Another time-consuming but worthwhile step: have only a company email system permitted (no private email), and have a spam/malware filter that stops ALL executable attachments, including anything in a compressed archive.
I see numerous attachments on a daily basis that are either identified as ransomware or almost certainly are new (unidentified) versions of the same. This, BTW, means stopping ALL Excel and Word files from going in (or out) without inspection. Tedious, YES; effective, yes.
It is by no means an entire solution; we are still vulnerable to mistakes, to illicit personal email, to official email containing malicious links, and to files coming in via portable USB and the like, but it sure cuts out a heap of potential issues.
Just to note, we also have a comprehensive backup scheme, including on- and off-site, with two backup locations on site. We would be vulnerable to a cleverly designed piece of ransomware that significantly delayed action and infiltrated multiple backup locations; we *should* see via alerts if one started encrypting before any backups/shadows were compromised, but new malware techniques may get around what we have. We also have a regular user education activity, reminding everyone of what to watch out for and what to do should they make a mistake.
The other point is that good practice is, IMHO, multi-layered protection and response. Everything from an anti-virus package (can't see the new ones, but there's still plenty of known ones to watch for), firewall policies to prevent inwards and outwards traffic associated with malware, scanning and blocking actively, education, backups and replication, etc., etc., etc.
And we could still get hit and lose "X" hours or days of data depending on how "clever" the infecting agent was. But at least we reduce our exposure. Would we pay? Maybe; if it was necessary, I guess so, but we do hope to make it not ever required. So far (cross fingers and everything else) we've escaped infection for years, and long may it continue.
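The attachment policy the comment describes (block every executable, even one buried inside a compressed archive; hold Word/Excel files for inspection) can be expressed as a small content-based triage routine. This is an added example, not the commenter's own filter, and it assumes the verdict names "block"/"inspect"/"allow" and a nesting limit of three archive levels; the sample attachments at the bottom are constructed, not real malware.

```python
import io
import zipfile

MAX_DEPTH = 3  # archives nested deeper than this are blocked (fail closed)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container

def classify(data: bytes, depth: int = 0) -> str:
    """Verdict by content, not filename: 'block', 'inspect' or 'allow'."""
    if data.startswith(b"MZ") or data.startswith(b"\x7fELF"):
        return "block"  # Windows PE or Linux ELF executable
    if data.startswith(OLE2_MAGIC):
        return "inspect"  # legacy Word/Excel, may carry macros
    if data.startswith(b"PK\x03\x04"):
        return _classify_zip(data, depth)  # OOXML document or a plain archive
    return "allow"

def _classify_zip(data: bytes, depth: int) -> str:
    if depth >= MAX_DEPTH:
        return "block"  # too deeply nested to inspect; refuse rather than guess
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block"  # malformed container cannot be verified
    if "[Content_Types].xml" in zf.namelist():
        return "inspect"  # .docx/.xlsx/.xlsm: hold for inspection
    verdict = "allow"
    for info in zf.infolist():
        if info.flag_bits & 0x1:
            return "block"  # encrypted member cannot be scanned
        member = classify(zf.read(info), depth + 1)  # recurse into nested archives
        if member == "block":
            return "block"
        if member == "inspect":
            verdict = "inspect"
    return verdict

def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, body in members.items():
            zf.writestr(fname, body)
    return buf.getvalue()

# Constructed sample attachments for the checks below (not real malware)
SAMPLE_TEXT = b"Meeting notes\n"
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ARCHIVE_WITH_EXE = _make_zip({"invoice.pdf.exe": SAMPLE_EXE})
SAMPLE_NESTED = _make_zip({"inner.zip": SAMPLE_ARCHIVE_WITH_EXE})
SAMPLE_DOCX = _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
```

A double extension such as `invoice.pdf.exe` never matters here because the verdict is taken from the bytes, which is the property that makes the archive check worthwhile.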