"Hands up all those who have actually received proper Outlook training and/or email etiquette or management training? People still don’t know how to set up sharing of permissions in the folder listing rather than handing over access to their whole Inbox" says Andrea Simmons on the BCS Security Blog in response to the Human Factors in Information Security (HFIS) conference held in February. So true. I know I keep bleating on about it but while you're busy installing two-factor authentication in your payments application your staff are losing, sharing and deleting information through basic lack of awareness and skills, and failures of responsibility and accountability.
While you're patching IE and blocking Facebook, staff are e-mailing eachother huge files of customer data because you have not
a) told them it's wrong
b) enabled effective collaboration through legitimate tools
c) prevented the sharing of data through illegitimate channels.
Educate (the right and wrong ways), enable (the right way), eliminate (the wrong way). Too many security managers do the last point without the first two, which is why they find it so hard.