is there a guide for corporate cybersecurity?

I can see faulting them for these lapses in security, but on the other hand I also don't have a guide in mind to point them to that they should make use of instead (obviously the guide they had was insufficient)