Here's a small scenario we saw recently.

A small company (~100 employees) is hit by ransomware - hardly newsworthy, but the backstory should be of interest to folks here.

First some background to set the stage:
==========================================
60% of SMEs that are hit by ransomware don't survive, and the bigger cases are in the news almost every day, so knowledge of the risk is obviously widespread. So what happened here?

We're in an interesting position to have a little more insight into this than many. On the one hand, there are the B2B hardware sales, so we get the panicked calls from IT people needing hardware asap to stand up a "clean" environment.

On the other hand there's the support, managed services and forensics side of the house, where we may get a request for assistance from somebody who found us online or by word of mouth.

But the common thread in virtually all of these conversations is: "we thought we were secure".

But why? Most modern security applications can detect and stop ransomware long before it does any damage, and in almost every case what got in was something that's been around for a few years already.
Why are companies still getting hit with "old" attacks?

There are a few reasons:

#1 - complacency - security is an ever-changing landscape; the system that was "the best" two or three years ago may be mediocre now, or even the worst.

#2 - depending on one system for protection - not only is cybersecurity ever-changing, the rate of change is such that no vendor's suite of products is ever perfect; each one is like a slice of Swiss cheese, and multiple layers are needed to cover the holes!

#3 - ignorance - internal IT staff are not dealing with a wide range of environments every day and frequently "don't know what they don't know", which can result in massive lapses that go completely unnoticed. Practices which would have been perfectly acceptable ten, or even five, years ago may be a serious risk now.
==========================================

So what happened in the case of the failure I mentioned at the beginning? The company had recently been sold - in the few years of preparation for the sale, the owners had held off on every IT expense possible to make their numbers look better, including the renewal of a couple of key endpoint security services. (When their internal IT person objected strenuously, he was laid off.)

In short, have a third party sanity-check things (and I don't just mean penetration testing - that's just one of many tools in the toolbox).

So who does that? You'll be looking for an IT service provider who understands the company's industry, works with companies of similar size, budget, etc., and has staff with enough years of experience to know that every environment has a "history" and that sometimes even small things may be the way they are for a reason.

This kind of review is cheap insurance: it doesn't actually take very long, it's relatively inexpensive, and it could save you from huge losses!