how do corporates mitigate the risk?
Many (and that is an operative usage of the word) ways - SOE sites,
multi-layered defenses, dedicated staff, very limited rates of change,
prohibition (or risk the sack) of games and dodgy surfing, segmentation,
monitoring tools, audits (and more no doubt).
But I feel for you and others that don't have any or all of these resources.
Cheers, Frank.