This is a great question, and one that plagues businesses of all sizes. Based on our experience writing security training and consulting companies on the best ways to plug the security holes in their organizations, it comes down to three things:
1) Spelling it out: A proactive approach to security awareness includes open lines of communication, telling employees exactly what sorts of things to look out for. One major mistake that corporations often make is assuming too much—mainly, assuming that their employees know how to identify malicious situations over the phone or through email. Instead, spell out the situations that may trip them up, either through policies or training.
2) Repeat, repeat, repeat: Even in companies that make a concerted effort to raise security awareness among workers, there is a tendency to backslide into comfortable complacency unless the danger is kept at the forefront of their minds. This doesn’t have to be onerous for management or irritating to employees, since there are so many effective ways to make security awareness a part of a worker’s daily experience. E-newsletters, security briefs, and clever, eye-catching security awareness campaigns are a few ideas.
3) Create a culture of teamwork: Often, corporate environments in large companies use impersonal policies to “teach,” hoping to generate desirable behaviors with a “Don’t think, just do” mentality. This approach makes employees feel like a tiny cog in a huge machine, a piece not worthy of more than minimal information. Smart employers give employees more credit. An attitude of inclusion should permeate every policy, every training campaign, and every common area. A real “good guys vs. bad guys” attitude makes everyone feel like part of a team that is working toward the common goal of security.