Cybersecurity Training of Employees Cuts Breaches and Intrusions by 67%, Fortinet Report Shows
Study of 1,850 IT and security leaders across 29 countries highlights growing role of employee training in cyber risk reduction
Bengaluru: Security awareness and training programmes are increasingly becoming a measurable cybersecurity control, with organizations reporting a 67% reduction in cyber intrusions, incidents, and breaches after implementing structured training initiatives, according to the 2025 Security Awareness and Training Global Research Report released by Fortinet.
The study, based on responses from 1,850 senior IT and security decision-makers across 29 countries including India, shows that while enterprises are strengthening cyber resilience, major gaps remain in employee preparedness, training completion rates, and consistent security practices across organizations.
AI threats driving awareness but readiness remains low
The rise of AI-powered cyberattacks is changing how organizations view cybersecurity training. Nearly nine out of ten organizations say attackers’ use of artificial intelligence has increased employee awareness about the importance of security training.
However, the report highlights a significant preparedness gap. Only about 40% of leaders believe their employees are fully ready to identify, avoid, and report AI-based cyber threats.
To address this risk, most organizations are introducing training programs on the responsible use of generative AI tools, monitoring sensitive data sharing, and implementing formal security policies governing AI and large language model tools. According to the report, nearly all respondents say they have either implemented or are actively developing AI security policies.
Insider risk emerging as a major concern
External threats and previous cyber incidents continue to be the primary drivers for adopting security awareness programs, cited by more than 40% of respondents.
However, concern about insider risk is rising rapidly, with over a quarter of organizations now identifying internal threats as a key reason for strengthening training programmes, a notable increase compared with previous years.
Training priorities are evolving accordingly. While data security and data privacy remain the top training topics, organizations are increasingly adding modules focused on AI-related risks and emerging digital threats.
Training effectiveness now measurable
One of the strongest findings in the report is that security awareness training is delivering measurable outcomes.
About 67% of organizations report moderate to significant reductions in security incidents after implementing structured training programmes. Organizations are also adopting more sophisticated measurement methods, including tracking reductions in incidents, employee feedback, and outcomes from security audits.
Training approaches are also evolving from one-time compliance sessions to continuous programs combining in-person training, computer-based modules, phishing simulations, and periodic assessments designed to reinforce behavioral change.
Completion rates remain a weak link
Despite progress, the report highlights persistent challenges in training completion and consistency.
Only a small proportion of organizations report full participation in security awareness programmes, while nearly seven in ten leaders believe employees still lack adequate security awareness.
Experts say improving completion rates will require shorter and more frequent training modules, stronger leadership support, and better alignment between training content and real-world cyber threats. Micro-training formats are also gaining importance as organizations attempt to keep pace with rapidly evolving AI-enabled threats.
Cyber awareness becoming an organizational culture issue
The report indicates a broader shift in how organizations view cybersecurity. Security awareness is increasingly seen as a shared organizational responsibility rather than a purely technical or IT function.
Most leaders surveyed said they are open to using policies to regulate risky employee behaviour, particularly when these policies are supported by training that explains the rationale behind them.
Human factor remains central to cybersecurity
Vishak Raman, Vice President of Sales for India, SAARC, SEA and ANZ at Fortinet, said the rapid expansion of digital technologies in India makes employee awareness a critical line of defence.
“India’s rapid digitisation is transforming industries, government services, and everyday life. However, as organisations adopt cloud, AI, and digital platforms at scale, the human element remains one of the most critical factors in cybersecurity,” Raman said.
“Security awareness and training represent the first line of defence against many cyber threats, particularly those that rely on social engineering and human error. Building a cyber-aware workforce through continuous training will be essential to safeguarding India’s digital future.”
Outlook for 2026
The findings suggest that while security awareness training is proving effective in reducing cyber risk, its success increasingly depends on continuous engagement, updated training content, and organization-wide participation.
With AI accelerating both cyber threats and digital adoption, experts say organizations will need to treat security awareness training as a core risk management function rather than a compliance exercise in the coming years.