What companies should be doing to protect their computer systems—but aren’t.