Effective Information Security uses a layered approach

Device Security

Make sure that unused software is removed from computers, including software services as well as installed applications.

Software that is not there cannot be exploited, so this shrinks the attack surface, reduces the time you need to spend keeping software up to date and will improve performance.

Make sure you change default admin user names and passwords on all computers, as well as on network devices such as routers.

Keep key systems on separate computers to reduce single points of failure, so that one hardware fault or one compromised machine does not take down every service at once.

Make sure that all laptops that may contain personal data use full disk encryption software.

Make sure that any smartphones used can be wiped remotely in the event of them being lost or stolen.


Employee Security

Make sure all employees receive training in, and are kept aware of, information security threats and procedures.

Make sure you have a defined process for logging and escalating security issues.

Make sure that information security clauses are written into employees' contracts of employment.


Security Management

Make sure you produce policies on information security for ALL staff to follow.

Make sure that you set time aside at regular intervals to check that these policies are actually being followed.

Make sure you produce a list of all information stores (both paper and electronic) and identify the threats and vulnerabilities for each store. You can then document how you will mitigate each of these risks to your information security, and this list becomes the starting point for a central information risk register.

Download our free Information Security Review Tool.

Free Information Security Questionnaire Template.