I always find that it's an ongoing thing.
I used to run the information on an intranet, but it became a problem when people were just not reading the valuable information collated, then, it fell into disuse.

Nowadays, I always circulate the latest news on hacking and phishing via e-mail, reminding people to be vigilant. Most are savvy, anyway, however, all it needs is the guard down for a short while.

Most are savvy, anyway,

you would think but from what was hacked doesn't look that way.

You cant really blame users for clicking links, the security systems need to cope with whatever threats are out there.

There are some web layer products like palo alto that can help with new types of threats but if directors of companies dont regulary have external pen-tests and vulnerability assessments they are to blame imo

At the time of the ILOVEYOU outbreak 10 years ago we had the policy at the company where I worked to stop all emails which could be a threat, including emails containing Word documents, ZIP files, etc and all these emails were manually scanned and forwarded by a trusted employee of the IT department. If it couldn't be scanned, it was simply returned to the sender with the request to send the email again in an accepted format. (PDF wasn't known to be unsafe 10 years ago ;))

In that time it was a great way to deal with this kind of threats while many employees were struggling at home to try to remove these and other infections from their personal computers. This kind of manual scanning uses human labor and may because of privacy concerns also not be appropriate in specific settings. The company I am talking about was a technical company where most emails coming in and out were production data, drawings etc, nothing privacy related. There was a stand-alone PC in separate room with an Internet connection which people could use for their private Internet activities.

what a safe idea from lammert about the stand-alone PC.
I agree with aspdaddy you should contract a vulnerability assesment firm to examine the programming of your site, so your webmaster applies those reports to strenghten its security.
There are many programs to monitor every activity of every PC remotely and report to you as the Manager, and there are also programs which prevent unauthorized access to CD/DVD trays or to USB unauthorized copying etc.
Goodwill teaching is sometimes not so effective as the monitoring measures hereby mentioned.
Keep all this in mind and contract an advanced security suite as Bullguard, which is highly custom-configurable.

We've started switching employees to using Macs. This has been more effective than anything else we've tried. Our employees have to review web sites as part of their responsibilities, which inevitably would lead to viruses, but not on the Macs.