This is such a good post! Covers everything from patch & password management to network segregation, wireless security, mobile device policies, out-of-band access, 2FA, network access control, encryption, …
If you can implement 50% of this list you’ve already made it significantly more difficult for attackers to compromise your environment.
This post is not supposed to be a complete list of steps a company should take when securing a network, system, or company – but more of a handy reference for when companies ask me: “Where do we even start?” Which happens about once a week…
Source: Security is Hard: Where Do I Start? — GracefulSecurity