9. Minimal privileges
Given the risks, it is hard to imagine, but some organizations still have end users run their desktops with local administrative privileges. To avoid a steady stream of requests to install or configure software, IT operations sometimes simply let users install whatever they like.
End users generally lack the expertise to recognize malware, so they often fall prey to it, and an administrative user who is fooled hands the malware full control of the machine. Insider threats are also very real. Running your desktops this way is simply asking for security nightmares.
To limit the damage Web-based malware can do, give users only the minimum privileges their jobs require. Code that runs in a standard user's context cannot install drivers or services, alter system files or shut down endpoint protection, which makes an infection easier to contain and clean up. It can still read and exfiltrate whatever that user can reach, so least privilege shrinks the blast radius rather than eliminating the risk.
Thankfully, I'm seeing less and less of this problem in my consulting engagements, but I do still run into it, and I laugh (and sometimes cry a bit) when I do. Reducing privileges simply makes security sense.
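A practical first step toward the least-privilege desktop described in item 9 is to find out who is actually a local administrator. The PowerShell script below is an added example, not code from the article or its author: it compares the local Administrators group on a Windows machine against an allowlist and, with `-Remediate`, removes anything else. The allowlist entries (the `CONTOSO` groups and the built-in Administrator account) are hypothetical placeholders for your own policy. It uses the `Get-LocalGroupMember` and `Remove-LocalGroupMember` cmdlets from the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and must run from an elevated prompt.

```powershell
# Added example (not from the article): audit the local Administrators group
# against an allowlist and optionally remove unexpected members.
# Requires Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+) and
# an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Principals that are allowed to be local administrators. These three
    # entries are hypothetical; replace them with your organization's policy.
    [string[]]$AllowedMembers = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin account
        'CONTOSO\Domain Admins',             # hypothetical domain admin group
        'CONTOSO\Desktop-Support'            # hypothetical helpdesk group
    ),

    # Remove members that are not on the allowlist. Combine with -WhatIf
    # to see what would be removed without changing anything.
    [switch]$Remediate
)

$group = 'Administrators'

# Get-LocalGroupMember returns Name as DOMAIN\account or COMPUTER\account,
# plus ObjectClass (User/Group), PrincipalSource and the SID.
$members = Get-LocalGroupMember -Group $group -ErrorAction Stop

$report = foreach ($m in $members) {
    # -contains compares strings case-insensitively, which matches how
    # Windows treats account names.
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass
        Source      = $m.PrincipalSource
        SID         = $m.SID.Value
        Allowed     = ($AllowedMembers -contains $m.Name)
    }
}

$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Allowed })
if ($unexpected.Count -eq 0) {
    Write-Host "OK: only allowlisted principals are local administrators on $env:COMPUTERNAME"
    exit 0
}

Write-Warning ('{0} unexpected local administrator(s) on {1}' -f $unexpected.Count, $env:COMPUTERNAME)

if ($Remediate) {
    foreach ($u in $unexpected) {
        # ShouldProcess honours -WhatIf and -Confirm, so a dry run is possible
        # before any membership change is made.
        if ($PSCmdlet.ShouldProcess($u.Name, "Remove from local $group group")) {
            # Remove by SID rather than name so renamed accounts are still matched.
            Remove-LocalGroupMember -Group $group -Member $u.SID
        }
    }
}

# Non-zero exit lets a scheduled task or endpoint-management tool flag the host.
exit 1
```

Run it first without `-Remediate` to get a report, then with `-Remediate -WhatIf` to preview removals, and only then for real. One known limitation of `Get-LocalGroupMember`: on some Windows builds it throws an error if the group contains an orphaned SID from a deleted domain account; in that case inspect the group with `net localgroup Administrators` and remove the orphaned entry before rerunning the script.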
10. Thinking defense in depth
Don't be lulled into the false sense of security that many security products promise. No single effort, action, product or service is a security cure-all.
What is required is a comprehensive, consistent effort to reduce your risk using the methods above, which are just a few of the many good security practices you should adopt. Security isn't a point-and-click solution but a concerted, ongoing, multifaceted, iterative process, and the point of layering controls is that when one of them fails, another still stands between the attacker and your data.
These top 10 techniques are not an exhaustive list, but they are a step in the right direction. Technology alone doesn't make your organization more secure, but a holistic view of security can lessen your Web-borne risks. With the rise and continuing evolution of Web-based malware, cloud computing and mobile devices, there's no reason to think these risks are going away anytime soon.
So take a holistic defensive posture, investigate your Web-based threats in depth, and reap the reward of reduced risk.
Joseph Guarino is CEO of consulting company Evolutionary IT.