To know yourself and to know your adversary, first you have to think about what kind of information you have on any computer or network that's connected in any way with the Internet. Do those computers contain your employee information in any form? Customer data? Credit card numbers? Perhaps those computers contain your business banking information or even designs for new products or detailed product or process specifications.
The next step is to think about who would benefit from having any of that information, even in partial form. "You need to worry about competitors," Chapman said, but he adds that actual cyber-crime from a competing company is unlikely. "Breaking into your system is a very risky business. If they got caught, their losses would be incredible"—not to mention jail time if caught and convicted.
But a very real threat is the same cyber-criminals who try to steal credit card information elsewhere. The key there is to keep your sensitive information somewhere they can't reach easily. "Make sure risky items like credit card processing are outsourced," he suggests.
Chapman said that most banks will handle all credit card processing for their customers. It's worth noting that this might cost more than handling credit cards some other way, but it's far more secure. "Then you're protected by the bank's security," he said.
This also means not keeping payment information on your own computer systems. While it may be convenient, it's far safer to just ask your customers for their credit cards each time they buy something. The fact is, if you don't have such data, nobody can steal it.
Training employees extensively on good security practices is also necessary, Chapman said. This may mean teaching them through hands-on practice what a phishing email looks like, how Web-based malware can affect your business or how not to leak information that would make things too easy for criminals.
"I've seen restaurants put their IP address, their login and password on top of the computer," he said. Adequate training can make a huge difference because it helps employees avoid making really bad mistakes and it helps them recognize a threat when they see it, and teaches them whom to tell when it happens.
But even if all of that works, Chapman's first point comes into play. Your business needs to have somebody with adequate resources to do something about security threats when they turn up and the ability to look for threats during the normal course of their day. Otherwise, someone could download 100 terabytes of your data without you ever noticing.