A sweeping new global report reveals how AI-fueled cyber threats are forcing a reckoning inside corporate boardrooms.
If you thought your company’s firewall was its strongest defense, think again. Fortinet’s 2025 Security Awareness and Training Global Research Report, drawn from interviews with 1,850 senior IT security decision-makers across 29 countries, delivers a sobering message: human behavior — not software — remains the most exploitable vulnerability in any organization. And artificial intelligence is making the problem dramatically worse.
AI Is the New Threat Multiplier
The rise of AI-powered attacks has rattled organizations worldwide. According to the report, a striking 88% of organizations say that the growing use of AI by bad actors has influenced how employees perceive the importance of security training — and not in a subtle way. Nearly half (47%) say it has significantly raised employee awareness of why cybersecurity training matters. Yet despite that recognition, just 40% of leaders say their employees are actually well-equipped to detect, avoid, and report AI-driven threats. The gap between awareness and readiness is a flashing red warning sign.
The Training Gap Nobody Wants to Admit
Here is the number that should keep every CISO up at night: 93% of employees are not completing their security training. While 94% of organizations run regular training sessions, completion rates tell a different story — only 6% report 100% completion. Just over half (56%) report rates above 70%. The report is unambiguous: those missing trainees represent real, unpatched vulnerabilities walking around your office.
Compounding this is a persistent leadership concern: 69% of executives say employees still lack adequate cybersecurity awareness — a figure nearly unchanged from 67% the year before. Training programs are running, but they are not reaching far enough.
Real Results — But the Job Isn’t Done
The news is not all grim. The report confirms that training genuinely works when followed through. A solid 67% of organizations reported moderate or significant reductions in security breaches, intrusions, and incidents after implementing structured training programs. The top yardsticks for measuring success include reduced security incidents (53%), employee feedback (52%), and security audits (50%). Additionally, 88% of organizations now tailor training to specific employee groups, recognizing that not all workers face the same risks.
External Threats Drive Action, But Insiders Are Gaining Attention
The primary trigger for adopting security training remains external: 41% of organizations cite the threat of external attacks as their core motivation — though this is down from 52% in 2024, suggesting internal risk is climbing the agenda. Indeed, 27% of respondents now cite insider risk as a driver for training adoption, a dramatic jump from just 4% the previous year. Data security (51%), data privacy (43%), and AI-based threats (41%) rank as the most critical topics organizations want their employees trained on.
What Organizations Must Do Now
The Fortinet report is not merely a diagnosis — it prescribes a course of action. Experts recommend breaking training into shorter, more frequent sprints of 5–15 minutes rather than lengthy annual sessions. Organizations should make completion mandatory, backed by incentives and automated reminders. AI-specific training must be treated as non-negotiable, given the speed of adoption. And critically, culture matters: 70% of leaders say employees do view security as a shared responsibility, but 26% admit those same employees don’t always act accordingly. Bridging that intention-action gap is perhaps the most urgent challenge of all.
The bottom line: technology alone will never be enough. As the report makes clear, the most sophisticated security stack in the world is only as strong as the most distracted employee who hasn’t finished their training module.
