As International Literacy Day (8 September) approaches, much of the conversation will rightly focus on the power of reading and writing. But in today’s hyper-connected world, there’s another critical, yet often overlooked form of literacy that deserves attention: digital literacy.

Just as traditional literacy is the foundation for all learning, digital literacy is the foundation for an effective cybersecurity defense.

When employees and individuals aren’t equipped with even just basic digital literacy, it becomes much harder to recognize a threat actor at work, even with cybersecurity awareness training. Think of it as teaching someone to read without teaching them the alphabet first. 

Martin Potgieter, Regional CTO at Integrity360, argues that digital illiteracy is a silent but serious threat to cyber resilience across industries. He points out that although many organizations invest in security awareness training, these programs frequently presume a basic level of digital knowledge that many employees simply don’t have.

“Training alone is like teaching someone to read without showing them the alphabet,” says Potgieter. “You can’t recognize a phishing attempt if you don’t understand what a VPN does, what an OTP is, or why a browser warning matters.”

Digital literacy can help one understand how threat actors work at a fundamental level, so you can recognize and respond to potential incidents, not just the ones you’ve been trained to spot. When users understand the environments they operate in and the technology they use, even in simple terms, they’re better equipped to defend themselves. It’s less about deep technical expertise and more about grasping core concepts to adapt to evolving threats—and recognizing a lack of core understanding can be harder than one expects.

Digital literacy versus being ‘tech-savvy’

It’s important to distinguish between being ‘tech-savvy’ and possessing true digital literacy. While tech-savvy individuals might be comfortable using new applications, digital literacy delves deeper, focusing on understanding the underlying mechanisms of online interactions and potential risks.

According to the GTIA, 76% of breaches are considered preventable and involve human error, indicating that the first step any organization should take to improve its defensive posture is to initiate comprehensive training and regular discussions.

One of the biggest risks comes from users ignoring security messages because they’ve been conditioned to click past them. Sometimes platforms generate unnecessary warnings, leading IT teams to advise employees to disregard them—a habit that can carry over into situations where alerts really do matter.

Another common gap is not fully understanding core security tools. Take one-time passwords (OTPs). If someone doesn’t know what they are or why they must be kept secret, it’s much easier for a scammer to trick them into giving one away.

The danger is compounded by a false sense of safety that can be fueled by a lack of understanding that makes basic security measures seem like a box-ticking exercise instead of an individual responsibility that is justified. ” As I’ve seen time and again, small organizations often assume, for instance, that having an antivirus or firewall is enough, or that they’re too small to be targeted. But attackers increasingly work in bulk, going after many smaller targets for smaller payoffs. It’s not always about landing a big crypto ransomware payment. Some hackers are content with a few hundred rand in gift cards. But if the attack works, they’ll try it again. And if a victim’s learning from the incident is based solely on the characteristics of the specific incident, the ability to identify different versions isn’t necessarily improved and could indicate a problem with their basic digital literacy.”

Why ‘training-first’ falls short

Security awareness training is essential, but it often assumes a baseline of digital literacy that doesn’t exist for every employee. That’s why organizations should first ensure employees understand the fundamentals, like the safe use of VPNs, recognizing legitimate URLs, and managing passwords securely. Without this, training becomes a band-aid solution, addressing symptoms on a case-by-case basis, but not the root cause of vulnerability.

You need to make sure that your employees are included in your cybersecurity solutions and can have a chance to put their knowledge into practice through phishing simulations they understand are useful, not patronizing. 

Encourage employees to ask questions about suspicious emails or alerts without fear of embarrassment, and have clear incident reporting mechanisms. When people hide what they don’t know or aren’t even just equipped to realize what they don’t know, vulnerabilities go unnoticed. By normalizing open conversations about security, you make it easier to spot and stop threats early. At Integrity360, we have a WhatsApp group where people post real examples of scam attempts, giving them an opportunity to learn from one another—it’s almost an element of fun or amazement that builds engagement.

The hidden costs of digital illiteracy

Digital literacy isn’t just about risk reduction: it can also boost efficiency. Whether it’s knowing how to use AI tools effectively or simply creating a better formula in Excel, these skills save time and reduce frustration. Consider the hours lost when employees struggle to fully utilize spreadsheet functions or when they can’t discern valuable AI applications from time-wasting novelties. These are benefits no organization should overlook, making investment in digital literacy a “no-brainer” for improving overall business operations and adaptability.

Strengthening the “human firewall” starts with the fundamentals. When organizations invest in digital literacy, they’re not just protecting themselves from cyber threats; they’re building a more capable, confident, and resilient workforce.