Re: People "trained in IT security" are a lot of the problem
I'd agree on the password changes, but frequent password changes do help mitigate damage - if your password has been hacked, whilst damage has been done and data stolen, a forced password change will mitigate further damage.
Also, security staff are not the problem - it's the corporate attitude that security is the responsibility of Person X or Department Y. Security is everybody's responsibility, especially the users'. After all, it's rarely the Security Admins who open the email saying "Invoice Attached".
Unfortunately most companies provide about 30-60 minutes of "training" when a new employee starts, at a time when they are being inundated with "more important" information about the job they will be doing, so it goes in one ear and out of the other. Additionally, this training tends to be an HR check-box exercise which dictates to users: Don't Do This, Don't Do That. It's just a waste of time!
Companies need to invest properly in training staff about security, both for the office and at home - explaining why it's needed, how it impacts them personally, then how they should approach it. Rinse and repeat every 6 months.
Actually, what we need is a national campaign to make bad security judgement socially unacceptable.