"Humans are always the weakest link in the chain," Manky said.
Education can help stop employees from falling victim to phishing attacks or pretexting schemes or careless use of login credentials, which accounted for 3 of the top 10 threat actions performed against large companies, according to Verizon's 2012 data breach investigations report.
But the stereotypical wall posters with security tips hanging in the break room are useless, said Julie Peeler, foundation director at the International Information Systems Security Certification Consortium — also known as (ISC)² — a global, non-profit organization that educates and certifies information security professionals.
"Security training is not a one-time event. It has to be integrated throughout the entire organization, and it has to come from the top," she said.
When it comes to security, managers need to ensure that employees understand the security posture of the company from day one, Peeler says. They must be willing to sign confidentiality agreements, attend training and participate in ongoing awareness, all with the goal of remaining vigilant.
Sign up for Computerworld eNewsletters.