Identify threats to your network and business. Compile an asset register of company data based on its value to your organisation, and only then implement the security tools and components of choice.
Do not connect systems to the internet without “hardening” them and disabling default passwords. Assume attackers know all security products, so avoid using default settings.
Use encrypted protocols to ensure data confidentiality and integrity and non-repudiation of transactions. Take no chances by allowing unprotected, unencrypted data to travel between two points on the network.
Never assume you are secure just because you have no evidence of attack. Without watertight security measures in place, security cannot be guaranteed, and the absence of visible signs of attack does not mean an attack hasn’t happened.
Use specialist IT security staff with experience and up-to-date training. There are few things worse than a firm believing its systems are safe when they are not.
Never implement firewalls without antivirus software and intrusion-detection systems. Security policies are not about using just one device or component but about combining several.
Keep people informed. Users need to be educated and regularly updated about potential security problems and how to deal with them.
Update virus protection systems frequently and upgrade to new software versions quickly. New viruses appear daily.
Be responsible. As with physical security, it is conceivable that corporate insurers will refuse to pay out where security is insufficient. Company officers have a legal and personal duty to ensure company data is safe, and as e-business grows, so will the risks to the organisation.