An organization can have all the defences in the world, but staff who are unaware of security vulnerabilities can undo this work and investment with the click of a mouse.
Users should be trained on the threats associated with web browsing and following web links in emails, on how to identify phishing attempts, etc. Staff should also be made aware of the warning signs of ransomware or other malware and know the procedure to follow if they suspect an infection.
In addition, IT Support staff should have a clear understanding of, and a procedure for, dealing with any outbreak. A strong, calculated Incident Response plan is vital.
The strongest defence is constant and effective Security Awareness Training. Staff who are trained and aware of how to spot the tell-tale signs of a phishing attack are much less likely to be victims and much less likely to inadvertently introduce malware into an organization.
Creating a culture of security awareness in an organization takes time and investment but can often be the most effective defensive tool.