Some facts:

1. Per the National Institute of Standards and Technology of the Department of Commerce, the biggest risk in maintaining cyber security is that people suffer from “security fatigue.”  We are tired of all those passwords and security questions and verifications.  We take shortcuts.  We reuse and do not change, and we duplicate, passwords.
2. 95% of evil hacks start with phishing, sending an email seeking to trick the recipient as to the identify of the sender; and of these, the majority and the most effective are spear fishing, not general emailing.  The hacker has information about you, your employer, your job, enough to make the communication seem authentic.  As these are one-offs, they cannot be blocked by a spam filter.
3. The incidence of successful hacks via people far exceeds the hacks on “systems.”  Of course, even one soft spot (eg person) in a given organization is all you need.
4. A program presented in my law firm cautions as to possible vulnerability of commercial drop boxes, where the data may be shared and where search warrants are generally honored and without prior notice to the data owner.
5. A visitor to your office may want to plug in a thumb drive to download information or print it.  OR to prepare access to the system after the visitor leaves.