With the current economic times bringing an increase in security breaches, you can't wait any longer to get everything locked down. Here are the first defense layers to get you started:
Make sure the firewall is on for all of your computers. If you don't have a centralized firewall/NAT router or if you have a laptop and you connect to the Internet outside the office, this will be your only defense against attacks. An unprotected and unpatched machine will at most last four minutes on the Internet before it is compromised. For this reason alone, keeping the local firewall on all the time is a must.
Make sure that you have anti-virus, anti-spyware, and anti-malware software installed. Almost all vendors now package these all together.
Make sure ALL of your software is up to date. This includes Windows, your anti-virus software, the software that protects you from spyware and malware, and any other software you have installed.
Back up all of your computers. Hackers are not the only problem; sometimes it's just bad luck. Ever had a lightning strike zap all of your electronic equipment? We know that we don't want to restore from backup on every lightning strike. That's why we all have surge protection in our uninterruptible power supplies (UPS). But when was the last time that you replaced your UPS? Backing up your computers is another mandatory layer of protection to keep your business running.
Have you ever had a hard drive go bad? Backups and RAID are the major layers of protection against this bad guy. Since RAID is a little more complicated we'll just stick to backups for now. Regardless of what media you use (tape, hard drive, online, CD, DVD, or BluRay), you have to be doing regular backups and verifying that your backups are successful. The only way to test that these backups are successful is by testing the restore and verifying them against the original files. That way, in a time of need you won't be let down. If you haven't started this task or your current solution is too time consuming, check out http://vault.alamode.com and the appraisers who have used Vault to recover from disaster. From Katrina to a crashed computer, don't take my word for it, read the stories from appraisers just like you.
Lock your computer. Anytime you are away from your desk, just lock your computer. I know it seems like a big hassle when you first start doing it, but it soon becomes a habit you do automatically. Windows even has a shortcut: just hit the Windows key and L and your computer is locked. That way the janitor who cleans your office at night can't help themselves to some of your data. Even if you work from home, it's a smart, safe habit to develop.
Use a strong password for everything. Your passwords should be at least 8 characters long. The longer the better. It shouldn't contain any word in the dictionary and should include upper and lower case characters, numbers, and special characters (&,$,@,!, etc). I know that seems impossible to remember. Here is a trick that I use. I create a sentence that I will remember, then take the first letter of each word and make that my password. For example, "I miss my dog Red, the cocker spaniel". The password becomes: !mmdR,7c$. That way when I am typing in my password I just repeat the sentence to myself. Notice that this password has a length of nine, uses uppercase and lower case characters, has a number (I replaced the "t" with a 7 since they kind of look alike) and two special characters.
The reason why this is important is best understood if you understand how "cracking" a password is done. The easiest method is to simply guess. The hacker uses specific information that they know about you. That's why it's important not to use your name or something that's associated with you. Examples that you shouldn't use are your pet's name, your license plate, date of birth, etc. Another method is to use a dictionary attack. A dictionary attack is when a hacker downloads a list of words from the dictionary, and then uses an application to automatically loop through this list, attempting to use each word as your password. This is why it is important that no part of your password can be found in the dictionary. Another common method is through brute force. Let's say you have a password that is one character long and you only use lower case. The hacker would start with the lower case "a" and go through the lower case "z". At worst it will only take him twenty-six tries to guess your password. If you add upper and lower case letters it will at worst take the hacker fifty-two tries. Now you can see why the length and the mix of numbers and special characters are important.
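The sentence trick from the previous point and the three cracking methods described here, worked through in code. This is an added example, not part of the original article: the word list is a tiny constructed stand-in for a real dictionary, and the substitution map (I to !, t to 7, s to $) is the author's own swap written out as data.

```python
import string

# Constructed stand-in for the word list a dictionary attack would loop through (assumption).
DICTIONARY = {"dog", "red", "spaniel", "password", "miss", "cocker", "letmein"}

def passphrase_to_password(sentence, substitutions):
    """Take the first letter of each word (keeping trailing punctuation such as the
    comma after "Red,"), then apply the look-alike swaps the author describes."""
    letters = []
    for word in sentence.split():
        letters.append(word[0])
        # keep any punctuation glued to the end of the word
        letters.append(word[len(word.rstrip(string.punctuation)):])
    return "".join(substitutions.get(c, c) for c in "".join(letters))

def character_classes(pw):
    """Which of the four character classes the password actually uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }

def has_dictionary_word(pw, words=DICTIONARY, min_len=3):
    """Dictionary-attack check: does any listed word appear inside the password?"""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)

def check_password(pw):
    """Return the list of rules from the article that the password breaks (empty = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, present in character_classes(pw).items():
        if not present:
            problems.append(f"no {name} characters")
    if has_dictionary_word(pw):
        problems.append("contains a dictionary word")
    return problems

def keyspace(pw):
    """Worst-case brute-force tries: alphabet size raised to the password length.
    A one-character lower-case password gives 26, mixed case gives 52, as in the text."""
    classes = character_classes(pw)
    alphabet = (26 * classes["lower"] + 26 * classes["upper"]
                + 10 * classes["digit"] + len(string.punctuation) * classes["special"])
    return alphabet ** len(pw)
```

Running `keyspace` on the author's nine-character example gives 94**9 tries against 26 for a single lower-case letter, which is the whole point of length plus character mix.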
If you use a wireless router in your home or office, make sure that you encrypt your wireless traffic using WPA2. If your router or access point doesn't support WPA2 then you need to upgrade. Currently the encryption technology WEP is not secure and can be compromised in less than five minutes. DO NOT USE WEP or WPA.
If you're storing sensitive information on your desktop, laptop or a portable storage device like a USB key or memory stick, consider using encryption. If you lose your laptop or USB drive this data will be safe as long as no one else has the key. There are many vendors who provide this type of software.
Keep yourself up to date. Subscribe to a free newsletter from the SANS Institute, one of the leading providers in technology security. Here is where you can go to view the past newsletters: http://www.sans.org/newsletters/ouch/
Install a firewall/NAT router for your office. These are centralized firewalls that provide a barrier between your network and the Internet. So why do we need this one also? This centralized hardware device protects you while you are getting the patches. Again, security is about layers. This is one of those required layers.
Security is much more than the above list, and security isn't absolute. It is your job to put as many layers as you can between the bad guys and your data.