You know what works better than end-user education? More secure software and better default prompts. Don't expect end-users to make the right decision; instead, decide for them. Macro viruses didn't go away until the default option was not to run the macro. File attachment viruses didn't minimize until most of them were blocked and it became harder to run them in the first place. Autorun USB worms didn't go away until Microsoft forced out a patch that disabled autorunning from USB keys as a default.
End-user education has never completely worked because it only takes one person, making one mistake, to infect your whole company. But you can reduce risk by producing better, more targeted end-user education.
Security fail No. 5: Password strength won't save you
Here's a frequently repeated security mantra: Create a strong password, one that is long, complex, and frequently changed. Never mind that users are famous for reusing their passwords across multiple websites and security domains, for being tricked into typing their log-on credentials into fake authentication prompts, and for giving their passwords to random emails. Heck, a large portion of the population will give out their real password to strangers on a street for a smaller dollar gift. (The last statement has been tested over many years, in different countries, by many different survey companies, and the result is shockingly the same.) Many of your end-users simply don't care as much about their password as you'd like.
The bigger problem now is that most hackers don't care either. They trick an end-user into running a Trojan program, get admin access, harvest the password hashes, then reuse them. A password hash is a password hash, and one from a strong password looks and feels no different than one from a weak password.
Security fail No. 6: Intrusion detection systems can't determine intent
IDSes (intrusion detection systems) are the kind of security technology you want to believe in. You define a bunch of "attack" signatures, and if the IDS detects one of those strings or behaviors in your network traffic, it can proactively alert you or possibly stop the attack. But like the rest of the security technologies and techniques on display here, they simply don't work as advertised.
First, there's no way to put in all valid attack signatures needed to account for the malicious activity heaped on your enterprise. The best IDSes may contain hundreds of signatures, but tens of thousands of malicious attempts will hit your systems. You could add tens of thousands of signatures to your IDS, but that would slow down all monitored traffic to the point where it wouldn't be worth the effort. Plus, IDSes already put out so many false positives that all event alerts end up being treated like firewall logs: neglected and unread.
But the demise of the IDS is due to the fact that most bad guys are piggybacking on legitimate access. How can an IDS tell the difference between the CFO querying his financial database and a foreign attacker using the CFO's computer and access to do the same? They can't -- there's no way to determine intent, which is needed to decide if the network stream should create an alert or be passed as normal, operational business.
Security fail No. 7: PKI is broken
Public Key Infrastructure is mathematically beautiful in every way. I love it, and I install a fair amount of PKI in businesses each year or improve on the ones they have. The problem is that many of PKIs are hideously configured, woefully insecure, and mostly ignored, even when they function perfectly in the public sector.
In the last year or two, we've seen several legitimate public Certification Authorities be horribly hacked. They've allowed hackers to gain access to their signing keys, which should have been protected more strongly than any other information in their environment, and to issue fraudulent keys for use by other hackers, malware, and possibly interested governments.
But even when PKI is perfect, remaining strong and unhacked, people don't care. Most end-users, when warned by their browser that the presented digital certificate is untrusted, can't wait to click the Ignore button. They're happy to bypass the security inconvenience and get on with their computing lives.