This list comes from CNN Money.
1. Patch early and often. With zero-day attacks growing along with the number of patches being issued, test and install security patches ASAP.
2. Enforce password policies. While it’s well established that passwords should mix letters and numbers, uppercase as well as lowercase, do not let the desire for perfect passwords get in the way of good security – the more often employees are required to change their passwords, the more apt they are to write them on Post-it notes.
3. Mind your VPN. Telecommuters can collect nasty viruses and malware, which can then migrate to the corporate network; therefore, limit virtual private network access to company-issued laptops configured to your security policies.
4. Watch your wireless. Securing Wi-Fi is only the beginning. The newest trick is the “evil twin” attack, which creates a similarly named fake wireless network in the hopes that an employee will log on and not notice the discrepancy, thereby revealing user name and password.
5. Only make promises you can keep. When the FTC investigates a company, it’s usually because the company exaggerated its claims, as in falsely claiming that customer data is only stored in encrypted form. Therefore, make sure you walk the talk.
6. Hack yourself. Hire an outside auditor to breach your network just to get a hacker’s-eye view of your weaknesses.
7. Sequester sensitive data. Treat customer credit card and Social Security data as top secret: keep it on compartmentalized servers and limit access.
8. Encrypt it. Use strong cryptography to protect sensitive data. An encrypted database left on a city street is more secure than an unencrypted one hidden in a bank vault.
9. Collect only what you need. Delete what you don’t. More than a few companies have been embarrassed after being successfully hacked for credit card numbers years past the actual transactions. Evaluate the inherent risk, and not the potential value, of the data you collect.
10. Phear phishers. Phishing has become so profitable it is no longer just a problem for Fortune 500 companies. Set up a responsive e-mail contact for customers who’ve received messages pretending to come from you, issue website warnings about fresh attacks, and train customers not to click e-mailed login links - by not sending any yourself.
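Item 4 describes the “evil twin” trick but not how a network team would spot one. The following Go program is an added example, not part of the CNN Money list or this post: it compares a wireless survey against an inventory of authorized access points and flags both an unknown radio broadcasting the exact corporate SSID and a look-alike name that differs only in case or spacing. The SSIDs, BSSIDs and the inventory layout are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ScanEntry is one access point as seen by a wireless survey: the advertised
// network name and the hardware address of the radio broadcasting it.
type ScanEntry struct {
	SSID  string
	BSSID string
}

// Alert is a suspicious access point together with the reason it was flagged.
type Alert struct {
	SSID   string
	BSSID  string
	Reason string
}

// normalizeSSID lowercases and strips whitespace so "Corp WiFi" and "corpwifi"
// are treated as the same name; this is what catches the look-alike SSID.
func normalizeSSID(s string) string {
	return strings.ToLower(strings.Join(strings.Fields(s), ""))
}

// FindSuspectAPs compares survey results against the inventory of authorized
// access points (corporate SSID -> list of authorized BSSIDs). It flags two
// cases: an exact corporate SSID broadcast from a BSSID not in the inventory,
// and an SSID that mimics a corporate one under a different spelling.
// Networks unrelated to the corporate SSIDs are ignored.
func FindSuspectAPs(authorized map[string][]string, scan []ScanEntry) []Alert {
	known := make(map[string]map[string]bool) // exact SSID -> set of BSSIDs
	byNorm := make(map[string]string)         // normalized SSID -> exact SSID
	for ssid, bssids := range authorized {
		set := make(map[string]bool, len(bssids))
		for _, b := range bssids {
			set[strings.ToLower(b)] = true
		}
		known[ssid] = set
		byNorm[normalizeSSID(ssid)] = ssid
	}

	var alerts []Alert
	for _, e := range scan {
		corp, ok := byNorm[normalizeSSID(e.SSID)]
		if !ok {
			continue
		}
		switch {
		case e.SSID != corp:
			alerts = append(alerts, Alert{e.SSID, e.BSSID, "SSID mimics " + corp})
		case !known[corp][strings.ToLower(e.BSSID)]:
			alerts = append(alerts, Alert{e.SSID, e.BSSID, "unknown BSSID broadcasting corporate SSID"})
		}
	}
	return alerts
}

// SampleSurvey is a constructed inventory and scan used to exercise the check;
// the BSSIDs are placeholders, not real hardware addresses.
func SampleSurvey() (map[string][]string, []ScanEntry) {
	authorized := map[string][]string{
		"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
	}
	scan := []ScanEntry{
		{"CorpWiFi", "AA:BB:CC:00:00:01"},   // legitimate; BSSID case is normalized
		{"CorpWiFi", "aa:bb:cc:00:00:02"},   // legitimate
		{"CorpWiFi", "de:ad:be:ef:00:01"},   // same name, unknown radio
		{"Corp WiFi", "de:ad:be:ef:00:02"},  // look-alike name
		{"CoffeeShop", "11:22:33:44:55:66"}, // unrelated network, ignored
	}
	return authorized, scan
}

func main() {
	authorized, scan := SampleSurvey()
	for _, a := range FindSuspectAPs(authorized, scan) {
		fmt.Printf("ALERT %-12s %s  %s\n", a.SSID, a.BSSID, a.Reason)
	}
}
```

In practice the inventory comes from the wireless controller and the survey from the same controller’s rogue-AP reports or a periodic walk with a scanner; the matching logic above is the part that turns that data into an alert a help desk can act on.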
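Item 10 ends with a concrete rule, never send login links yourself, and that rule is only useful if something enforces it before a template goes out. The Go program below is an added example, not from the CNN Money list: a small lint that pulls every URL out of an outbound email body and reports the ones whose path or query looks like an authentication page. The keyword list is a heuristic chosen for this example, the sample template is constructed, and example.com is a placeholder domain.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// urlPattern picks out http(s) URLs in a plain-text or HTML email body.
var urlPattern = regexp.MustCompile(`https?://[^\s"'<>]+`)

// loginWords are path or query fragments that mark an authentication page.
// They are a heuristic chosen for this example, not an exhaustive list, and
// they deliberately err toward false positives: a flagged template gets a
// human look, an unflagged one ships.
var loginWords = []string{"login", "log-in", "signin", "sign-in", "logon", "auth", "password", "verify"}

// LoginLinks returns every URL in body whose path or query looks like a login
// page. Running it over outbound templates enforces the rule "we never email
// login links", so customers can safely treat any such link as phishing.
func LoginLinks(body string) []string {
	var found []string
	for _, raw := range urlPattern.FindAllString(body, -1) {
		// Trailing punctuation usually ends the sentence, not the URL.
		raw = strings.TrimRight(raw, ".,;:)")
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		target := strings.ToLower(u.Path + "?" + u.RawQuery)
		for _, w := range loginWords {
			if strings.Contains(target, w) {
				found = append(found, raw)
				break
			}
		}
	}
	return found
}

// SampleTemplate is a constructed outbound notice of the kind a billing system
// might send; it contains one login link that the lint should reject.
const SampleTemplate = `Your March statement is ready.
View it by logging in at https://www.example.com/login?next=statements.
Questions? See https://www.example.com/help/faq or reply to this message.`

func main() {
	links := LoginLinks(SampleTemplate)
	if len(links) == 0 {
		fmt.Println("template OK: no login links")
		return
	}
	for _, link := range links {
		fmt.Println("REJECT template: contains login link", link)
	}
}
```

The fix for a rejected template is to replace the link with an instruction such as "sign in through our website or app", which is exactly the habit the item wants customers to learn: a message from you never carries a link to a login page, so any message that does is suspect.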
Tags: Computer Security, Phishing, Patches