1. Security is really about perception, and perceived barriers to entry.
2. Overly complex passwords end up being written down. Great if you already have secure locations that are difficult to access, bad if you have many public entries.
3. Sadly, MSFT was right about Security through Obscurity. The less visible a resource and entrances are, the less likely people are to try to hack them. The more boring, the better.
4. The most effective way to defeat security is through human social engineering. Every time. Without fail.
5. See 4.
6. But password encryption rules! See 4.
7. The greatest number of security breaches has always been through portable devices not secured properly and physically stolen or borrowed. Laptops, cell phones, those all have Internet. There's your most likely security breach.
8. See 7.
9. If you're worried about the NSA, CSIS or other agencies, you're wasting your time. They're already in your systems. But they're stupid, and have no idea about old school WW II and thereabouts tradecraft. Use that. It will drive them insane.
10. Most security methods from WW II are still useable. Dazzle paint still defeats human facial recognition. Ministry of Silly Walks still defeats pattern analysis of human following on security vids. Really. Kind of surprising, but true. Mostly because modern intel agencies are too stupid.