AI Threats Are Waking Employees Up to Cybersecurity. But Awareness Isn't the Same as Readiness.

Security awareness training has long been treated as a compliance exercise — something to tick off, not something to measure. That is changing. Fortinet’s 2025 Security Awareness and Training Global Research Report, based on responses from 1,850 senior IT and security decision-makers across 29 countries, paints a picture of an industry that has moved from box-ticking to genuine risk management. The results are encouraging. The gaps, however, remain significant.

At the heart of this year’s findings is a central tension: organisations are investing in training, measuring it, and seeing incidents decline — yet a majority of leaders still feel their workforces are not adequately prepared.

AI is the threat that changed how employees think about training

The most striking finding in the report is how thoroughly AI-driven threats have shifted employee attitudes. Eighty-eight per cent of organisations say that the growing use of AI by malicious actors has increased employee awareness of why security training matters — 47% say it has significantly increased that perception. Threat actors using AI to craft convincing phishing emails, generate deepfake audio, and automate attacks have, in an unintended way, done something that years of internal communications could not: convinced ordinary employees that cybersecurity is personally relevant.

Awareness and readiness, however, are not the same thing. Only 40% of respondents say their employees are highly trained and ready to identify, avoid, and report AI-based cyberthreats. Fifty-eight per cent describe their workforce as moderately or slightly prepared. “AI is accelerating both attacker capabilities and business adoption,” says Melonia Da Gama, Director of Training and Learning Programmes at Fortinet. “At the same time, insider risk is growing. And too many programmes still lose impact because of low completion rates or outdated content.”

Organisations are responding with policy and training in parallel. Ninety-six per cent are implementing or actively researching security policies for generative AI applications and large language models. Fifty-three per cent are training employees on the appropriate use of GenAI tools, while an equal share are using technology to monitor or block sensitive data being shared with AI platforms.

Insider risk is no longer a footnote

External threats — past breaches, industry incidents, and the general threat landscape — remain the primary driver of training adoption, cited by 41% of respondents, down from 52% in 2024. What has shifted considerably is the weight given to internal risk. Twenty-seven per cent of organisations now say they adopted security awareness and training specifically to address insider risk, up from just 4% the previous year.

The training topics organisations prioritise reflect this dual concern. Data security remains the most important area for 51% of respondents, followed by data privacy (43%) and AI-based tools and threats (41%). “Organisations are starting to connect real-world risk with what employees are taught,” Da Gama notes, “rather than treating training as generic compliance content.” The gap between what organisations say they want to cover and what they actually deliver is also closing: 50% report delivering training on data security, 43% on data privacy, and 42% on AI-based tools and threats.

The results are real — but follow-through is failing

Sixty-seven per cent of organisations report moderate or significant reductions in intrusions, incidents, and breaches since implementing security awareness training. Because the report is a survey of decision-makers, these are self-assessed outcomes rather than independently measured ones, but they are consistent evidence that the investment is paying off. Measurement practice is maturing in parallel: the most common indicators are reduced security incidents (53%), employee feedback (52%), and security audits (50%). Many organisations now combine in-person and computer-based training with simulations, assessments, and ongoing reinforcement.

Yet the same report reveals a persistent weakness in execution. Only 6% of organisations report 100% training completion. Just over half (56%) report completion rates above 70%. This matters because 69% of leaders — virtually unchanged from 67% in 2024 — say employees still lack sufficient security awareness. “Training that is not completed, not reinforced, or not kept current as the threat landscape changes cannot deliver its full value,” Da Gama says. “The need for regular micro training is becoming more important to keep up with the advancements in AI.”

The disconnect between investment and outcome is not primarily a quality problem. Eighty-five per cent of decision-makers say they are satisfied with their current training solution. The problem is reach and consistency. Ninety-four per cent of organisations hold regular training sessions, but 45% consider two to three hours per year a reasonable total — a figure that looks increasingly inadequate as the threat landscape accelerates.

Culture, not just compliance

Seventy per cent of leaders say their employees now view security as a shared responsibility across the organisation, not just an IT or security function. The same report, however, notes that 26% of employees who accept that security is a shared responsibility do not consistently act on it — a gap large enough for threats to slip through.

“Effective security awareness training is not just about passing a test,” Da Gama says. “It is about shaping daily decisions, reinforcing good behaviour, and reducing risk where work actually happens.” The report supports this framing. Eighty-eight per cent of organisations now provide training tailored to specific employee groups, with 64% focusing on those most frequently targeted and 58% on those with the lowest demonstrated security awareness.

On phishing, there is a genuine bright spot. Seventy per cent of respondents say their users have a good or very good ability to identify spoofed emails — virtually unchanged from 2024. In an environment where AI is making phishing attempts harder to detect, maintaining that level of competence is not a given.

What needs to change

The report is frank about where organisations fall short. Personnel constraints (cited by 34%), budget limitations (19%), and competing priorities push training programmes to the margins — but the cost of that deferral is visible in the data. Organisations that invest, measure, and follow through are seeing tangible reductions in incidents. Those that do not are carrying avoidable risk.

The practical prescriptions are unglamorous but well-evidenced: make completion mandatory, break training into shorter and more frequent modules, update content regularly, and ensure that leadership visibly endorses the programme. “To be effective, training has to be continuous, relevant, and treated as a core risk management control, not a side project,” Da Gama says. “The data is straightforward. Security awareness training reduces incidents. And organisations that invest in it and measure it see real results.”

The organisations that maximise its value are those that treat training as a permanent fixture of how they manage risk — not an annual exercise to be scheduled, completed, and forgotten.
