When I assess security, I start from my adage:
The only secure computer is one that is physically disconnected from any network, is a mile underground, buried in 10 feet of concrete, with an embedded Faraday cage.
Then I work my way up from there, evaluating, for every compromise I make, whether it's absolutely necessary.
Security measures will greatly depend on the organization, but here are some of the things I do (besides the obvious: not clicking on email links, not responding to "Nigerian princes", encrypting sensitive emails, etc.):
1) I turn off my cable modem when I go to sleep, or when I leave the house for more than 15 minutes. I have a convenient foot switch attached to it that I call the "ECH switch". I'll let you guess what it stands for. :)
My firewall logs show a break-in attempt every few minutes (port scans etc., mostly from Chinese and Russian IP addresses).
My computers are behind several layers of firewalls, but physically disconnecting my LAN from the internet for hours greatly reduces the window of vulnerability.
If everyone did this one simple thing, we could greatly increase the downtime and cost for the bad guys installing / running their botnets!
Even if someone's computer is already compromised and the person is completely incompetent, at the very least, it would cause an 8-16 hour downtime per bot ("zombie"). Millions and millions of botnet agents would be down for 8-16 hours, every day! This would be a huge blow for botnet operators.
2) Disabled WiFi in my modem.
3) The most sensitive computers (the ones controlling our robot prototypes, CNC machines, etc.) are physically disconnected from all networks, with their RJ45 jacks (Ethernet) disabled / desoldered and with no wireless hardware.
4) I don't allow any computer with any Microsoft software on the local network.
5) I obsessively back up my data and keep the backups off-site (encrypted), even in other countries when I travel. When I leave the house, or after working for more than an hour, I back up all my recent work.
This helps with regression testing, protects me from my own potential stupidity (accidentally deleting important files), and protects me from any kind of break-in plus ransom demand to release my data: I don't care. In the worst case, I can just pull the plug, reinstall the OS and get my data back from the backups.
For always-online servers, you should have one or more non-internet-connected fail-over systems ready to go, in case of an attack on the primary system, and a honeypot for luring away / catching break-ins.
Do some of these measures sound draconian to many people? Sure. It all depends on how much security you need.
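The post mentions firewall logs showing port scans every few minutes. As an added example (not the author's code or logs), the script below parses netfilter/iptables LOG-target style lines and flags any source address that probes many distinct destination ports, which is the usual signature of a scan as opposed to, say, repeated SSH login attempts against a single port. The log lines are constructed for the example and use RFC 5737 documentation addresses; the field names (SRC, DST, PROTO, DPT) follow the standard netfilter LOG format, and the threshold of five distinct ports is an assumption you would tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter/iptables LOG-target format.
# These are NOT real firewall logs; addresses come from the RFC 5737
# documentation ranges (203.0.113.0/24 = "attacker", 198.51.100.0/24 = "us").
SAMPLE_LOG = """\
Mar  3 02:14:07 gw kernel: [12345.678901] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=41000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:14:07 gw kernel: [12345.679001] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:14:07 gw kernel: [12345.679101] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:14:08 gw kernel: [12345.679201] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54324 PROTO=TCP SPT=41000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:14:08 gw kernel: [12345.679301] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54325 PROTO=TCP SPT=41000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:14:08 gw kernel: [12345.679401] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54326 PROTO=TCP SPT=41000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:14:08 gw kernel: [12345.679501] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54327 PROTO=TCP SPT=41000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:15:01 gw kernel: [12399.000001] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1001 DF PROTO=TCP SPT=50111 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 02:15:04 gw kernel: [12402.000001] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1002 DF PROTO=TCP SPT=50112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 02:15:09 gw kernel: [12407.000001] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1003 DF PROTO=TCP SPT=50113 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 02:16:30 gw kernel: [12488.000001] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
"""

# SRC/DST/PROTO are always present in a netfilter LOG line; SPT/DPT only for
# TCP/UDP, so that group is optional (ICMP and other protocols yield dpt=None).
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?PROTO=(?P<proto>\w+)"
    r"(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Return one event dict per parseable line: src, dst, proto, dpt (int or None)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line (e.g. unrelated kernel chatter)
        events.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto"),
            "dpt": int(m.group("dpt")) if m.group("dpt") else None,
        })
    return events


def detect_scans(events, min_ports=5):
    """Map each source that touched >= min_ports distinct TCP/UDP destination
    ports to the sorted list of those ports.  Many hits on ONE port (password
    guessing) is deliberately not counted as a scan; ICMP has no port at all."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["dpt"] is not None:
            ports_by_src[ev["src"]].add(ev["dpt"])
    return {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if len(ports) >= min_ports  # threshold is an assumption; tune it
    }


def scan_report(text, min_ports=5):
    """One human-readable line per suspected scanner."""
    scans = detect_scans(parse_log(text), min_ports)
    return [f"{src}: {len(ports)} ports probed: {ports}" for src, ports in scans.items()]


if __name__ == "__main__":
    for line in scan_report(SAMPLE_LOG):
        print(line)
```

Distinct-port counting is a coarse heuristic: a slow scanner spreading probes over days, or one that hits a single port across your whole address range (a horizontal scan), will not trip it. The first calls for a time window per source, the second for counting distinct DST addresses per port; both are a few extra lines on the same parsed events.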