In Information Security, “best practices” are commonly referred to but rarely practiced. This is the cause of most of the breaches and hacks that plague us today.
One best practice that isn’t sexy, but is incredibly necessary, is updating. Patching is often a battle with different business units, which means a breach is inevitable. Possibly the hardest part of being an information security professional is convincing the business to do what is best for it. This is where understanding the business, and being able to speak the same language as the executives, is key. It also helps if you have the data to back you up, but that is another topic.
At RSA 2018, Dave Hogue, Technical Director for the NSA, discussed how they secure themselves from 0-days using their own principles, including hardening to best practices. We live in a world where our adversaries are able to engineer attacks for disclosed vulnerabilities faster than most organizations are able, or willing, to patch. If you would like to keep your organization secure, you will need to find a way to convince it to keep up with patches and to follow as many other best practices as possible.
And if you need a list of best practices, there are plenty out there to choose from.