You need to start with the general security of your network.
Which computers and servers store sensitive personally identifying information about your customers and employees? Do not forget employees’ personal notebooks and home computers that connect remotely. Do your digital copiers, printers and fax machines store copies of the documents that pass through them?
All connections to your network need to be identified: the Internet, branch offices, electronic cash registers, service provider computers and wireless devices.
Determine the vulnerability of each connection. You may want to hire a professional to conduct a security audit.
Isolate computers containing sensitive information from the Internet either physically or electronically.
Use encryption for sensitive personally identifying information. Always encrypt sensitive information sent over the Internet. Encrypt backups whether they are kept on-site or stored off-site. You may want to encrypt portable storage devices (USB drives, flash drives, etc.). Even encrypt internal email that contains sensitive information; it is too easy to Cc an outside email address by mistake. If notebooks must contain sensitive information, their hard drives need to be encrypted and password protected.
Anti-virus and anti-malware software on servers and PCs needs to be kept updated. Security updates from Microsoft also need to be applied as they are released. Anti-malware software is also available for smart phones.
Limit and secure the wireless connections to your network. Educate your employees not to log onto your network or other secure sites from public hot spots with notebooks and smart phones: simple packet sniffers can capture user names and passwords.
Web applications that let outsiders retrieve or submit information should not have access to your internal network; run them on a separate, isolated system. Your web server should never be connected to your internal network.
Don’t become a headline. Keep the hackers out.