by freehunter
4170 days ago
The idea is that you shouldn't focus on making yourself "unhackable", because that is not possible. It's not possible to have 100% security. A skilled and determined attacker will likely get inside to some extent, even if it's just malware or access to an old unused server. The point is to make detection and remediation important parts of risk management as well, not just prevention. Prevention is spell check; it's not always going to catch everything. Because the reality is, anyone (to your point, not necessarily everyone, but certainly anyone) can be hacked. Rather than focusing exclusively on a hard crunchy shell, make sure you can detect someone already inside and lock them down when you do. Corporate security needs to be right 100% of the time. The attacker only needs to be right once. But yes, it's certainly possible that everyone can be hacked, and for certain definitions, it's completely likely that every company will be or has been hacked (if you include malware and information disclosure). How much malware is on your network that you don't know about?