While some hacks truly are sophisticated nation-state attacks, many more are the result of simpler exploits or just social engineering. After the details of such a compromise are released, people comment that organizations should be doing at least the "basics" or "fundamentals." So what are the fundamentals? And at what point do you cross over into intermediate or expert practices?
I have my opinion, but let me first share a couple of official lists: