Every firewall begins with awareness; without it, even technology forgets to defend itself.
Mexico City, October 2025.
In a year marked by record-breaking data breaches and coordinated ransomware attacks, the greatest vulnerability for most companies is not technological but human. A new set of global assessments confirms that 42 percent of organisations still fail to provide digital or cybersecurity training to their staff, leaving critical infrastructures exposed at a time when automation has outpaced awareness.
The European Commission’s Digital Competence Survey found that nearly three-quarters of European firms had not conducted a single cybersecurity session in the past twelve months. In Asia, a parallel review by Japan’s National Institute of Information and Communications Technology (NICT) revealed similar neglect across manufacturing sectors, particularly among small enterprises integrating AI systems without new security protocols. And in Latin America, regional analysts estimate that only one in three companies maintains formal cyber-preparedness programs.
Across these regions, the pattern is identical: businesses are modernising faster than they are educating. “Technology budgets grow every quarter, but training budgets remain invisible,” observed a consultant at the Organisation for Economic Co-operation and Development (OECD). The remark captures an uncomfortable truth—corporations are investing in software rather than competence.
The World Economic Forum has repeatedly warned that the human factor accounts for over 70 percent of digital incidents worldwide. Yet surveys from the Inter-American Development Bank (IDB) show that cybersecurity remains siloed within IT departments, rarely integrated into company-wide performance indicators. When workers lack even basic phishing-recognition skills, the best encryption in the world cannot prevent a breach.
Experts in both hemispheres point to structural causes. In Europe, cybersecurity culture depends heavily on regulatory enforcement; in Asia, on hierarchical management; and in Latin America, on resource scarcity. But the outcome converges: an under-trained workforce operating complex systems with limited supervision.
From Tokyo to São Paulo, the shift to hybrid work has fragmented responsibility for protection. Employees now handle corporate data from personal devices and unsecured networks. “The boundary between office and home no longer exists,” noted a researcher from the Massachusetts Institute of Technology Cybersecurity Initiative. “Without training, every home connection becomes a corporate risk.”
In Mexico, the situation illustrates the paradox vividly. According to national cybersecurity observatories, mid-sized enterprises represent over 80 percent of confirmed intrusions yet allocate less than 3 percent of their annual budget to prevention. Local experts attribute the gap to both economic constraints and cultural inertia. “Executives still view cybersecurity as an IT expense, not as business continuity,” explained a consultant who advises the Mexican Banking Association.
Globally, the financial impact is escalating. The International Monetary Fund (IMF) estimates that cyber-crime drains the equivalent of 1 percent of global GDP annually. Training, meanwhile, remains the cheapest mitigation tool. A study by the London School of Economics found that organisations investing at least twenty hours of employee cyber-awareness per year reduced incident response costs by nearly half.
Yet, many executives remain sceptical. Corporate boards often delegate the issue downward, assuming that compliance software or automated filters can compensate for human error. This belief persists despite evidence that ransomware campaigns increasingly exploit psychological manipulation rather than technical flaws. “Phishing emails are no longer obvious; they mimic internal voices,” said a European Union Agency for Cybersecurity (ENISA) specialist.
The regulatory environment is tightening. The United States Cybersecurity and Infrastructure Security Agency (CISA) is developing new guidelines that would require critical-infrastructure firms to certify employee-training cycles. In the European Union, upcoming legislation will tie digital-literacy metrics to ESG disclosures. And in Latin America, Brazil’s Central Bank has already mandated annual simulation exercises for institutions managing sensitive data.
Still, enforcement alone cannot build culture. True resilience demands behavioural change, not bureaucratic compliance. Many experts advocate modular, story-based training that engages employees psychologically rather than mechanically. Micro-learning segments, phishing simulations and real-time feedback loops have proven effective in several Asian financial institutions, where short sessions produce longer retention than annual seminars.
Some companies are experimenting with gamified awareness programs inspired by Japan’s Kaizen methodology, translating continuous improvement into digital discipline. Others are integrating training analytics into performance reviews, effectively rewarding vigilance.
Yet, even among innovators, fatigue is palpable. Workers already overloaded by digital platforms view new training modules as more noise. Bridging that fatigue requires leadership example. “If executives skip the course, everyone else will,” said a Latin American cyber-resilience coach.
The challenge, then, is psychological as much as technical. Information overload erodes attention—the very resource cybersecurity depends on. Without renewed commitment to human factors, organisations risk defending their networks while losing their people.
In the coming months, the OECD, ENISA and CISA are expected to coordinate a cross-regional framework for workplace cybersecurity education. Its objective: harmonise standards across the Americas, Europe and Asia, enabling small and medium-sized enterprises to adopt scalable programs rather than improvised reactions.
For now, the numbers remain a warning. Forty-two percent of companies untrained means almost half of the world’s digital workforce operating blind. In a landscape where every click can trigger a breach, ignorance is not merely weakness—it is architecture.
Truth is structure, not noise. / La verdad es estructura, no ruido.