Security threats explained: Social engineering


In addition, companies should make the security policy accessible to staff and users by avoiding technical jargon and sharing posters around the office.

"Technology can also assist in user awareness," adds McKinnel. "Employ technology that places the onus back on individuals and reinforces user education."

For instance, pop-up click boxes can be deployed before users download anything that looks high risk, send sensitive information or use media websites. "This technology embeds security practices into business processes without slowing down regular work activity," he says.

Sophos' Forsyth agrees that education is the key to rebutting attacks. "If staff are made aware of their part in protecting customer data [and trust], they will appreciate the need for vigilance," he says.

"This training should be a joint responsibility of the information technology [IT] and human resources [HR] departments. It should also be a core component of staff induction, and staff should receive regular updates on the latest threats."