Re: Correction
It's a start. Consider the 2008 network attack on the US.
Up-to-date antivirus definitions stopped it cold on my installation; other installations fared far less well. To the tune of one billion dollars for the first infection; the second one remains classified in expense.
So, it's a start. A second option is IPS systems inline with the firewall that can be modified when an attack is beginning and ongoing.
There are various other methods to protect a network, including host-based IDS/IPS systems and custom-designed IDS systems for the network. One can even buffer headers of all traffic across the network, though that creates an obscene amount of data to archive; the US does it at the DoD level.
The very first step is to keep the antivirus up to date in version and definitions. The second step is keeping patches up to date.
The final and most important step is to educate the user to not plug a found USB drive into a computer to see what's on it or even format it, as that is how the 2008 network attack was accomplished initially. Other successful attacks were phishing attacks and spear phishing attacks.
One accomplishes defense by one method, defense in depth, with layers of defense.
However, one also is mindful of the budget, lest one lose out in important areas when securing secondary or tertiary areas before the primary areas are secured.