It may sound obvious, but it's usually your fault if an account in your control is used to do crime.  There are tests of reasonableness, and employees are usually not held personally liable for errors made in fulfillment of their job duties, but if you own the business, the loss falls on you.  

Phishing is just a con artist trying to swindle you over email.  There's nothing new about it, and will probably always exist.  

Edit: see a second response here addressing more specific scenarios.

I enjoyed this recent piece by Troy Hunt, the celebrity creator of havibeenpwned.  He departs from his usual technical topics, instead discussing the skills he's had to practice in the last year to stay effective while under more stress.  Call it confirmation bias if you want, but I already believe in the strategies he describes - being goal oriented, thinking of setbacks and failure as normal, and stable routines.  

I especially like a new twist he adds to his goals:

Regina is a rock of her community.  She has run a bakery/cafe in Memphis for 20 years, which now hosts some kind of event, group, or local music almost every night.  When she gets involved in a community cause, she often offers to host at the cafe.  She works hard to welcome everyone, and her customers are loyal.  Regina is proud of the difference she has made in the community and the re

A lot has been written about Agile and its faster and crazier sibling DevOps.  I won't repeat it all here, but I'm generally sold.  For those that aren't convinced or are trying to convince others, you may like this great infographic that explains the most important parts.  This time, it's an artist describing their process of creation, but the same lessons hold: failure (that is: a non-ideal outcome) is not shameful.  It is an inherent part of creation, and to think otherwise is just lying to yourself.  Building something of va

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

There are several standard processes that most organizations will need to keep the inventory healthy and credible.  Some can be integrated with existing processes, but none can be totally eliminated.  CSC 1.6 proscribes the largest and most important kind of standard work: triage.  

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

 

1.1: Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2: Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.