One thing missing from all these is a basic anti-phishing training for top folks in the company. Be sure that they who control financial string have a pre-agreed non-email pattern of, for example, CEO telling CFO to transfer money.