From some limited experience and reading it appears the a lot of hacks are not the result of breaking into a server via brilliant computer engineers but rather workers opening emails with attachments or links.  The other source is workers using personal phones logged into company servers or even company phones that aren't secured.

I've tried to get people to ignore and delete emails from credit card companies, banks and a multitude of fake companies but people are always concerned "it might be something important."

It's maddening.