At your company, implement outbound firewall rules. Most companies I work with have an "allow all" outbound policy for their users. While this may have been acceptable in the past, in this century I would not recommend running a business with such a permissive policy. You can start with restricting users to only HTTP and HTTPS outbound; this won't protect you from everything, but it will close down a large portion of outbound connections that may not be authorized. You can also use OpenDNS to restrict access to inappropriate Websites.
Most important (and most often overlooked), server and DMZ networks should allow only a few explicit outbound connections (such as outbound SMTP for your mail server). Modern packet inspection firewalls are smart enough to allow your Web server to reply to an inbound request for a Web page, but very few legitimate reasons exist for your Web servers to initiate a connection to the outside world.
To be sure, there are exceptions (business partner inventory interchange, or offsite data backup, for instance), but in general most servers respond to inbound requests for information and do not themselves initiate connections. If a hacker compromises your server, one of the first things he or she will do is to use your server to connect to another machine (either within your organization or back to their network). Leaving a rule for outbound access to windowsupdate.microsoft.com (and similar update sites) is perfectly acceptable. A blanket "allow all" policy is just asking for trouble.
Steven Andrés is Founder and CTO of Special Ops Security.
Sign up for CIO Asia eNewsletters.