One of the biggest threats to an organization whether in the commercial or government sector is being compromised and not knowing it.

One of the biggest threats to an organization whether in the commercial or government sector is being compromised and not knowing it. Advanced Persistent Threats (APTs) often use covert malware that sits inside of a network for months or even years exfiltration sensitive information of interest to the attacker. A traditional way of implementing cyber security is to protect everything with a firewall. While this is important to do it is also true that even if everything is secure on the perimeter the weakest link can be the users on the inside. If an attacker can socially engineer their way into a network with a phishing attack, then they are able to bypass the perimeter security. This is one reason that there has been a paradigm shift among some security professionals and security companies to assume a state of compromise. Those that adopt this shift are focusing more resources on detecting and responding and less on prevention technology.

Given this information, you have just been assigned by your employer to provide some best practices and a plan to defend against advanced attacks.  What would you recommend and why? 500 words w/ references