10 Ways to Mitigate Your Security Risks
Don't Panic: Have a Plan
(Page 3 of 4)
5. Practice Application Tough Love
To get the most security for the least effort, make it part of the acceptable-use policy that users may not install unauthorized software on their PCs. "Then enforce and ensure you're only running the software required for the business to function properly," says Abrams.
This simpler-is-better approach improves security and saves time: every extra application is more code that can harbor malware or introduce vulnerabilities, and more code that has to be kept patched. It also speeds recovery. Malware is notoriously difficult to eradicate, so when a PC does get infected it is much faster to wipe it and rebuild from a standard disk image than to try to disinfect it, and an image with no extra applications to reinstall afterwards makes that rebuild quicker still.
6. Don't Panic, Plan
If something goes wrong -- in a security sense -- will employees know what to do? "When there isn't an IT person on staff 24 hours per day, as is typical in many small and midsize businesses, people need a response process, at least from a coordination and communication perspective," says Webroot's Eschelbeck.
This requires time for planning and thinking ahead, admittedly a rare security luxury in the typical small and midsize business. Even so, "have an emergency response plan: anticipate a successful attack, and know what to do about it when it does happen," advises Abrams. In particular, who should employees call if their security software says they've been infected with malware?
When planning for emergencies, be especially cognizant of legal requirements. For example, if a company stores customers' personal information, more than half of all states have passed data breach notification laws that require the company to notify affected residents of the state if that information is lost, stolen, or suspected to have been breached. Build that obligation into the plan: who decides that a notification is required, and who sends it.
7. Backup is a Virtue
Theft, hurricanes, tornadoes, destructive malware, burst pipes, hard drive failures, electrical fires, irate co-workers: none of it costs you the data, provided the data has been backed up. Of course, while everyone knows they should back up, few do. Accordingly, it's up to IT to safeguard corporate data.
Consider deploying automated backup software, and ensure the resulting backups are kept off-site, to guard against physical disasters, and out of reach of the machines being backed up, so that the destructive malware on the list above cannot wipe the backups along with the originals. Alternatively, for greater automation and ease of use (though not always a lower price), use an online backup service. Whichever route you take, test a restore periodically; a backup that has never been restored is an assumption, not a safeguard.
8. Auditing: Watch the Watchers
"If the antivirus screams, and there's no one around to hear it, is it really a virus?" asks ESET's Abrams. "You have to audit your logs, and understand, am I being attacked? Because if your IDS is saying I'm deflecting all this stuff, then you want to know, because attacks will shift until attackers get in."
Even small and midsize businesses without an intrusion detection system should still study antivirus logs to see which attacks are hitting them most, and keep an eye on basic server security settings. "Hackers will change security settings to make it easier to come back, and noticing there is a security setting change is often your first indication of an attack," he says.
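As an added example (not code from the article, nor from ESET or Webroot), here is a small Python script that does the two checks this section asks for: tallying antivirus detections from a log to see which attacks are hitting which machines, and flagging security-settings files that have changed since a known-good baseline. The log format, host names and settings files are constructed for the demonstration and are assumptions; a real antivirus product logs in its own format, and a Windows shop would snapshot exported registry keys or policy files rather than sshd_config.

```python
"""Two small audit checks: summarise antivirus detections and flag changed
security settings. Added example, not the article's code."""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed sample antivirus log. The key=value layout is an assumption;
# real products log differently but carry the same fields.
SAMPLE_AV_LOG = r"""
2024-03-01T08:01:12 host=ws-07 action=quarantined threat=Trojan.Downloader path=C:\Users\amy\Downloads\invoice.exe
2024-03-01T08:04:33 host=ws-07 action=quarantined threat=Trojan.Downloader path=C:\Users\amy\Downloads\invoice(1).exe
2024-03-01T09:17:45 host=ws-12 action=blocked threat=Exploit.PDF path=C:\Users\bob\AppData\Local\Temp\report.pdf
2024-03-01T10:02:01 host=ws-07 action=blocked threat=Exploit.Office path=C:\Users\amy\Downloads\invoice.docm
2024-03-01T10:30:00 host=srv-01 action=scan_complete threat=none path=-
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) "
    r"threat=(?P<threat>\S+) path=(?P<path>.*)$"
)


def parse_av_log(text):
    """Return one dict per detection line; informational lines (threat=none) are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group("threat") != "none":
            events.append(m.groupdict())
    return events


def summarize_detections(events, repeat_threshold=2):
    """Top threats by count, plus hosts hit repeatedly. The same user being
    targeted again with a different lure is the 'attacks will shift' pattern."""
    threats = Counter(e["threat"] for e in events)
    per_host = Counter(e["host"] for e in events)
    repeat_hosts = sorted(h for h, n in per_host.items() if n >= repeat_threshold)
    return {"top_threats": threats.most_common(), "repeat_hosts": repeat_hosts}


def snapshot_settings(paths):
    """Map each settings file to the SHA-256 of its contents (None if missing)."""
    snap = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                snap[p] = hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            snap[p] = None
    return snap


def diff_settings(baseline, current):
    """Paths whose hash differs from the baseline: changed, added or removed."""
    return sorted(p for p in set(baseline) | set(current)
                  if baseline.get(p) != current.get(p))


def demo_settings_drift():
    """Constructed demonstration in a temp dir: baseline two settings files,
    then simulate an intruder loosening remote-login settings."""
    d = tempfile.mkdtemp()
    sshd = os.path.join(d, "sshd_config")
    sudoers = os.path.join(d, "sudoers")
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(sudoers, "w") as f:
        f.write("root ALL=(ALL) ALL\n")
    baseline = snapshot_settings([sshd, sudoers])
    # The kind of change Abrams describes: settings loosened to ease a return visit.
    with open(sshd, "w") as f:
        f.write("PermitRootLogin yes\nPasswordAuthentication yes\n")
    changed = diff_settings(baseline, snapshot_settings([sshd, sudoers]))
    return [os.path.basename(p) for p in changed]


if __name__ == "__main__":
    summary = summarize_detections(parse_av_log(SAMPLE_AV_LOG))
    print("top threats:", summary["top_threats"])
    print("hosts with repeat detections:", summary["repeat_hosts"])
    print("settings files changed since baseline:", demo_settings_drift())
```

Run on the constructed log, the summary shows Trojan.Downloader as the top threat and ws-07 as a host hit three times in two hours, which is the signal worth a phone call even though every detection was blocked. The settings check is deliberately dumb: it reports that a file changed, not what changed, because the point is to notice the change at all; store the baseline somewhere the monitored machines cannot write to, or an intruder who changes a setting can simply update the baseline too.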