In addition to her monthly security newsletters, VeriCenter's Ryan regularly e-mails summaries of news articles related to IT security.

Another way to keep security on everyone's mind is to use technology itself to remind them, says Joel Rakow, the e-crimes practice leader at Tatum LLC, an executive consulting and services firm in Atlanta. Companies can have security-related tips and reminders -- like "Our data is sensitive information," or "Customer information is available on a need-to-know basis" -- flash up on screensavers.

Like so much else in IT, security training should not take a one-size-fits-all approach, says Susan Hansche, program manager at Nortel Government Solutions Inc., a Fairfax, Va.-based company that provides information-assurance training programs to the U.S. Department of State.

Hansche recommends role-based training, where the messages and action items are targeted to specific audiences. Her company, for example, uses eight different role-based programs to train 1,000 State Department employees annually. The courses for executives are different from those for senior-level managers and general end users.

Alexander has taken a similar approach to training. She says executives like war stories, middle managers prefer presentations that give them checklists of action items, and general end users like information in small, easily digestible chucks.