Whether the intent of the hacker is for financial, political, or some other gain, "malware can be encrypted in a way that without backup can result in lost documents, lost resources, time, and money which can affect companies in similar magnitudes [as a financial breach]."
During April's RSA Conference in San Francisco, Thom Langford explained that 'plugging in' and 'clicking on' still happen despite posters and warnings and an annual CBT program because human beings are entrenched in their behaviors.
"They know it's bad to plug a random USB stick into their laptops, but they will still do it. It's a habit," Langford said. Marketing a corporation's values and story will create a positive experience and engage end users, Langford said.
So how do corporations develop awareness programs that fit into both their organizations and their budgets? There is no panacea because everyone in the equation, from the executives to housekeeping, has different values.
Breach attacks are not a matter of behavior and habit so much as a question of what people value. Increasingly, end users value convenience over security.
"That's the trade-off some employees are willing to make, they value convenience over security, so they are choosing between security awareness vs. open source," said Carhart.
A robber values your wallet, a point made only to prove that not everyone has good values--remember Iago, who valued deception over loyalty.
Organizations have to know what they are securing, and "the barrier of an awareness program comes from people knowing what's going on. Employees are the first line of defense," said Carhart.
Regardless of their size, organizations employ everyone from Millennials to Baby Boomers and the generations in between. That's a vast spectrum of people to educate, so "they have to evaluate the environment. Who are you securing?" Carhart said.
Once they know, they can be more innovative in building the layers of defense.
"The major rule of awareness programs is being creative and innovative," Carhart said, "and the strongest security requires defense in depth, which includes humans, devices, and policies--the technical plus human control."
As with all things in life, there is little chance of perfection, so it's important that security teams manage their expectations.
"The expectation of 100% chance of success doesn't exist anywhere else," said White, who also talked about the need for defense in depth. Yes, strong hardware security is a part of protecting against breaches, but White added, "hardware and software can't address the changing tides of hacker intelligence."
Trying to reach everybody across all levels of expertise demands that employers "recognize and understand that people are coming from different places. Millennials expect engaging and interactive tools which helps training be much more effective for them, so it's about knowing what to put in their programs," White said.