To decrease security risk, most companies try to do too much. They have dozens of "top priority" security projects, few of which they ever complete and even fewer that are done well. The irony: Little of that activity addresses the threats most likely to compromise an enterprise.
The No. 1 defensive measure any company can take is to prevent unauthorized programs from running on any computer. Most often, bad guys break into companies through holes in unpatched software -- and when they do, they almost always end up running hacking tools. Prevent those hacking tools from running and you'll reduce risk by 99 percent.
The best way to do that is to use an application control program, aka whitelisting software. Basically, you allow only those programs on the list to run and block everything else.
I realize we live in the consumerization era, where you're supposed to be able to download apps and subscribe to cloud services to your heart's content. But at a certain point -- especially if your company has high-value information worth stealing -- you have to ask yourself: Do I or don't I want to stop attacks?
Here's my own personal cliché about whitelisting: The single best thing you can do to prevent hacking is to use whitelisting programs. If you can't, then you have to do everything else. And everything else will not work.
Clearing the whitelist hurdle
Whitelisting programs are notoriously hard to deploy in a corporate environment. Most people and most cultures won't stand for being told what they can and can't run. Management must truly understand that only whitelisting can shut down hacking. Without total support from management, you won't get a whitelisting project off the ground.
At least, you won't be able to get it deployed across the company. But as a sort of pilot program, you can deploy whitelisting on your company's servers, which change rarely in comparison to the average user's computer. Most infrastructure servers (file servers, DNS, Active Directory, and so on) are great places for whitelisting proof-of-concept projects.