an attempt to hurt one’s brain with securitythink

Training and policy are necessary, but don’t bank your security on them. This story on a couple of security breaches at the VA illustrates this. When the business says employees must get XYZ done, and employees *can* technically do something to help themselves get XYZ done, they will do that (based in small part on their own internal risk analysis of job vs getting caught+fine…). The only thing policy/training does, ultimately, is give the business grounds to fire offenders and CYA against negligence. But it doesn’t specifically *prevent* anything any more than a sign that says No Loitering does.

Just like this car I see daily in the visitor slot of the parking lot. Unless someone gives that person a warning and/or tows them, no soft measures are going to stop them. (Yeah, not a life-threatening heinous offense, but it illustrates a point.)

As a counter-point, one might mention stoplights. Nothing is really technically stopping people from ignoring a red light…

I better stop before I hurt my brain on a Friday.