Most organizations are very bad at computer security. They don’t patch well, and they have short, simple passwords that don’t expire. Yet there are jewels in the rough. They implement a few defenses that are so successful that they outweigh other stuff that might have been missed. These are shared traits of highly successfully secured companies: Little to no permanent members in admin groups. Remove or forcibly patched Java, even Java. If you can’t keep it patched all the time, get rid of it. You don’t need all the tasks that being a member of a super group allows.”]