Security awareness training is reducing cyberattacks, with 67% of organizations reporting fewer intrusions, incidents, and data breaches after putting programs in place, according to the Fortinet 2025 Security Awareness and Training Global Research Report.

The Fortinet study, based on responses from 1,850 senior IT and security leaders worldwide, shows that companies are moving beyond treating training as a compliance requirement and are using it as a core control to manage cyber risk.

“Organizations in the Philippines are increasingly recognizing that cybersecurity is not just a technology challenge but also a skill and awareness challenge,” said Bambi Escalante, country manager, Philippines, Fortinet. “As businesses continue to adopt cloud platforms, digital services, and AI-driven tools, employees often become the first point of exposure to cyber risk.”

The growing use of artificial intelligence (AI) in cyberattacks is reshaping how companies approach training. Almost 9 in 10 organizations said attackers’ use of AI has increased employee awareness of cybersecurity risks. However, only about 40% of leaders believe their workforce is fully prepared to detect and respond to AI-based threats.

To address this gap, most organizations are training employees on how to use generative AI (GenAI) tools safely, restricting sensitive data sharing, and setting formal policies for AI and large language model (LLM) use. While adoption of these policies is widespread, execution remains uneven.

External threats and past breaches remain the top reasons companies invest in security awareness programs, cited by more than 40% of respondents. At the same time, concern about insider risk is growing. More than a quarter of organizations now see internal threats as a driver for training, a sharp increase from the previous year.

Training content is also evolving. Data security and privacy remain top priorities, but AI-related risks are gaining ground. This shift reflects a more practical approach, where training aligns with real-world threats rather than generic compliance topics.

Organizations are also improving how they measure results. Common metrics now include reduced security incidents, employee feedback, and audit outcomes. Many companies combine in-person and online training with simulations, testing, and continuous reinforcement to influence behavior over time.

Despite these improvements, challenges remain. Only a small percentage of organizations report full training completion, while nearly seven in 10 leaders say employees still lack sufficient cybersecurity awareness.

This gap limits the effectiveness of many programs. Training that is incomplete, outdated, or not reinforced regularly cannot deliver consistent results. The report recommends shorter, more frequent training sessions, clearer accountability, updated content aligned with current threats, and stronger support from leadership. Microtraining is also gaining traction as companies try to keep pace with fast-changing AI risks.

Companies are increasingly treating cybersecurity awareness as a shared responsibility across the organization, rather than leaving it solely to IT teams. Many are also open to enforcing policies to manage risky behavior, especially when employees understand the reasons behind them.

“Security awareness training helps transform that frontline into a strong first line of defense,” Escalante said. “Consistent and relevant training equips employees to identify threats such as phishing, social engineering, and emerging AI-enabled attacks before they escalate. By embedding security awareness into everyday workplace culture, Philippine organizations can strengthen resilience, protect sensitive data, and support the country’s continued digital transformation.”
