Chris Parkerson of RSA raises an excellent point about the expectations that organizations put on employees regarding data protection. He asks "Is it really possible to expect employees to be educated enough about such policies to always do the right thing?" And he goes on to make the point that "well-intentioned employees in many cases are under pressure to complete projects in record time and with minimum resources. The consequence of this dynamic is employees will prioritize getting a critical project completed above adhering to company security policies."
I think he's right. It's not a problem of bad-guy employees. It's that productive employees have too much going on to be constantly thinking about security policy. Some will even tell you that policies exist to satisfy auditors and don't really need to be followed day to day. Ask your co-workers and friends and I'd bet you'll find a few people who think along those lines. If you've ever worked on a software integration project, I bet at some point you hit a permissions error and elected to just give the user (or the service account) admin rights to get things working. Of course you eventually went back and revoked those rights, right? That is exactly how a one-off workaround turns into a standing privilege that nobody remembers granting and nobody is monitoring.
So what can an organization do to protect itself, short of mass employee hypnosis? Own the burden. Put the right security controls in place and keep balancing employee education with effective IT controls, and make the secure path the easy path: temporary elevations that expire on their own, privilege changes tied to a change ticket, and a request process fast enough that nobody is tempted to route around it. And, of course, run regular audits and real-time monitoring on those controls, because a control nobody checks is just a policy by another name. Create a culture of compliance. Automate the process of security and most employees won't fight it. They'll probably like it better when they don't have the option to subvert security, because then there is no pressure from coworkers or deadlines to do so.
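As an added illustration of what "audit the controls" can look like for the admin-rights scenario above (this is example code written for this post, not anything from the original article or from RSA), the script below reads a privilege-change log and flags every admin grant that has no matching revoke and has outlived the allowed elevation window, or that was made without a change ticket. The log format, the sample entries, and the user names are all constructed for the example; a real deployment would feed it from the IAM system's audit trail.

```python
"""
Audit check: find temporary admin grants that were never revoked.

Added example for this post (not code from the original article or from
RSA). The log format below is invented for illustration; the sample
entries are constructed, not taken from any real system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: one privilege change per line.
SAMPLE_LOG = """\
2024-03-01T09:12:00Z GRANT user=svc_integration role=admin by=jsmith ticket=INT-442
2024-03-01T11:40:00Z REVOKE user=svc_integration role=admin by=jsmith
2024-03-02T14:05:00Z GRANT user=svc_etl role=admin by=mlee ticket=INT-451
2024-03-10T08:00:00Z GRANT user=build_bot role=admin by=mlee
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>GRANT|REVOKE) (?P<kv>.*)$")


@dataclass
class Event:
    ts: datetime
    action: str
    user: str
    role: str
    by: str
    ticket: str | None  # None when the grant was made outside a change ticket


def _parse_ts(value: str) -> datetime:
    """Parse the UTC timestamps used in the constructed log format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list[Event]:
    """Parse the log into Events, oldest first; lines that do not match are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kv = dict(item.split("=", 1) for item in m["kv"].split())
        events.append(Event(
            ts=_parse_ts(m["ts"]),
            action=m["action"],
            user=kv["user"],
            role=kv["role"],
            by=kv.get("by", "?"),
            ticket=kv.get("ticket"),
        ))
    return sorted(events, key=lambda e: e.ts)


def standing_grants(events: list[Event], now: datetime,
                    max_age: timedelta) -> list[tuple[str, str, str]]:
    """Replay grants and revokes; report (user, role, reason) for grants still open
    past max_age and for grants that were never tied to a change ticket."""
    open_grants: dict[tuple[str, str], Event] = {}
    for e in events:
        key = (e.user, e.role)
        if e.action == "GRANT":
            open_grants[key] = e
        elif e.action == "REVOKE":
            open_grants.pop(key, None)  # a revoke closes the matching grant

    findings = []
    for (user, role), e in sorted(open_grants.items()):
        reasons = []
        age = now - e.ts
        if age > max_age:
            reasons.append(f"active {age.days}d, limit {max_age.days}d")
        if e.ticket is None:
            reasons.append("no change ticket")
        if reasons:
            findings.append((user, role, "; ".join(reasons)))
    return findings


def audit(log_text: str, now_iso: str, max_age_days: int) -> list[tuple[str, str, str]]:
    """Convenience entry point: audit a log as of now_iso with a max_age_days window."""
    return standing_grants(parse_log(log_text), _parse_ts(now_iso),
                           timedelta(days=max_age_days))


if __name__ == "__main__":
    # Run as of 2024-03-12 with a one-day elevation window.
    for user, role, reason in audit(SAMPLE_LOG, "2024-03-12T00:00:00Z", 1):
        print(f"{user} {role}: {reason}")
```

Run against the sample log, the integration account that was elevated and revoked the same morning is clean, while the ETL account (ticketed, but still admin nine days later) and the build bot (elevated with no ticket at all) are both reported. Scheduling a check like this, and paging on its output, is what turns "revoke it when you're done" from a policy people have to remember into a control the organization owns.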