A further prevention strategy is ongoing user education and training. This should be consistent and regular so that security and new malware techniques are taught and kept top of mind. This helps develop a culture of security and avoids complacency or forgetfulness which can lead to a breach.
Part of education is developing policies for good security practices, and ensuring they are followed. Some offices will conduct or hire out tests where fake spam and malware vectors are sent to firm personnel to see if they react properly. If they unsafely open a test malware message, for example, it is an opportunity to provide further training and identify how to bring the risks home to personnel.
Another role of the policy is to lay out what to do if there is a breach. If the worst happens, there can be a wide range of emotions from confusion to panic. Since time is of the essence, having a comprehensive pre-prepared checklist of procedures to follow can be invaluable.