There is a saying that there are two kinds of companies: the ones that know they have been hacked and the ones that don't. It is safe to assume your network has already been compromised, which means your Incident Response skills, detection and remediation in particular, matter more than ever.
Unfortunately, the same is true for your employees. They really are the weak link, and that link was weakened further by news that came out this week: the major data brokers, including LexisNexis, Dun & Bradstreet and Kroll, had been owned by the bad guys for months.
Stealing a few hundred million records once you have "owned" the network is not all that hard. So here is the bad news: it is highly likely that your own identity data and that of all your employees is already in the hands of the bad guys; they just have not gotten around to using it yet.
The upshot? Highly personalized spear-phishing attacks that use very personal data to get the victim to click on a link. Think of an email that appears to come from the employee's actual health insurer, offering a special low-cost health plan for families with more than three kids, sent to someone who has four children. That is hard not to click on.
You REALLY need to get in front of your employees and impress upon them that they need to STOP - LOOK - THINK before they click, and that this applies at home as much as in the office. The article is on Brian Krebs's site and is excellent ammo for your awareness program:
http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/