3 main problems currently. Spam coming in through the email, spyware filling up PCs with crap, and 'spivs' who plug insecure PCs into the network.
1) For spam we use 'Ironmail' from Cyphertrust. We're getting ~84% spam, but the 'Threat Response Updates' are to spam what updating antivirus definitions is for AV apps. Ironmail is stopping all but a few spam to each account daily. Problem is, there's a lot to configure: it takes a great deal of tweaking to ensure 20,000 accounts get their email but not their spam.
2) Spyware is mostly a problem in classrooms on shared PCs which have scores or hundreds of different people logging into them each week. We've now deployed 'Deepfreeze' which discards any changes made to the hard drive, every time the user logs out. Sweeet. We've had to introduce a one hour update window starting at 3.30am to allow AV DATs and the OS to accept updates. It's a reasonable compromise.
3) The fix for the Spivs is a) education and b) automatic network port checking by Cisco. Firstly we're writing web documents explaining how to connect securely and keep updated. Secondly, we're upgrading the core network to allow us to deploy a Cisco product that will check PCs that plug into network ports. If they're not up to the latest patch level, they can only get through to a 'sandbox' where they are informed of the fact and given an opportunity to patch their PC.
The core upgrade is expensive and will take some time. Also, the Network Manager is repeatedly making unilateral security decisions and pissing everyone off. One hopes he can be persuaded to be more civil RSN.