Your employees: the greatest security risk
While most of the media attention given to IT security is around cyber criminals and attacks, the biggest threat remains from unwitting employees.
Recently, a security firm called SecureData conducted research among IT professionals that indicated 60% of them believe ‘employee carelessness’ is the biggest risk to an organisation’s security. More widely publicised factors like data theft and external malware were seen as more than four times less risky.
While we may know that employees pose the greatest security threat, getting them to change their behaviour is a very hard thing to do. As the data they access or devices they use are often company-owned, employees have a tendency to be less concerned about security than they would with their own items like online banking passwords. It is also hard to change the habits of a work-lifetime. Equally, many are simply ignorant of the risks that sharing devices or leaving them lying around can bring. A survey from Cisco showed that almost half of all employees globally share work devices with people outside the company, without supervision.
At the same time, SecureData’s survey results reveal that one quarter of IT professionals admit that implementing a security management policy was their weakest area. When you think about it, this is not so surprising since an effective security management policy is reliant on a security-conscious culture and IT professionals are only partly responsible for company culture. So how can you help to foster a corporate culture that prioritises and respects security at all levels?
Clearly there is no single, right answer to this question: if there was, businesses wouldn’t experience the levels of data risks and leaks they do. There are a few pointers to best practice though.
First, any policy or attempt to develop a pro-security culture has to form part of your holistic security policy. This is a no-brainer that I am sure every company with an IT security policy follows.
Almost as obvious, employees should be actively and regularly educated on security best practices (including password creation) and potential security risks. Training can really help employees understand how security breaches could ultimately have a negative effect on their careers, which can prove a major step towards changing their behaviour.
In this vein, Cisco has suggested IT managers teach employees that corporate data is, essentially, money. The company uses this line: “Losing or leaking corporate data is like throwing money away and letting the people who pose the biggest threat to you pick it up and use it against you.”
Hand-in-hand with this training goes the roll-out of security technology that ‘trained’ employees will rely on and use to help maintain security. Web application firewalls (WAFs), for example, can make a security strategy more effective.
As long as internal security breaches remain the number one risk, the businesses that have succeeded in making their employees take responsibility for their role in protecting the company will be the ones with the safest corporate data.