There is a balance between going back to paper and double-entry books versus putting the whole thing so close to the Internet that a single compromised box can make it easy for an attacker to slurp everything down. There are also tools to help separate data, but yet allow people to do their daily jobs.
VDIs come to mind. If one can serve up apps from different desktops, a user can have an external Web browser, internal Web browser, E-mail, the internal finance application, with appropriate separation between all of them.
On a different level is putting assets behind Citrix or RDP. The user can manipulate them, but doesn't have access to fetch the files. This helps limit potential damage, the worst thing being RATs, next would be screenshot snappers/keyloggers, but again, the signature of a RAT should be detected by the network IDS/IPS, especially if that network doesn't allow access to the external Internet other than through an application.
So, there is a balance between unfettered Internet access and a complete airgap, with security maintained. As an extreme, there is always moving back to a text terminal emulator and using SSH or even a 3270 emulator as opposed to going all the way back to paper and pencil.