Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are "assuming their employees know internal security policies" and "assuming their employees care enough to follow policy."
To avoid falling into these traps, you must: a) Have a plan, b) Educate users about your plan, and c) Make them care about procedures.
To give a quick summary, you need to have a defense plan for each of the layers that a hacker can attack: the physical layer (i.e. you need policies to ensure that only authorized personnel can access your devices), the network layer (i.e. make sure that only authorized devices access your network, and that your devices only access authorized networks), and the human layer (i.e. you should ensure that your employees practice good password hygiene and are aware of security threats).
You should train employees on your security and disaster recovery policies at least twice a year, and your IT person should keep your employees up to date on security issues on a weekly basis. Make sure that they understand the risks of a breach.
Most importantly, you need to create a "culture of security," where employees go beyond the minimum guidelines laid down by your IT staff and always ask "is this good security sense?" for every action they take. You need to have clearly defined penalties for those who practice bad security, and rewards for those who display good security sense.