1. Policies - Everything from who gets what kind of permissions to how you treat passwords. Password policies are critical (IMHO) - because this is where you are very likely to see an attack. Some guidelines regarding passwords -
- Are they long/obscure enough?
- Are they ever transmitted via cleartext (without encryption)? Chat logs, and email DBs are full of unencrypted passwords.
- Do users keep them in a digitally secure store or are they written down in people's daily planners?
- Are they changed when people leave the organization?
- Are your backups secured?
- Do you have policies regarding creation and storage of non-backup copies of DBs?
2. Network security -
- Is your network hardware being kept updated - there are routinely security holes found in the software/firmware in the products of major brands of network suppliers.
- Is your network being actively monitored for intrusion / sniffing?
- Are all the other computers that you share local network resources with secured?
3. System security -
- Is your OS up to date?
- Are all unnecessary services turned off?
- Are your IP ports being actively scanned and monitored?
- Is your system adequately partitioned so that a successful attack on one user's or client's account will not affect other accounts?
If you don't believe that individuals' computers can be hijacked, take a look at these:
Also, if you are serious about protecting a sensitive (political) client's business from cyber attack, you should also consider -
- Denial Of Service attacks
- Ability to restore from catastrophic failure
So what's a reasonable solution? Get a security audit and then outsource! Very few organizations have the time or expertise to deal with these issues in a comprehensive or effective way. If you want to find out how vulnerable you are then have a pro do an audit. If you want to build a secure environment yourself - great - but you will spend lots of time and money doing so. Find a host you trust and let them do the heavy lifting for you. You will still have to implement decent organizational policies however - otherwise your security is useless.
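A concrete way to act on the "unnecessary services turned off" and "ports actively monitored" items under system security, as an added example that is not part of the original post: a Python script that parses the output of `ss -tuln`, compares the listening sockets against an approved baseline, and flags services that are unexpected or bound to a public address when the baseline says local-only. The `ss` sample and the baseline are constructed for illustration.

```python
import re

# Constructed sample of `ss -tuln` output (Linux); on a live host feed the real output instead.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128             [::]:5900          [::]:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
"""

# Constructed approved baseline: (proto, port) -> "public" or "local-only".
BASELINE = {
    ("tcp", 22): "public",        # ssh
    ("tcp", 80): "public",        # web
    ("tcp", 3306): "local-only",  # database, loopback only
    ("udp", 123): "local-only",   # ntp client, should not be exposed
}

# Matches the protocol and the local address:port columns of an ss line.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_listeners(ss_text):
    """Return {(proto, port): set(bind addresses)} from ss -tuln output."""
    listeners = {}
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header or unparseable line
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        listeners.setdefault((proto, port), set()).add(addr)
    return listeners

def is_public(addr):
    """True for wildcard binds that expose the service on every interface."""
    return addr in ("0.0.0.0", "[::]", "*")

def audit(listeners, baseline):
    """Compare live listeners to the baseline; return a list of findings."""
    findings = []
    for (proto, port), addrs in sorted(listeners.items()):
        expected = baseline.get((proto, port))
        if expected is None:
            findings.append(f"UNEXPECTED {proto}/{port} listening on {', '.join(sorted(addrs))}")
        elif expected == "local-only" and any(is_public(a) for a in addrs):
            findings.append(f"EXPOSED {proto}/{port} bound to a public address, baseline says local-only")
    for proto, port in sorted(set(baseline) - set(listeners)):
        findings.append(f"MISSING {proto}/{port} in baseline but not listening")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_listeners(SS_OUTPUT), BASELINE):
        print(finding)
```

Run it from cron and alert on any non-empty output; the baseline file then becomes the written record of which services are supposed to exist, which is exactly the policy the list above asks for.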