If you use a computer at work, you probably have attended mandatory cyber-threat training. You may have even signed a letter saying you’ll behave when using a company computer or network. Still, we all know that one employee who can’t help posting what they had for lunch on Facebook because everyone wants to know what they’re doing.
Well, if they had paid attention at training, they might realize that this could be truer than they ever imagined. The problem is that it may not be their 273 friends who are interested. It could be someone with more insidious intent.
Cyber security is a critical issue that has been in the news quite a bit lately. Employees are one of the best assets a company has, but if they don’t follow good cyber security practices, they become one of the largest vulnerabilities. Cyber threats are on the rise and no organization is completely immune.
Even industry giants like Apple Inc. and Facebook have announced this year that they have been the target of malicious attacks. I know! Scary stuff! It makes me want to unplug my computer and move into a bunker. Apple Inc. disclosed a cyber-attack, which started when employees visited a website for software developers and inadvertently picked up malicious software that infected their computers. Similarly, Facebook announced in February that malware got onto employee laptops after some employees visited a “compromised” website. The list of the hacked grows daily. Investigation into some of the attacks concluded that employees who opened malicious links or attachments contained in emails opened an opportunity for the hacker to get in.
So, how big a deal is someone seeing what I had for lunch? The issue is that once a hacker gets in, they can go other places in the network and steal client/customer data or proprietary information. The GAO estimated that cyber identity theft alone cost U.S. citizens and businesses approximately $50 billion. So you can see it is a very big deal. The problem seems insurmountable, but it really isn’t. It is, however, extremely dynamic.
So how can a company protect itself without losing the benefits of cyber access? Today, there are very few jobs that don’t involve the use of some type of digital device. The users are not always IT experts and may not fully understand the threat. A viable program of basic training for these employees should be provided. Periodic continuing education is imperative. This training should be more than just a check in a box. It should prepare all employees to respond during a security incident. The curriculum should be updated frequently to keep the workforce current. Emergent training should be conducted when new threats become known. Security rules should be reviewed for adequacy and strictly enforced. Continuous monitoring of networks can help identify incidents and make response faster and more effective.
Ultimately, no computer or network is 100 percent secure, but just like non-cyber criminals, the softer targets are usually the ones that are targeted.