Employee education is the key to security. The computer is a tool an employee uses in the process of their job.

If they cannot use and maintain it properly the are not qualified for the job.

Would you hire a driver if the didn't have a drivers license?

Excessive restrictions like limiting downloads and access only emphasizes the employees incompetance.

For all of the money spent on antivirus software and appliances, I think a properly developed and implemented training program can be far more beneficial than the typical bandaids and wheel spinning.

"Social engineering" is so successful from the outside because companies fail with positive "social engineering" internally.