Technology and training can also help protect the organization from workers who are not malicious, but who fall victim to scams like phishing.
"You can do things like virtualizing browsers or mail accounts, so if they click on something, you can see that it's not kosher," McGraw said. "But you need to understand that they are going to get phished."
Sweet said companies should "hit their employees constantly with company-managed phishing attacks. This is a service you can pay trustworthy outside providers to do. It keeps the awareness level exceptionally high."
Schneier added that things like one-time passwords can help protect against employee vulnerabilities.
But nothing is foolproof.
"These are all tricks around the edges," Schneier said. "There is no panacea. There will always be exceptions. You are never going to catch everything."