You rob banks because that’s where the money is.
“Scam Targets Tax Data,” The Wall Street Journal, April 4, 2016 C1. Scammers spoof an executive to get others to send huge files of W-2 forms or similar information, that can then be used to file and collect fraudulent refunds.
The weakest link isn’t your IT infrastructure and firewalls, but rather your gullible employees. How does the company prevent its employees from doing dumb stuff with highly sensitive documents?