More to be scared by! But it is so easy to inadvertently infect a machine just by visiting an infected site, or to fall victim to a phishing attack by visiting a rogue site that looks genuine. Aside from educating employees, there are other easy steps that can be employed to limit the risk.
Web protection limits access to malicious sites
Create blacklists and whitelists of sites (determining which can be accessed)
Set schedules for different types of activity
Protect employees from inadvertently accessing unpleasant content