Organizations are considering bolstering end-user awareness and training programs, according to the Bit9 survey. Bit9's Levay said training sessions that are narrower in scope are typically more successful than broad security discussions with end users. Training sessions can revolve around a single topic, such as how to create strong passwords or how to identify phishing scams.
"If you do manage to execute it properly, the effects are really good," Levay said. "You have to be strategic and have a long-term plan for how to approach training."
Support from upper-level executives helps keep a program running and instills a security-aware culture over time, Levay said. It also helps to have "champions," or respected people, within the various business units who can push the value of an awareness program over the line, he said.