Security and the SMB

Sean Hambridge
posted this on July 28, 2010 01:19 pm

The first step to understanding security (company-wide) is to know who may attempt to access company information to the detriment of your business. The most likely are:

  • Disgruntled former employees
  • Current employees
  • Contractors
  • Competitors
  • Hackers (for fun or profit)
  • Scammers
  • Industrial spies
  • Government agents
  • Terrorists/Crooks
  • Customers


The next thing to look at is motive:

  • Revenge
  • Fraud
  • Unfair Advantage
  • Selling details to competitors
  • Building profiles to assist in identity theft
  • Vulnerability for attack/theft
  • Fun and recognition by one's peers


Then we canvass methods, which include:

  • Dumpster diving - finding company info, logins and passwords in the rubbish
  • Social engineering - someone just walks in off the street pretending to be lost or in need; the plant waterer sees someone's password on a sticky note on the screen; someone posing as a utility worker comes by or phones and asks questions, thereby building a profile
  • Spying - high-powered binoculars or a camera pointed at a window to visually record keystrokes and screen information
  • Spying - planting a remote camera (they're cheap and work well; even a mobile phone can be used for this)
  • Break-in - taking any information lying around, again to build profiles
  • Accessing online services (Google, Facebook, your website etc.) via:
      • Brute-force attack (software tries to guess passwords)
      • Using a "sniffer" on your network to collect data being sent and received (sniffed passwords are useless as they are encrypted - or should be)
      • Planting malicious code, either via emailed or downloaded viruses or using social engineering (entering the premises to plant code); this type of code is often a "key-logger", which records each key as it is pressed - good for getting login and password in one hit
      • Hacking a service provider such as Telstra, Google, Facebook, the ATO, banks etc. (really, really hard - these companies spend millions on security)


Once we've had a think about the above, we ask the questions: "How motivated are the potential wrong-doers?" and "Do they have the resources (money and time) to carry out an attack?"

I would suggest that the risk level of electronic-based attacks is relatively low as long as you have up-to-date virus/firewall protection and staff understand the risks of downloading and running software from untrusted sources (shareware, freeware, odd little utilities). Be wary of programs attached to emails, too - sometimes they come from trusted sources who have themselves been infected.

Physical theft of logins and other details is actually the number one security threat in the world. This can be avoided by:

  • Using strong passwords ("muffy" is a weak password; "joKe_my767" is a good password because it has a combination of upper and lower case letters, numbers and non-alphanumeric characters). I have 3 types of password: my super-secure one, which is only used for important services; my mostly-secure one, which is used on less mission-critical or less well-known online services; and the company password that is shared in the office.
  • Not writing them down. I have a specialised program that uses strong encryption to protect all of my passwords (and some of yours) - I have hundreds of logins. If you must keep a record then it should be kept in a safe or a safety deposit box. Lost or forgotten passwords can usually be re-set easily, though.
  • Revoking departing employees' access as soon as possible - some cases warrant revocation before they leave the manager's office. This should really be part of the exit-interview policy.
  • Training staff to challenge anyone who looks out of place (I once challenged a senior executive in a global corporation because I hadn't seen him before - he appreciated the sentiment); someone up to no good will usually make a run for it.
  • Using the shredder or secure document disposal - if your username is on your phone bill, there's the first step in breaking in.
  • Setting PCs to lock the screen after 15-30 minutes of inactivity.
  • Setting a policy for changing passwords. The frequency is up to you; 3 months is reasonable because no one likes having to change their password. With Google Apps this means going into each user's account and checking the "Make user select a new password" box; each user then needs to log in via the web client and define a new password.
  • Setting Outlook to only access Google Apps using SSL, which means that all network communications are encrypted.
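
As an added example (not part of the original post), here is a small Python checker that applies the post's password criteria (upper and lower case letters, numbers and non-alphanumeric characters) and also estimates how large a search space each password leaves to the brute-force guessing software mentioned earlier. The 8-character minimum and the guess rate are assumptions of this example, not figures from the post.

```python
import math
import string
from dataclasses import dataclass, field

# Character classes the post names as ingredients of a good password.
CLASSES = {
    "lowercase letters": set(string.ascii_lowercase),
    "uppercase letters": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "non-alphanumeric characters": set(string.punctuation),
}
MIN_LENGTH = 8  # assumption of this example; the post sets no length


@dataclass
class Verdict:
    strong: bool
    search_space_bits: float          # log2 of the guesses needed to exhaust it
    problems: list = field(default_factory=list)


def check_password(password: str, min_length: int = MIN_LENGTH) -> Verdict:
    """Apply the post's character-class rule plus a minimum length."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    used = {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}
    problems += [f"no {name}" for name in CLASSES if name not in used]
    # A guesser who knows only which classes are present must cover an
    # alphabet of this size for every position; log2 gives bits of search.
    alphabet = sum(len(CLASSES[name]) for name in used)
    bits = len(password) * math.log2(alphabet) if alphabet else 0.0
    return Verdict(strong=not problems, search_space_bits=round(bits, 1),
                   problems=problems)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time for a guesser at an assumed rate (1e9/s is illustrative)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("muffy", "joKe_my767"):  # the post's own weak and good examples
        v = check_password(pw)
        print(f"{pw!r}: strong={v.strong} bits={v.search_space_bits} "
              f"exhaust={seconds_to_exhaust(v.search_space_bits):.1f}s "
              f"problems={v.problems}")
```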

So, there's the story. Don't go out and get eyes tattooed on your eyelids or aluminium foil hats because the most effective security measures are all common sense.