You can never protect yourself 100%. What you do is protect your self as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.
The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.
Both social engineering and technical attacks played a big part in what I was able to do. It was a hybrid. I used social engineering when it was appropriate, and exploited technical vulnerabilities when it was appropriate.
Any type of operating system that I wanted to be able to hack, I basically compromised the source code, copied it over to the university because I didn't have enough space on my 200 megabyte hard drive.