Some of the best firms use very simple techniques to protect their companies’ information. These techniques can be very efficient with not only securing company data but also your employee's personal information as well. These may take some time and resources to set up initially, but you will thank yourself down the road.
First you want to implement some sort of yearly or bi-yearly security training program. Something interactive that will keep them involved and teach them the basics of security in the office. Using game-ology or animation in this training will insure that the information sticks with the employees. Not only will you remain compliant with a yearly security training program but you can insure awareness around the main cause of information leaks and breaches; humans.
Once this program is in place, you want to put it to the test. One of the best ways is to create a phishing campaign. This entails you sending out a fake email from a fake address with a false, clickable link that will record the number of users that click on this link. You can set up this campaign to log information like, clicks, openings of emails and even going as far as viewing the users that clicked the link then filled out an informational form about themselves. A phishing campaign is not to be used as a form of punishment but a teaching point about what “exactly” to look for in a phishing email.
Lastly is a step you should take into your own hands as a security professional. Utilize a tool like bit locker and/or Digital Guardian to monitoring what your employees are doing on the internet and help prepare for the worse situations. Having timely backups on all saved information is a plus incase you need to roll back changes on someone’s machine due to a malicious link that was accidently clicked.
Overall the best options, no matter how you do it, is to educate the people that handle sensitive information on best practices and then create assurances around them to protect in case of an accident. Remember in this industry it is not “if” but “when” a security event will take place.