In Roger A. Grimes’ article “Security rule No. 1: Assume you're hacked,” he notes that the best way to prevent hacking is to lock down computers and restrict what software can run.
Second, the best way to prevent hacking is to lock down workstations and servers and to allow only pre-approved software to run on them. Most IT departments have no idea about what is and isn't running on all the computers under their control. Use a software inventory or an application control program to learn what is running, review each active program, approve what is needed, and prevent the rest from running. If you can't take this step, then it's probably a losing battle -- but there are other less successful mitigations.
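The inventory, review and approve loop described above, sketched as an added example that is not from Grimes' article: it compares a software inventory against an approved list keyed by SHA-256 and builds the review queue. Host names, file names, file contents and the function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for binary contents; a real inventory hashes files on disk.
BINARIES = {
    "winword": b"constructed-office-binary",
    "backup": b"constructed-backup-agent",
    "backup_modified": b"constructed-backup-agent-modified",
    "toolbar": b"constructed-unknown-toolbar",
}

# Output of the review step: SHA-256 of each approved image -> approved file name.
APPROVED = {
    sha256_hex(BINARIES["winword"]): "winword.exe",
    sha256_hex(BINARIES["backup"]): "backupagent.exe",
}

# Constructed inventory rows: (host, file name, SHA-256 of the running image).
INVENTORY = [
    ("ws-01", "winword.exe", sha256_hex(BINARIES["winword"])),
    ("ws-02", "winword.exe", sha256_hex(BINARIES["winword"])),
    ("ws-01", "backupagent.exe", sha256_hex(BINARIES["backup"])),
    ("srv-01", "backupagent.exe", sha256_hex(BINARIES["backup_modified"])),
    ("ws-02", "toolbar.exe", sha256_hex(BINARIES["toolbar"])),
    ("ws-03", "toolbar.exe", sha256_hex(BINARIES["toolbar"])),
]

def classify(name, digest, approved):
    """Approve by hash only; an approved name with a different hash is suspicious."""
    if digest in approved:
        return "approved"
    if name.lower() in {n.lower() for n in approved.values()}:
        return "hash-mismatch"
    return "unreviewed"

def review_queue(inventory, approved):
    """Group non-approved binaries; mismatches first, then by number of hosts."""
    hosts = defaultdict(set)
    for host, name, digest in inventory:
        status = classify(name, digest, approved)
        if status != "approved":
            hosts[(status, name, digest)].add(host)
    order = {"hash-mismatch": 0, "unreviewed": 1}
    rows = [(s, n, d, sorted(h)) for (s, n, d), h in hosts.items()]
    return sorted(rows, key=lambda r: (order[r[0]], -len(r[3]), r[1]))

if __name__ == "__main__":
    for status, name, digest, where in review_queue(INVENTORY, APPROVED):
        print(f"{status:14} {name:16} {digest[:12]} hosts={','.join(where)}")
```

Entries in the queue are either approved after review and added to the list, or left off it so the application control program prevents them from running.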