I 'ad a thought, formin' in me 'ead. After the edit window ran out, of course.
Possible company structure:
Connected via a one-way link to the:
The outer perimeter would have all the usual firewalls etc. BUT all staff outside would have to start the day with a blank-ish VM (custom per user so email etc. works). You can interact with the outside world and look stuff up etc.; stuff you wanted to keep would be safely saved inside the perimeter, but any hacker would only get that day's stuff and would have to re-hack you all over again tomorrow. Or train the users to run Tails.
Part of the image would be a 'shared folder' where the user could save stuff they wanted to keep, which at the end of the day would be copied inside the perimeter via the one-way link and never, ever run on that network. If the user wished to use that data, he would have to copy it from the network (via another one-way link (outwards this time)) to another non-internet-connected machine where they could work. This machine would also have other continuity stuff beamed to it like email archives and so on.
You'd need 2 machines per user, and the system would be a bit irritating to use until you got used to it, but you could have both machines side-by-side on the same desk. Could probably use Raspberry Pis for the outside-the-perimeter part. But because of the one-way links and the fact that *NOTHING* from outside runs on your storage, it would be really, really difficult to hack remotely, and with the right mix of access privileges, locks, armed guards and piranha moats it wouldn't be that easy to social engineer either. Your IT dept would have to be fairly switched on too, as they'd have to generate a custom ROM for each user in addition to all the other tasks (but you might make that time back by not having to worry about the users clicking on dontclickonthisFFS.hta). You could automate the ROM part, anyway.
Just a thought.