Almost all the recent high-profile breaches have come down to some employee making a mistake, breaking a security policy. It's often a very simple mistake, such as sharing a password or opening an attachment.
"We can deploy sophisticated technologies, but at the end of the day it comes down to the users," Horn-Mitchem said.
In particular, phishing has often played a key role, including in the Sony breach. According to the 2014 Verizon breach report, phishing was a factor in 67 percent of all cyber-espionage breaches, and was the third most-common attack vector in all types of breaches.
Provident stepped up its phishing training campaigns immediately after the Sony breach, and plans to increase the pace even more in 2015.
To get the most impact, the bank sends fake phishing emails to a small number of employees at a time.
"If you send 1,500 people the same email, then as soon as one or two people figure it out, they spread the word," said Horn-Mitchem.
Over time, employees have been getting better at spotting the malicious emails, he said. Not only are the click rates going down, but more employees are reporting the emails to their department.
The bank already had a data classification policy in place, where a select group of people -- the owners of the information -- decided how sensitive the data was.
But many employees were handling the data, and not all of them were paying attention to how they were securing it.
"Email, to many people, is a routing activity," Horn-Mitchem said. "It's very easy to send out information of particular value to the bank, and not have any thought about whether they properly secured it."
When this happened, the emails would get bounced to the security staff for manual handling.
"We wanted to have our users understand the value of the data they're using on a daily basis and its importance," he said.
What the bank did was institute a new classification policy -- each time employees sent information out beyond the bank walls, they had to take a moment and decide whether the information was confidential, sensitive, or public.
Depending on the classification, the communications that needed it would then be automatically encrypted, using either a TLS handshake with trusted partners, or a secure mailer for unfamiliar destinations.
The new policy applied to all bank staff, from the senior management down to the individual tellers, about 1,000 users total.
"It's not that big a speed bump that it slows users down, but it is a speed bump, and makes them think," he said.
From the very beginning, accuracy was close to 100 percent, with information classified either at the appropriate level or higher.
Sign up for CIO Asia eNewsletters.