Allegedly, on or about 10 May 2016, Patrick O'Callaghan sent:
Much more important is to keep tight control of logins from outside your network. Only allow SSH, don't allow it to the root account, only allow it using token (not password) access, and run fail2ban.
If you run externally accessible mail services, then you should disallow plaintext authentication. That will stop mail clients from transmitting the user's password in the clear. Likewise, if there are web server pages that require a login, ensure it's only allowed through an encrypted connection.
You should probably disallow it even for internal services; there could be something snooping on traffic elsewhere on your net. While some will say the war is already lost if they're doing that, I tend to feel that you're checkmating them if they can't get anything useful.
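The two SSH settings recommended above (no root login, no password authentication) are easy to state and easy to get wrong in a long sshd_config. This added example, not from the thread, audits a config file for them; the file names and sample configs are constructed, and it assumes "keyword value" lines with no Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the SSH hardening settings
# discussed in the thread. Sample configs below are constructed.

# Effective value of a directive. sshd uses the FIRST occurrence of a
# keyword (later duplicates are ignored), keywords are case-insensitive,
# and a comment only starts at the beginning of a line.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match"  { exit }          # stop at conditional blocks
        tolower($1) == key      { print $2; exit }
    ' "$1"
}

# Return 0 when root login and password authentication are both denied,
# 1 otherwise, naming each directive that is unset or too permissive.
audit_sshd() {
    f="$1"; rc=0
    root=$(sshd_value "$f" PermitRootLogin)
    pass=$(sshd_value "$f" PasswordAuthentication)
    [ "$root" = no ] || { echo "$f: PermitRootLogin=${root:-unset}, want no"; rc=1; }
    [ "$pass" = no ] || { echo "$f: PasswordAuthentication=${pass:-unset}, want no"; rc=1; }
    return $rc
}

# Constructed samples: a stock-looking config and a hardened one.
WEAK=$(mktemp)
HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
permitrootlogin no
PasswordAuthentication no
# a later duplicate does not override the first value
PermitRootLogin yes
EOF

for f in "$WEAK" "$HARD"; do
    if audit_sshd "$f"; then echo "$f: ok"; fi
done
```

Note that a commented-out default such as `#PermitRootLogin prohibit-password` counts as unset, so the audit reports it rather than assuming a version-specific default.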