You can only do so much with security when you start to look for the weakest link.
And it's always the users.
Take 1 case I know of. Company laptops provided; however, during night shift when internet isn't needed, it's turned off. Employee thinks "If I use the phone tethering function on my phone, I can stream the latest TV shows on the company laptop while I work", which he does by searching for streaming services and coming across "Download and install this to watch the latest Netflix", which he does and watches Netflix... and it has a rather nasty payload attached.
Next day, the server starts up, connects to the internet and the laptops and downloads gigs of data and then the anti-virus alarms go off and system grinds to a halt.
Cue much gnashing of teef and wailing... Once the culprit is found, he no longer has a job. And good riddance.
Or a new employee gives her work e-mail address to a friend, that friend's son downloads stuff from a dodgy site, and the resulting spam bot fires off an e-mail to our new employee... who unquestioningly opens it because it's from a 'trusted' source... yeah, we're back to wailing and gnashing of teef.
So the question should be "How do you secure your applications tightly enough so that the system cannot be compromised without tying the system down so tightly that people can't do their jobs?"