JumpCloud provides a lot of authentication for a lot of companies. Because of this, it is assumed that they are going to be hit by nation states, and they are going to need to prepare for that. None of this is rocket science.
This kind of arrogant bullshit aggravates the hell out of me. You think it's simple to protect against state-sponsored hackers? You think all you need to do is follow some "Best Practices" guide? Think again.
As an Administrator, you can follow every best practice, and patch 1,000 vulnerabilities, and it only takes one exploit to knock you over.
Let's consider just one best practice - the timely install of security patches. Do you know what happens when Microsoft releases a security patch? Assume it's for a newly-discovered vulnerability that they have been keeping secret until a patch was available. As soon as the patch is released, hackers will reverse engineer it to see what software components it affects, and will figure out how the vulnerability can be exploited. Then, because they are constantly port-scanning huge portions of the Internet and logging open ports, including specific version information on listening software, they will already have a list of vulnerable targets to be attacked. Then, after gaining a foothold on the network, they'll use hacking tools and additional exploits that you've never heard of to move laterally.
People who've ever been on the receiving end of a sophisticated attack don't go around yapping about how easy security is.