"They should have a system in place to educate people. They need to have an on-going campaign and only give certain rights and access to those who need it, and you need to review these controls every few months," said Verweij.
By designing and implementing these systems and making a habit of reviewing controls, you create an environment where security is treated as important.
"If you don't need access to information for your job, you don't need to know. And while you don't want to create an environment of distrust, it's important to be mindful of the fact that over 30% of people are willing to sell information. That's 3 in 10 employees," said Verweij.
I know firsthand that there are organizations that are not practicing these routine habits of deactivating user credentials. If an employee has been gone from a company for well over a year, why on earth is she still able to access her old email with her user credentials?