I tell folks that there are different levels of security, and that your security measures will need to vary depending on what and who you're concerned about.
- If you're only concerned about keeping out the "casually curious," don't leave your WiFi open and don't use outdated protocols (802.11b with WEP, WPA, TKIP, WPS with PIN). Different levels here are comparable to either locking your screen door, closing the front door, or locking the front door. They won't stop the motivated and skilled. This same kind of level (with a different focus) can apply to how staff use email and the Internet in general.
- If you're concerned about the motivated and skilled, you need to do things to stop targeted attacks. That may mean people trying to crack WiFi encryption so take steps to prevent that from being a problem (key rotations, WPA2 Enterprise vs Personal, client VPNs on WiFi, etc.), or it may mean spearphishing with targeted email with malicious attachments. This is also where you really need to start looking at human factors and serious network segregation and monitoring - why try to crack your WiFi if I can get someone a temp job cleaning your offices?
- High-budget motivated and skilled changes a lot of things - the steps you'd take at lower levels may help here, but if you have information on your network that someone would pay $50,000 to get from you, then there's a pretty good chance they're going to get it and it may not involve your computers at all - just janitorial staff or even a skilled new employee. Frankly, I don't have any clients that I'd consider to be at this level - or if they are, I don't know about it and I'm not sure they do either.
- Governments and government agencies. If you're being directly targeted by someone who can be considered to have effectively unlimited resources and you're an organization of any significant size, it's going to be very hard to provide security that will protect your secrets.
The effort for level 1 is all the stuff you really need to be doing anyway - firewalling, antivirus/antimalware, patching, smart WiFi policies, simple user training, etc. Most customers probably should be somewhere at the high end of level 2, but honestly are more likely to be in the midrange - background checks, better employees and a little more training, Business Associate Agreements, device policies, an extra layer of email filtering, servers in a locked closet, etc., but probably not a network configured to lock out ports or segregate them at the hardware level when unknown MACs are detected, server room access monitoring and 24/7 camera surveillance, etc.
In theory hospitals and the like should probably be somewhere between the top end of level 2 and ideally somewhere into level 3. That's going to include the network-level lockouts I mentioned ("Only systems blessed by IT and with their MACs known get connected to internal networks"), more active auditing of activity and possibly automated lockouts for strange activity patterns, more separate logins to discrete systems, 2-factor auth for more places, maybe even integration of work schedules and access controls to systems ("Jane's not scheduled this week and she's in pediatrics, so why is she looking at medical records for cardiac patients?"). I don't work directly with any hospitals, but I've seen a lot of tightening of hospital system security assisting customers who are connecting to hospital portals.
If you need to be concerned about level-4 stuff you're definitely not my customer, but the basic options are: It's your own government looking into you and you have serious problems, or it's some other government looking into you and you'd best enlist the assistance of your own to counter it.
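The "Jane's not scheduled this week and she's in pediatrics, so why is she looking at cardiac records?" check from the level-3 discussion above can be made concrete as a small detection pass over access-audit lines. The following is an added example, not code from the commenter or from any particular hospital system; the roster, the ISO-week scheduling model and the five-field log format are all constructed assumptions for illustration.

```python
"""Schedule- and department-aware review of record-access audit lines.

Added example (not from the original post). It flags three things a reviewer
would want to see: access by a user not on the roster, access during a week
the user is not scheduled, and access to records outside the user's home
department. Roster and log format are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed staff roster: home department plus the ISO weeks each person is
# scheduled to work. A real deployment would pull this from HR/scheduling.
ROSTER = {
    "jane": {"department": "pediatrics", "scheduled_weeks": {6, 7}},
    "raj":  {"department": "cardiology", "scheduled_weeks": {7, 8}},
}

# Constructed audit-log lines: <timestamp> <user> <action> <record-dept> <record-id>.
# 2024-02-14/15 fall in ISO week 7; 2024-02-19 (a Monday, late evening) is week 8.
SAMPLE_LOG = """\
2024-02-14T09:12:03 jane VIEW pediatrics P-1001
2024-02-14T09:15:41 jane VIEW cardiology C-2203
2024-02-19T22:48:10 jane VIEW cardiology C-2207
2024-02-15T11:02:55 raj VIEW cardiology C-2203
2024-02-15T11:05:00 mallory VIEW cardiology C-2209
"""


@dataclass(frozen=True)
class Finding:
    user: str
    record: str
    reason: str
    when: str


def parse_line(line):
    """Split one audit line into (datetime, user, action, record_dept, record_id)."""
    ts, user, action, dept, record = line.split()
    return datetime.fromisoformat(ts), user, action, dept, record


def review_access(log_text, roster=ROSTER):
    """Return a Finding for every access that contradicts schedule or department."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, _action, dept, record = parse_line(line)
        stamp = when.isoformat()
        entry = roster.get(user)
        if entry is None:
            # Unknown identity in the audit trail is itself worth a look.
            findings.append(Finding(user, record, "user not on roster", stamp))
            continue
        week = when.isocalendar()[1]
        if week not in entry["scheduled_weeks"]:
            findings.append(Finding(user, record, f"not scheduled in ISO week {week}", stamp))
        if dept != entry["department"]:
            findings.append(Finding(
                user, record,
                f"record department {dept} outside home department {entry['department']}",
                stamp,
            ))
    return findings


def findings_by_user(log_text, roster=ROSTER):
    """Aggregate findings per user so the noisiest accounts surface first."""
    counts = {}
    for f in review_access(log_text, roster):
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f"{f.when} {f.user:8} {f.record:7} {f.reason}")
    print(findings_by_user(SAMPLE_LOG))
```

On the constructed log this yields four findings: Jane's in-week cardiology lookup (department mismatch), her week-8 lookup (both unscheduled and out of department), and the unknown "mallory" account; Raj's in-department, in-week access is silent. The department rule is deliberately strict here; a real hospital would need a cross-cover allow-list, which is exactly where the "human factors" part of level 3 shows up.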