The hackers are inside the building
Earlier this year, employees at a prominent media company received a strange email asking them to reverify their accounts. These emails didn't come from a web hosting company or a cloud service provider. Instead, they came from an attacker trying to find vulnerabilities in their network. But the attacker wasn't the Syrian Electronic Army or a Russian criminal gang. The employees of Atlantic Media (publishers of, among others, The Atlantic and Quartz) were phished by their own CTO, Tom Cochran.
People are more apt to learn from an experience than to listen to a recommendation or a policy. Just like a regular office fire drill, senior leadership should be running random phishing drills to give employees that experience.