a quick case for layered defenses

Will a spam filter catch all malicious email sent to you? No.
Will a web filter block you from getting to all malicious sites? No.
Will a local antimalware tool prevent all malware from infecting your system? No.
Will your own diligence and paranoia weed out all email/web-borne issues? No.
Will reduced desktop rights protect your system? Not entirely.
Will your sandbox browser or script-blocking plugin stop everything? No (but close!).

Will any one of the above be the “right” answer for your business? No.
Will all of the above reduce your risk quite significantly? Yes, when done properly!
Will (broad) detection/monitoring of strange things catch the rest? No, but it should come close!

(This was prompted by some Starbucks spam email that made it through our filters today [despite a forged To address!], and a few users reported, but upon investigation I see our web filter is already blocking this domain. It simply illustrates that layered defense is paramount.)

It’s tempting to look at that sandbox/script-blocking as a best solution, but it’s also one that is entirely in the hands of the end user much of that time, specifically for script-blocking. For many people that I suggest use it, they end up getting sick of it and just allow everything or go back to using a poor browser choice. I’m not a big fan of security that users can turn off at will and without tracking or safety nets.