Blocking access to the entire internet except for the corporate intranet

Regular training, simulated phishing campaigns, and leadership by example

Strict fines for every wrong click on an email

Installing monitoring software on all employee screens

Delegating security responsibility exclusively to the youngest IT technician