This was a key message from Infosecurity 2013, with IT bosses agreeing this was the best way to create good security without having to break the bank.
Graham McKay, CISO at Scottish publisher DC Thomson, said: "We are all facing considerable budget pressures, with an increasing threat landscape. It's a challenge.
"But we've adopted the approach of education, training and awareness. Educating our staff, getting the best value for money. Identifying what our information assets are, and taking the best approach to protect those."
Cal Judge, Head of Information Security at Oxfam UK, agreed that education was vital. He said that it was key to get staff interested in information security and to buy into it.
"You can do this through various methods," he said. "For us it is about, for example, creating an online course that is entertaining and interactive.
"You can take a story about a celebrity getting their Twitter account hacked, use that scenario, and get staff buying into the idea that password security is essential to securing their account.
"People don't remember doing boring courses, and if they are having fun during the process, they are more likely to remember."
Michelle Tolmay, security officer at online retailer ASOS.com, said all new starters in her business needed to undergo security awareness training.
She said that she checks their Facebook and Twitter accounts before they start, and reveals personal facts about them she discovers at the beginning of the session.
Tolmay said, "People start thinking, hang on, what have I actually put out there to find that information? We're quite lucky as most ASOS staff are customers.
"Not only do we make it personal because of how they need to protect themselves in their day-to-day lives, we can take that one step forward and show how customers of ASOS need to protect themselves.
"Staff will take more interest because they know that if there is a data breach, it's not the information of random people around the world - it's theirs."