- Patch and Update Constantly: Ultimately the most hacker-resistant environment is the one that is best administered. Organizations are short-cutting system and network administration activities through budget/staff reductions and lack of training. This practice often forces prioritization and choices about which tasks get done sooner, later, or at all. Over time this creates a large, persistent baseline of low- to medium-risk issues in the environment that can contribute to a wildfire event under the right conditions. Lack of a complete asset inventory – both hardware and software – contributes to this risk as applications and devices become unmanaged. Staying on top of patching, system/application updates, end-of-support/life platform migrations, user administration, and configuration management is tedious, time-consuming, and generally underappreciated; but this activity, more than any other single task, will reduce the risk of cyber events in an organization and dramatically reduce the risk of opportunistic attacks.
- Email Security: Email is the number one entry point for malware into the enterprise. No surprise really. Given all the data that have pointed to this as the root cause of many breach events, it should be the next place where organizations double down on security. It is very important that organizations take the time to be informed consumers in this regard and understand what threats the email controls are preventing and what the remaining exposures are so that a layered control model can be put in place.
- Endpoint Detection and Response: Most of that email is destined for a user who will click on attachments and potentially infect themselves with malware of some kind. The second most common malware infection vector is malicious web content, also an end-user action. As a result, it makes sense to have a thorough suite of controls on the endpoints and servers in the environment to identify and shut down viruses, malware, and other potentially unwanted programs. Making sure that all endpoints are under management and kept current will help prevent the whack-a-mole malware infections that can persist in environments with inconsistently applied controls.
- Segmentation and Egress Filtering: Just because a hacker or piece of malware makes its way into your environment doesn’t mean it should be able to spread to adjacent network nodes or waltz back out with your mission-critical, regulated data. Limiting the ability to communicate both across and outside the network, through a combination of controls such as firewall policies and requiring the use of proxy servers, is an often-overlooked opportunity for organizations to increase their security, limit the impact of an incident, and help prevent a network incident from becoming a public data breach.
- Robust Detection Control Infrastructure: History teaches us that prevention-centric strategies will fail and should be paired with detective controls to minimize time to detection and remediation. Make certain you have a well-tuned SIEM/SOAPA/SOAR infrastructure as part of your security architecture and that it is receiving logs that cover the internal network and applications as well as the perimeter. This includes tuning of endpoint, application, and network device logs to enable an early detection and response capability in the environment.
- Multi-factor / Multi-step Authentication: The majority of breaches involve the use of cracked, intercepted, or otherwise disclosed authentication credentials at some point. Use strong, multi-factor authentication methods by default wherever possible. Combined with the ability to detect and alert on failed login attempts, this practice can provide clues about which users may be the focus of targeted attacks.
Since many implementations of multi-factor/multi-step authentication involve an individual using their cell phone for calls or SMS messages, this does require that users take steps to secure their mobile phones. Entire articles have been written about this topic alone, but in short: make sure that the device is fully patched, running only trusted/signed applications from reputable app stores, and protected by a PIN or other access control. Check with your mobile provider about steps to prevent a malicious user from porting your phone number to another device/carrier. Lastly, use app-based authentication methods whenever possible, as opposed to SMS-based or phone call methods, to further protect yourself from number port-out schemes. Such steps can help reduce the risk of business email compromise (BEC) schemes and maintain the authentication security of corporate social media accounts such as Facebook™, Twitter, and Instagram™.
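One way to implement the failed-login detection mentioned above, as an added example that is not part of the original article: a small Python function that parses constructed authentication log lines (the log format and its field names are assumptions) and flags users whose burst of failures suggests they are being targeted, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed syslog-like auth format.
# Addresses are from documentation ranges; nothing here is real data.
SAMPLE_LOGS = """\
2024-01-08T09:01:12Z auth: login FAILED user=jdoe src=203.0.113.10
2024-01-08T09:01:40Z auth: login FAILED user=jdoe src=203.0.113.11
2024-01-08T09:02:05Z auth: login FAILED user=jdoe src=198.51.100.7
2024-01-08T09:02:30Z auth: login FAILED user=jdoe src=198.51.100.8
2024-01-08T09:03:00Z auth: login OK user=jdoe src=198.51.100.8 mfa=pass
2024-01-08T09:05:00Z auth: login FAILED user=asmith src=192.0.2.20
2024-01-08T09:06:00Z auth: login OK user=asmith src=192.0.2.20 mfa=pass
2024-01-08T09:07:00Z auth: login OK user=bng src=192.0.2.21 mfa=pass
"""

# Regex matching the assumed line layout; unknown lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: login (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)


def find_targeted_users(log_text, fail_threshold=3, distinct_src_threshold=2):
    """Return {user: summary} for users whose failed logins meet either
    threshold (total failures, or failures from distinct source IPs).
    A success after a failure burst is recorded so an analyst can check
    whether the account was reached despite MFA."""
    fails = defaultdict(list)  # user -> source IPs of failed attempts
    success_after = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, result, src = m["user"], m["result"], m["src"]
        if result == "FAILED":
            fails[user].append(src)
        elif fails.get(user):  # OK login following earlier failures
            success_after.add(user)
    alerts = {}
    for user, srcs in fails.items():
        distinct = len(set(srcs))
        if len(srcs) >= fail_threshold or distinct >= distinct_src_threshold:
            alerts[user] = {
                "failures": len(srcs),
                "distinct_sources": distinct,
                "success_after_failures": user in success_after,
            }
    return alerts
```

A user with a single failure from one address (asmith in the sample) stays below both thresholds, so the alert list only contains accounts worth an analyst's attention.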
Cybersecurity has always been something of a race between attackers and defenders. Organizations that steadily and consistently execute timely, data-driven decisions that are focused on risk reduction are more likely to win the day. Every organization, regardless of size, faces difficult choices about where to allocate its limited resources; and you can never eliminate the risk of a cybersecurity incident entirely. So, huddle up and decide how your organization is going to run the next phase of this race. After all, like the eponymous characters in “The Tortoise and the Hare” all we can do is run the race in whatever way we feel maximizes our chance of coming out on top.