Securing Your Network
One of the things that you should do in securing your network, is to limit internet access to only the sites that a particular station needs. For example, a Point-Of-Sale workstation usually only needs to be able to access the internet in order to validate credit and debit transactions. When that is the case, then your firewall should be configured to only let those stations through to the sites they need for authorization.
By limiting the access of those stations to only the card processor site, it prevents users from randomly browsing web sites during slow times. Thus, they cannot be checking their personal email or checking out the latest funny videos. This is not to punish them, but rather to eliminate those common vectors of attack. It prevents those viruses and malware-bearing emails from being read, and their payload potentially being unleashed on your workstations. It also prevents those drive-by downloads from malicious sites, from doing the same.
Obviously, there will be stations that need to access additional sites. However, if these sites can reasonably be limited to just those sites that need to be accessed, they should similarly be limited. It may be possible to limit those stations to only your company email, vendor sites, your store web site, etc. Additionally, those stations should be restricted to use by only those users that need to be accessing the sites that the stations are being allowed access to. Those users should also be trained on what to be aware of when accessing outside sites. In particular, the user or users that are accessing the company email should be trained on how to recognize potential phishing, or other malware, type emails.
Limiting the avenues that expose your network to outside contact, can go a long way towards preventing the network from being compromised. Such limits are often evaluated from the perspective of limiting outside access in. Access restrictions should be evaluated, and restrictions imposed from your network out, as well.