Interesting article; it mirrors a discussion I was having with a friend who has recently had to manage a few cases of Cryptolocker for some big clients. I basically made the argument that it shouldn't be possible for a user with poor knowledge to infect their network in the first place. If something can go wrong, then it will go wrong when we're talking about big companies with lots of staff. Even if someone opened a malicious attachment on one of my personal machines, it wouldn't be able to do anything, for many reasons; but the companies he provides support to don't all treat IT security as much of a priority, so some are vulnerable to all sorts of things. Personally, I think it's not difficult to have a setup that can passively resist most mechanisms of infection, and to replicate that setup across the network, then focus user education on information security: protecting passwords, recognising social engineering, using secure methods of transferring information, etc., while keeping things convenient enough to be usable, because otherwise people will use simpler (and more insecure) alternatives.