Employees who find themselves locked out of their email accounts may think nothing of uploading a sensitive contract or document to the same online cloud service they used to share photos from last summer's family vacation. It's convenient, it's practical—it is not, however, secure.

These are the kinds of incidents that organizations are looking to curtail, especially with the advent of privacy laws such as the forthcoming California Consumer Privacy Act (CCPA), by enacting a culture whereby the care with which data is handled becomes a priority. The good news is that this is a cause the C-suite can generally rally behind, but the bad news is that they are working against a couple of decades' worth of bad cyber habits and an even longer history, at least in the U.S., of treating privacy as an afterthought.

Laurie Fischer, managing director at HBR Consulting, pointed to the EU's longstanding embrace of privacy as an essential human right. U.S. consumers, on the other hand, may be more accustomed to trading personal information for convenience.

"If I can get that pair of boots from Zappos in 24 hours, I'll give you the name of my kids, their social security number, anything," Fischer joked.

A litany of General Data Protection Regulation (GDPR) fines and breach-related headlines would tend to indicate that trading convenience for security—even in corporate America—is not the best idea. Dan Greene, a certified information privacy professional with Beckage, thinks C-suites are starting to take notice.

This is a good development, because an organization's journey towards a culture of privacy may start at the top. If the leader of an organization isn't bothering to use multi-factor authentication, it's a safe bet that their subordinates aren't either.

"First and foremost, make sure that your CEO or CFO and everyone that's there surrounded by them is a champion of using the best practices that are appropriate for your company," Greene said.

However, overreliance on technology-driven security measures can also be a recipe for disaster if an organization isn't in a position to afford solutions like multi-factor authentication. Greene pointed out that municipalities and school districts have emerged as frequent targets for cyber criminals over the last year precisely because they don't have the resources in place to implement top-of-the-line defenses.

In other words, humans may be the last line of defense. "That then in turn makes that culture change so much more important," Greene said.

Still, even the most security-conscious leaders in the world can't guarantee employee buy-in through example alone. Ongoing education is a vital component of any successful privacy culture. For example, an employee may not realize that it's a bad idea to place sensitive client data onto a thumb drive unless they are explicitly told.

As for outside cyber threats, the occasional "fire drill" may not be a bad idea for organizations looking to keep employees on their toes. Fischer cited a previous employer who sent out mock phishing emails to see if she would reply. Making training as real—and as entertaining—as possible can pay dividends for companies from an awareness perspective.

"Everyone likes to hear a good story of something that either went very well or very poorly," Fischer said.