Companies need to assess what they are doing now, on the assumption that a security breach either has already happened or will, White suggested. That assessment starts with an internal look at three questions: "What are their current issues? What are they doing now? Who can help them?"
"Hackers are extremely knowledgeable, and if hackers choose to get in, they can. Many organizations need to do a lot with hardware and software and with how end users can mitigate what can happen. Anything they can do to minimize their risks."
If attacks are imminent and no organization is impenetrable, then why should organizations devote time and resources to developing awareness programs at all?
Berlin explained that in a phishing experiment she ran, she got everyone from housekeeping staff to CEOs to IT staff to hand over their password. Berlin said that in the security awareness program she put in place "over the last 10 months, which consisted of easy emails with plain text and Gmail addresses," she had a success rate of more than 40% when she asked for usernames and passwords.
"Six months later, that dropped down to zero results and emails received were reported and blocked within 10 minutes."
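The two numbers Berlin cites, the share of recipients who hand over credentials and how quickly the first report arrives, are the ones a program owner needs to track from one simulation to the next. The following is an added example of scoring successive phishing simulations that way; it is not code from the article or from Berlin's program. The event records, the campaign names, the 10-minute reporting target and the function names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SimEvent:
    """One recipient's outcome in one phishing simulation."""
    campaign: str
    recipient: str
    submitted_creds: bool          # typed a username/password into the lure page
    reported_after_min: Optional[int]  # minutes from delivery to the user's report, None if never


# Constructed sample data (hypothetical, not real campaign results):
# a "before" campaign and an "after" campaign six months into the program.
EVENTS: List[SimEvent] = [
    SimEvent("before", "housekeeping-1", True, None),
    SimEvent("before", "ceo", True, None),
    SimEvent("before", "it-admin", False, 180),
    SimEvent("before", "finance-1", False, None),
    SimEvent("before", "sales-1", False, None),
    SimEvent("after", "housekeeping-1", False, 7),
    SimEvent("after", "ceo", False, None),
    SimEvent("after", "it-admin", False, 4),
    SimEvent("after", "finance-1", False, 25),
    SimEvent("after", "sales-1", False, None),
]


def score_campaign(events: List[SimEvent], campaign: str,
                   report_target_min: int = 10) -> Dict[str, object]:
    """Credential-submission rate, report rate and time to first report for one campaign.

    report_target_min is an assumed service target: the first report should land
    early enough for the mail team to block the sender before most users open it.
    """
    rows = [e for e in events if e.campaign == campaign]
    if not rows:
        raise ValueError(f"no events for campaign {campaign!r}")
    sent = len(rows)
    submitted = sum(1 for e in rows if e.submitted_creds)
    report_times = sorted(e.reported_after_min for e in rows
                          if e.reported_after_min is not None)
    first_report = report_times[0] if report_times else None
    return {
        "sent": sent,
        "submit_rate": submitted / sent,
        "report_rate": len(report_times) / sent,
        "first_report_min": first_report,
        "target_met": first_report is not None and first_report <= report_target_min,
    }


def compare_campaigns(events: List[SimEvent], earlier: str, later: str) -> Dict[str, object]:
    """Direction of travel between two simulations: lower submit rate and
    higher report rate are what a working program should show."""
    a = score_campaign(events, earlier)
    b = score_campaign(events, later)
    return {
        "submit_rate_change": b["submit_rate"] - a["submit_rate"],
        "report_rate_change": b["report_rate"] - a["report_rate"],
        "improved": b["submit_rate"] <= a["submit_rate"] and b["report_rate"] >= a["report_rate"],
    }


if __name__ == "__main__":
    for name in ("before", "after"):
        print(name, score_campaign(EVENTS, name))
    print("trend", compare_campaigns(EVENTS, "before", "after"))
```

Run over its own sample data the script shows the "before" campaign with a 40% submission rate and a first report three hours in, and the "after" campaign with no submissions and a first report at four minutes. The time-to-first-report figure is the one that matters operationally, because that is when the mail team can start blocking the sender; a high report rate that arrives hours later does little to contain a live campaign.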
In designing an awareness plan, organizations should know that there is never a one-size-fits-all approach, nor does a good awareness program need to cost a lot of money. (See also: No money, no problem: Building a security awareness program on a shoestring budget.)
"All of the principles stay the same," said Berlin. "Teach users hands-on what looks suspicious, give them the ability to report, have good spam filtering, good management, two-factor authentication, train users with something that will stick."
While vendors are expensive, "an external pen test to prove what you're doing is successful is a good metric," she added.