Most users are woefully untrained in security, yet many are given full administrative rights not only to their local machines but in some cases to servers as well, and can change the configuration of these machines.
Most understand that virus protection software needs to be turned on, but will not check whether they have the most current patch.
Emails should be sent out instructing users to check their virus patches and make sure they are updated, to make sure automatic updates are turned on, and to install the automatic updates. The emails should also carry warnings about current viruses, spoof emails and any other security issues.
There should be periodic workshops on security where policies and procedures are reiterated and reviewed.
To a large extent, systems can be locked down, but users present the greatest single area of vulnerability.
To summarize, follow a best-practices incident response checklist.