I just read an article in a news paper about how some attackers stole $1.2 millions in a few minutes, but I begin to laugh when they begin to take actions about how the employees surf on internet and other security actions AFTER THEY GOT THE INCIDENT.

I have a supervisor that always tells me, we never got that kind of problems, so do not worry, jajajajaja, It is very difficult to change their mind. It is necessary to be pro-active.

This is the link:

http://www.chron.com/disp/story.mpl/business/6434202.html

so so so true.  I run into this every single day.  It makes no sense.  but really it is just ignorance.  If you dont understand the digital world it is hrd to understand the threat.  Most people think "I have no idea how to do that or why you would do that, so I bet prety much everyone else is in my shoes."  But those same people would never say "I like to leave my doors and windows open when I leave the house.  Ive never had an issue with burglary, so..."  that is because they can feel see and touch the issue.  I think:)

Changing technology is easy...changing culture is hard. I think changing this cultural mind set can only be done by constantly making your managers and employees aware of the risks.  Reminding them of the bottom dollar value of a security incident.  reminding them that security is everybody’s problem.

I have implemented the most radical and successful changes to organizations after an 'incident' has occurred.  This seem to be the only time when they are willing to listen...otherwise, it is a constant uphill battle.

I would never say, "if you want to have an accident, buy insurance"...and i would never say "if you want to change your companies security culture, have a security incident!" but security, like life, can be paradoxical. 
We seem to learn best after making mistakes....and the bigger the mistake and the more it costs us, the more likely we are to change.

/<end rant>