Exploring The Gap Between Cybersecurity Perception And Reality

Discussion in 'other security issues & news' started by Minimalist, Mar 10, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://www.forbes.com/sites/tonybr...-between-cybersecurity-perception-and-reality
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Hire an outside security consultant to conduct a full security audit. Make sure the consultant or firm is not connected in any way with anyone in an authority position in the company. Read the security audit report. Follow all the security audit recommendations without "penny pinching" on costs.
     
  3. guest

    guest Guest

    This is the proper solution, but in reality, this will almost never happen, except for big companies with big wallets; SMBs won't.

    The problem is that even if the chief admin has a good knowledge of what security measures have to be employed, he will be hampered by the CEO and his accountant manager. They would rather invest in ads than in securing the network until it is too late; and even then, they want a cheap solution. Saw it too many times.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The real truth is that the Powers that Be in large corporations just don't have the financial incentive to upgrade security, and I attribute this to Public apathy (definitely lack of outrage).

    Consider Home Depot: they suffered a breach in late 2014 where over 56 million credit card numbers were stolen. Home Depot was sued and eventually the Class Action Lawsuit was settled; the total cost of the settlement was about 25 million USD. But please note that after a very brief dip the stock gained and has continued to do so. Total market valuation gain has been about 35 BILLION USD.

    So 25 million is a totally insignificant sum, and even the security remediation was trivial (the below are directly from the Court ordered settlement):

    1). Performing routine assessments to identify risks to the security of customer information on its systems;
    2). Implementing reasonable safeguards to manage those risks;
    3). Educating and training its employees on the privacy and security of customer information; and
    4). Encrypting all payment card data at the time that the data is entered for a sale, implementing EMV chip card technology, and Home Depot cannot retain payment card data after the transaction is authorized.

    The monetary penalty was insignificant, the security upgrades are almost laughably rock bottom, and the Public could care less. So why should the CEO and the Board worry?
     