Companies that consider security training an annual event are missing out on opportunities to make security part of the everyday culture, says Jonathan G. Gossels, president of SystemExperts Corp., a Sudbury, Mass.-based network security consulting firm.

Gossels recommends leveraging ongoing training events. He notes that one client, a large chemical company, incorporates security components into its regular professional development courses.

"No one would take time out to take a security course, but to take 15 minutes in another course works well. And they're able to tune the security message to the people taking the course," Gossels says.

Also, don't let security become an "out of sight, out of mind" issue, says Litchko.

"It has to be a continual thing. You can't just put up a poster and keep it there a year. It needs to be constant and varied."