
Anyone who visits here to check out my ramblings knows I tend to talk in lists. This time I’m beginning a list of 10 ways a business can boost its IT security.
#1 Never forget: Your security is only as good as its weakest link, so build your defenses in depth and ensure someone is watching your security devices and processes.
Given enough time and resources, an attacker can breach any defense. But attackers’ time and resources are limited — hence they choose easy targets over tough ones.
Your goal is to always be a tough target. Since any single defense has its limits, you want to layer your security and never forget the first rule of defense-in-depth: There is no such thing as total, complete security against threats. Layered security serves to hinder a threat’s progress until either it ceases to threaten or additional resources can be brought to bear.
#2 Use these guiding principles in designing and deploying your organization’s security controls:
- Identify what information is of highest value and how it is protected,
- Focus your defenses on the most common and damaging current and anticipated attack activities,
- Implement consistent controls across your organization,
- Automate your security efforts wherever you can and measure performance whenever feasible,
- Figure out which technical activities your organization needs to undertake for more consistent defense against frequent, well-known attacks,
- Identify and fix root causes of security problems to ensure the prevention or timely detection of attacks,
- Establish security metrics and common terminology so everyone in your organization can communicate effectively about risk.

