Over the past two years, we’ve seen a number of developments across the threat landscape, coupled with the growth of the hybrid workforce, that have created tremendous urgency for organizations to up their game when it comes to security awareness training. At Fortinet, we believe that all organizations should deploy awareness programs for all employees and users as part of their security strategy in order to truly protect their most important digital assets. These programs must be designed programmatically to prove effective in changing employee behavior, so that employees become more cyber aware and able to spot malicious threats and other risks to their organizations.
Today, Fortinet introduces a new Security Awareness and Training service to provide organizations further protection against threats through employee training and education.
Risks Resulting From the Evolving Threat Landscape and Hybrid Workforce
The intensifying threat landscape complicated by the shift to hybrid workforces has made it even more challenging for organizations to protect their digital assets. There’s been a tremendous increase in the intensity of the threat landscape over the last 24 months. IT and security teams saw huge increases in phishing, impersonation, and ransomware attacks, with ransomware rising to be the chief concern for these professionals. For instance, according to the Verizon Data Breach Investigations Report for 2021, phishing’s involvement in successful breaches jumped to 36% versus 25% in the prior reviewed period. Impersonation rose by 15x. And ransomware’s involvement in successful breaches doubled to 10%. Separately, Fortinet’s threat research group, FortiGuard Labs, saw a 10.7x increase in ransomware attacks hitting devices over the June 2020 to June 2021 period.
At the same time, the traditional workday has fundamentally changed with the significant increase in remote and hybrid work as a result of the pandemic. For instance, in Upwork’s “Future Workforce Report 2021: How Remote Work is Changing Businesses Forever,” the authors conclude: “Our study predicts that fully remote workers will represent 27.7% of the workforce, compared to 20.4% who will be partially remote. Both numbers have increased from when we last ran this survey in November 2020.” These two factors have led cyber attackers to focus social engineering, phishing, and similar tactics on employees, who can often be an organization’s weakest link.
Introducing the Fortinet Security Awareness and Training Service
Employees represent high-value targets for threat actors. As a result, organizations can’t overlook the risk introduced by an untrained workforce, where a simple error or moment of poor judgment opens the door to a threat actor.
Created by the Fortinet Training Institute, the new Security Awareness and Training service helps IT, security, and compliance leaders build a cyber-aware culture where employees recognize and avoid falling victim to cyberattacks. For compliance-sensitive organizations, the service also helps leaders satisfy regulatory and industry compliance-training requirements. Benefits of the new service include:
- Curriculum from the award-winning Fortinet Training Institute: The service is designed by the Fortinet Training Institute, which provides cybersecurity certification and training through its various programs.
- Alignment to NIST 800-50 and NIST 800-16 guidelines: The service is aligned to the National Institute of Standards and Technology (NIST) guidelines NIST 800-50 and NIST 800-16, providing training and awareness that is engaging and relevant on topics such as: information security, data privacy, physical security, password protection, and internet security.
- Intelligence-driven training: Leveraging FortiGuard Labs threat intelligence, the Security Awareness and Training service provides training informed by developments observed across the threat landscape.
Confidence in Trained Employees
In Fortinet’s 2022 Email Security Report, we asked IT and security professionals how confident they were in their employees’ ability to spot a malicious email. Surprisingly, 88% indicated they were “Moderately” to “Extremely” confident in their employees. Meanwhile, 66% indicated that their confidence had grown in the last 12 months.
Why is confidence so high? We then asked which security awareness and related capabilities organizations were using. You can see the results below.
As you can imagine, respondents may be using one, two, or all of these capabilities to train employees.
From these results, we can extrapolate that IT and security professionals are seeing a clear, positive impact on their organizations in terms of a reduced risk of a major breach and, just as likely, a reduced burden on IT from HelpDesk inquiries, such as the remediation of compromised systems and other lower-impact employee-created problems.
Not All Security Awareness Training Is Equal
It’s important to give credit to the various compliance frameworks that require many organizations to conduct security awareness training as part of their control requirements. Some of these frameworks will likely become more detailed in their requirements or recommendations for how organizations should conduct security awareness training. In fact, PCI DSS version 4.0, published in March 2022, does a considerable job in requirement 12.6.3 of outlining best practices for security awareness training for organizations subject to PCI DSS, expanding significantly on this topic versus version 3.2.1.
However, not all security awareness training works to change behavior and turn your workforce into part of your overall security posture. We see many organizations take a minimalist approach to security awareness training. Usually, this is the result of a reactive approach to security, one that merely satisfies a requirement imposed on the organization by a partner or by a regulatory or industry compliance framework.
To change behavior, IT and security teams need to apply a programmatic approach. This approach involves using numerous touch points, formats, and tools over a span of time to educate, test, and reinforce, as well as to adapt learning to achieve the desired outcome. This is where Fortinet’s new Security Awareness and Training service can help organizations implement a training program that makes all employees cyber aware.
At Fortinet, our own guidance is that all organizations should have a security awareness training program in place that achieves the aim of changing employee behavior and helps IT and security teams enhance their organizations’ overall security postures. This is best done through a programmatic approach that is ongoing and incorporates a number of elements to educate, test, reinforce, and adapt learning to address changes in the overall threat landscape as well as the needs of the organization’s risk profile. Learn more about Fortinet’s new Security Awareness and Training service to help achieve exactly that.
Learn more about the Fortinet free cybersecurity training initiative and Fortinet’s Training Institute, including the NSE Certification program, Academic Partner program, and Education Outreach program, which includes a focus on Veterans.