No matter how rigorous an organization's technical security, human error continues to confound these efforts. Firewalls, intrusion detection software, and other sophisticated tools are a waste of time and money when employees ignore security protocols. Unfortunately, sending out directives from the IT department won’t do anything to solve the problem; building a culture of security takes time and effort. First, it’s important to consider frequency. Deeply ingrained behaviors won’t be changed by a single training session; an ongoing conversation with employees is needed to replace bad habits with better ones. Employees have short memories, and repetition is needed to hammer the importance of good cybersecurity practices home. A well-designed cybersecurity campaign also cannot simply be a dry set of rules, divorced from an employee’s day-to-day job. If done correctly, employees will understand how cybersecurity practices fit into their work flows, and come away understanding how their behaviors can affect the organization overall.