There is a lot of talk about creating a security culture in the workplace, but for most IT departments it is a tough job to get users across the organisation to understand why it is important, to put it into practice and, even more important, to turn good information security practice into a sustainable habit.
It certainly does not do the image of the IT department any good to be seen as a bunch of irritating "nanny" figures with nothing better to do than tut-tut about members of staff revealing their PC passwords to their colleagues.
It is essential that the vital message of good security practice comes from the very top. As one of our expert panel says in a different article, "E-mails from the IT department will be ignored".
In most companies staff don't bother to challenge unfamiliar faces in the building, so "subtler" IT threats may be even easier for them to ignore.
However, a computer virus that puts a total stop to the company's business may prove more devastating than a stolen purse, so IT must keep promoting the security message upwards to the boardroom as well as across to colleagues.