I've been saying for a long time that one thing that companies can do to meaningfully increase their security is to NOT install default routes on most machines.

Put in routes for your local networks and applications, set up a proxy server for any legitimate traffic that needs to "exit" the network (i.e., go to the Internet), and simply drop anything else.