Probably the single biggest mistake that people make when thinking about social engineering protection, is to think only in terms of staff awareness. In our experience, given that awareness building tends to strengthen only the conscious processes, it is systemic improvements that are most effective in protecting your information.