10 Ways to Mitigate Your Security Risks
Patching, Passwords, and Other Good Behaviors
(Page 2 of 4)
2. Patch Your Vulnerabilities, Fast
An effective security program requires keeping operating systems and applications patched, "because otherwise you'll probably defeat all your other mechanisms," notes Abrams. The goal, then, is to patch PCs and servers expeditiously.
What counts as fast? "If you'd asked a year ago, I would have said quarterly is fine, but I see more of a move to monthly, especially with more vendors -- and not just Microsoft -- getting on this monthly [patch-release] cycle as well," says Gerhard Eschelbeck, CTO of Webroot. An effective patch plan, however, requires making choices: "You can't fix everything; you have to be practical." Accordingly, tap an external resource, such as the SANS Top-20 Internet Security Attack Targets list, to determine which vulnerabilities to patch, and in what order.
In addition, automate as much patching as possible. Smaller shops -- the vast majority of which run Windows -- can simply ensure Windows Update runs frequently. Larger small and midsize businesses, meanwhile, typically use dedicated patch management software, which offsets the extra time needed to reliably patch larger numbers of PCs.
3. Passwords: Say No to "Fluffy"
So much access today still comes down to passwords. Accordingly, "make sure employees use effective passwords, and where possible, use multifactor authentication technology, because believe it or not, employees in small businesses especially will use their names as logins and passwords, which is not very hard for a hacker or online identity thief to figure out," says Teixeira. Indeed, dictionary attacks -- automated attacks that rapidly try thousands of known words to guess a password -- may chew through such permutations in minutes.
Here's a handy solution: Teach users to avoid using actual words, and instead to use the first letter from each word of a long sentence they memorize. See more tips in Build a Better Password.
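The two points above, the name-or-dictionary-word password that a dictionary attack reaches quickly and the first-letter-of-each-word mnemonic, as an added example that is not part of the original article. The word list, the login name "jsmith", and the mangling rules (capitalisation, digit suffix, trailing "!") are constructed assumptions standing in for what a password-change policy check would use.

```python
import re

# Constructed stand-in for the thousands of words a dictionary attack tries.
COMMON_WORDS = ["fluffy", "password", "welcome", "summer", "letmein", "dragon"]


def mnemonic_password(sentence: str) -> str:
    """The article's tip: first character of each word of a memorised sentence.
    Punctuation ending a word is kept, so cases, digits and symbols get mixed."""
    out = []
    for token in sentence.split():
        out.append(token[0])
        if not token[-1].isalnum():
            out.append(token[-1])
    return "".join(out)


def guessable_variants(words, login):
    """Yield what a simple dictionary attack tries per base word (assumed rules:
    plain, capitalised, digit suffix 0-99, optional '!'); login name included."""
    bases = sorted(set(w.lower() for w in words) | {login.lower()})
    suffixes = [""] + [str(n) for n in range(100)]
    for base in bases:
        for form in (base, base.capitalize()):
            for suffix in suffixes:
                for symbol in ("", "!"):
                    yield form + suffix + symbol


def is_guessable(password, login, words=COMMON_WORDS):
    """Return (found, variants_checked); a change hook rejects any found password."""
    checked = 0
    for checked, guess in enumerate(guessable_variants(words, login), start=1):
        if guess == password:
            return True, checked
    return False, checked


def password_weaknesses(password, login, words=COMMON_WORDS):
    """Policy checks a company could codify in writing and enforce in software."""
    problems = []
    core = re.sub(r"[^a-z]", "", password.lower())  # strip digits/symbols
    if core in {w.lower() for w in words}:
        problems.append("dictionary word")
    if login.lower() in password.lower():
        problems.append("contains login name")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems
```

With these inputs, "Fluffy1" is reached after 611 variants and fails two policy checks, while the mnemonic built from "My first dog, Fluffy, was born in June of 2009!" survives all 2,828 variants and passes every check.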
4. Define "Good Behavior"
What's acceptable behavior? While "you may know it when you see it," companies can't expect to easily enforce it, operationally or legally speaking, unless they've codified it in writing.
Enter security policies and procedures. "Users will do stupid things, and you have to have policies that you're able to enforce, to at least curb some of the deliberate things users will do," says Abrams. Indeed, procedures tell employees what is required (changing passwords every 30 days), or prohibited (viewing adult Web sites).
Setting policies doesn't have to be expensive, time-consuming, or difficult. For example, the SANS Institute Security Policy Project offers 30 free, model policies online, and the not-free "Information Security Policies Made Easy" book and CD-ROM offers over 1,350. Don't, however, just add the company name to the blank spaces. Instead, train employees on policies, make them accessible by storing them in a prominent location on a shared network drive or the intranet, and revisit them regularly. Finally, treat policies as CliffsNotes -- checklists and cheat sheets -- for negotiating feature sets and service-level agreements with consultants, outsourcers, and software vendors.