Patch Early, Patch Often
Patching is absolutely necessary and (almost always) absolutely free. It's amazing to have to say this, but the first thing to check--right now--is whether you are up to date on all your patching. Set an iCal/Outlook reminder and do it monthly. A good time would be the second Wednesday of each month, since Microsoft releases its security updates on the second Tuesday. Or you can tie the task mentally to paying your mortgage or rent--as you're writing that check, also "check" for updates.
I don't mean just double-click on Windows Update, either. If you haven't activated Microsoft Update (a variation of Windows Update), you won't receive any Microsoft Office updates. But don't stop there! Make sure you visit Adobe to update your Flash plug-in and PDF Reader software. Firefox does a good job of pushing out updates without user intervention, but it won't upgrade you to a major new release, so check the Firefox site as well.
I continue to light candles and wait for the day when Microsoft will open up its Windows Update infrastructure for all Windows software publishers to push their updates through one centralized location, automated, and with just one click. Until that day, try using software like Secunia's Personal Software Inspector (free for personal users) that will scan all software on your computer and give you a consolidated look at where security patches are missing.
I've audited networks with IT managers who were quite proud that they update their antivirus signatures every 5 minutes, but they had critical servers with stock versions of Internet Explorer and Adobe, and missing OS patches from 2007! Some reports have claimed that the success of the attack on Google was due to an employee using an outdated Web browser.
Just last week, Google announced that they would be dropping IE 6 as a supported browser from their Google Apps and Google Docs services. When manufacturers release newer, more secure versions of software (I'm looking right at you, Internet Explorer 6 and 7 users), upgrade to the latest version. The 5 minutes that you spend watching the installation progress bar is well worth it in terms of the security provided by such newer technologies.
Hardware needs updating, too. Inventory your hardware and check up on firmware updates (just as important as software patches). Twice a year, look on manufacturer Websites for any hardware with a network port--not just your routers and switches, but also your multifunction copiers, your restaurant POS terminals, your Blu-ray player, your PBX, and your Twitter-enabled coffee pot.
Don't Let Bob Stop You From Running a Secure Network
Customers often claim that their servers aren't patched because "Bob says so" and he is the Dev Manager or the VP of Sales, and their custom application won't run on the latest service pack or requires an ancient Web browser with all security features disabled. This is an unacceptable business risk in my opinion. If a particular division within the company runs software that precludes them from running the latest security patches, IT needs to isolate those servers in your network the way that it would segregate classified networks from unclassified networks.
Sign up for CIO Asia eNewsletters.