I believe user training is essential but we need to ensure that the amount of malware is diminished, reducing the possibility that a user action may infect the network.
We implemented firewalls with gateway antivirus, intrusion protection, and application control at each site, blocking encrypted key exchange and https proxy, what some ransomware use to fetch the encryption keys.
We also began filtering SMTP traffic using a third party appliance, reducing the amount of email received by close to 80%. All zipped or macro enabled attachments are quarantined on our mail server. Our customers/vendors are made aware of our requirements to limit these type of files, and for the most part, they comply.
The number of infections across the network have reduced dramatically, and all users, including our CEO, now inform the team of suspicious emails rather than opening them.