Every company should have written and enforceable IT policies. Policies should document who is responsible for security. Acceptable use policies should be in place so everyone in the company knows what their employer expects from them regarding computer use and security.
Companies should educate their employees about current IT security issues, so everyone can work together to identify and resolve threats. IT policies for dealing with employee terminations should be in place to mitigate the possible impact of vindictive former employees.
The company should enforce a password policy that defines the minimum length of a password, how many special characters should be included in a password, and how often users must change their password.
Companies should have designated administrators charged with maintaining safe security configurations on all computers, routers and other endpoints. Software should always be kept at current version levels throughout the business, and a commercial firewall should be in place.
Although often costly, companies should install an intrusion detection system. Such systems ultimately save money by allowing companies to react to attacks before they become devastating. Companies operating on a shoestring should consider using an open source intrusion prevention and detection system. This comes in the form of a software download installed on a stand-alone server.