"No money for training of staff on phishing or spotting other malware"
should that really be a factor?
we have 8000 totally I.T illterate doctors and nurses. busy ones.
There is no way in hell one of the 8000 isnt going to click on a dodgy email, no matter how much training you force feed them.