The most effective security practice you can adopt is to strictly isolate any internet-connected PC from the computers that handle important data. But this requires people to have two (or more!) separate computers, and it is rather annoying.
More convenient is to allow internet access only from ephemeral VMs that you connect to via RDP or a similar protocol.