"Even though this lady was doing the right thing, in this environment in Spain, it seemed like the men overruled the women," says Milam.
Despite the company's ultimate failure to protect itself, however, the initial resistance was a good start and in some cases might have even been enough to deflect less persistent threats. Other simple measures that make life more difficult for attackers -- like limiting egress points or having all employees funneled through one point, says Milam -- go a long way, too.
Perimeters are expanding too, which also has to be taken into consideration when planning security. "There has to be more than one security perimeter," says Besse. "Barriers have to be designed in perimeter zones, so if a perimeter is breached, that doesn't put the adversary in direct contact with the asset. It provides the earliest warning possible that someone or something is attempting to penetrate the security of an organization."
Even the outermost zone should present a difficult front for adversaries, however, because the more adversity an enemy encounters early on, the better. As Besse points out, attackers aren't going to waste their time on targets that stonewall them.
"This is a core premise I've noticed over years in the field: attackers attempt to breach the perimeter, and if they determine it's difficult, they often move on," says Besse. "They're going to move onto the path of least resistance."
That's why, he says, regardless of what you're protecting, you obviously don't want to be the softest target. But the other side of the coin is that being the hardest target doesn't always make for an easy road either.
"You might want to be the hardest target," says Besse. "If you're the government protecting nuclear weapons or military assets, then you might very well want to be the hardest target. But there's going to be a cost associated with that."
So if a company is dealing with a budget, like most organizations or enterprises are, they should perform a thorough assessment of their risks and whether or not they're really all that great. From there, they can determine what their potential losses are and what their level of protection should be.
"And sometimes," says Besse, "being the hardest target makes you an attractive target."
Sign up for CIO Asia eNewsletters.