Version 3 of the SANS 20 Security Controls includes integration by the leadership of the Australian Defense Signals Directorate. This includes 35 Mitigation Strategies that were developed and prioritized to prevent targeted computer attacks. Four of these are listed as mandatory and are known as the Sweet Spot.
These are Patch Applications, Patch Operating Systems, Minimize the number of users with domain or local administrator privileges and Application Whitelisting. These areas will be explored in detail and serve as a means to get wisdom as cheaply as you can.