareness and training programme. Involving the entire organisation in cybersecurity efforts benefits everyone.