Slap EMET 4.1 on there or at least set DEP to be running on all software.
Just make sure no ancient software is used and it's Vista and above.
I'd also slap CryptoPrevent on there as well to stop the CryptoLocker. You have to pay a fee if you want the updates, but even the free version locks out some of the routes CryptoLocker uses to get its claws in. Might just save the day.
I know web owners hate this, but for their own safety also slap an AdBlock on the browser too.