You don't have to look into a crystal ball to find peace of mind when it comes to security. CSO Magazine presents 10 relatively low-labor changes you can make to achieve significant improvements in enterprise security.

#1. Help high-level decision-makers to understand.

"Help your top-level executives to be truly aware of the nature of the security situation and to take on their risk manager responsibility in a serious way," says Fred B. Cohen, an American computer scientist best known as the inventor of computer virus defense techniques.

To do this, use an external advisory committee made up of people who know security and know how to talk to executives. To help leaders hear and understand advisory committees, send them to an executive off-site security training, or commission an initial security assessment of your organization so they can see where they stand and work to bridge the communication gap.

#2. Don't collect information when it is more harmful than beneficial.

"I know it's convenient to store credit cards and use them again next time. But that's also why some big box stores had to pay a price for losing them and why people had to change their credit cards for everybody they dealt with," says Cohen.

The same goes for any PII, including email addresses. "I bought something online from a very large big box store because they didn't have it in the physical store. I had to provide an email address. They just got millions and millions of these ripped off and they are collecting more," says Cohen. When the harm outweighs the benefit, just stop.

#3. Check the inputs.

Check inputs into software programs and databases at the place where you actually use them, not at the browser, and most of the bad things that happen would not happen, says Cohen.
"All the big database rip-offs using SQL injections and other input overruns happen because you don't check the inputs," says Cohen.

Check the size, syntax, and context of the input data / characters that people typically enter into an input field. "If they're putting in a Social Security number, it better be in the format of a Social Security number. And regardless of what checking you did in the browser, you need to check it at the place where it arrives, not where someone sent it from," says Cohen. Do the check when it arrives from the untrusted source (such as a browser) at the technology that interprets and uses it. "This is trivial to do and trivial to check that someone did it," he says.

#4. Contract, insure, test.

Whether you require a software vendor to check the inputs to the programs you purchase, or require that any vendor provide a product or service as agreed, if it's something you must have, especially for security, put it in a binding contract.

Have liability insurance in the event that the vendor did not do it. Require that the vendor have insurance in case they don't do what they say they will. Ensure that there are stipulations in the contract that the vendor must test that they did what they said they would.

"In the case of the software inputs, there's testing called fuzzing that is very inexpensive," says Cohen. Use an independent testing lab for the testing. Require the lab to certify the test. Make sure the testing company has insurance.

#5. Architecting security is cheaper than designing, implementing, or coding it.

Many enterprises have flat networks.
"They have firewalls, but inside the firewall they have a bunch of compute and that's it," says Cohen; "it's a hard shell with a gooey center." Hackers use phishing and other attacks to get beyond the firewall and into the gooey center.

"If you architect your network, partitioning it into zones and micro zones, you can differentiate how you protect servers from how you protect workstations," says Cohen. You can have a network that will operate properly even though parts of it are failing due to attack. Then even an attack that is successful is only partially successful.

#6. Defend using deception.

"Deception technologies change the leverage between the attacker and the defender so that it is easy for the defender and hard for the attacker," says Cohen; "deception is relatively easy to do."

Hackers search for vulnerabilities in your protocol space, address space, and services. With deception, where you don't have a web server running on an IP address, you have a deception that looks like a web server to hackers. They hit that and try to break into it. After the first 50 or so times that the same user tries that, a network device that is watching will make sure that user gets a deception every time from then on. There are other types of deception.

#7. Don't use security that turns users against you.

It's about workload on the user, sometimes called security load. Security keeps increasing the requirements for the user to interact with security measures, and the user has to make increasingly complicated decisions. "The security load causes the users to make bad decisions," says Cohen.

Popups are good examples. "It says, 'you're doing something that might be dangerous, do you want to proceed?'" The user doesn't know which choice is more secure. They do know that if they say "no" they can't proceed, and so they can't get their work done.
Security that puts these kinds of decisions in the hands of the user does more harm than good.

#8. Offer an easy password selection guide.

Use an easy password selection guide to help users create strong yet easily remembered passwords. The guide could suggest that users start with the title of a favorite movie, book, or item from any popular category and add characters to form a new password. "That way it can be easy to remember what characters are capitalized and where the punctuation marks should go, such as with the password Ghost^Busters!2?," says John Zurawski, vice president at Authentify.

#9. Require longer, stronger passwords.

With the new-found ease of creating memorable passwords, users should be less averse to using longer, stronger passwords. Here's why longer and more complex passwords naturally help.

Hackers don't attack passwords manually by guessing at character combinations but rather use brute-force attack software to crack passwords. "A 16-character password with upper-case and lower-case alpha characters, numerals, and symbols could withstand 10 or 12 days of concentrated brute force attacks, possibly more," says Zurawski. That may be long enough.

"Typically when hackers steal password files, they settle for cracking 60 to 90 percent of the passwords on multiple passes through the file before selling the results and moving on. If your password is among the 10 or 20 percent that are the most resource-intensive for the hacker to crack, the probability that you will remain safe is high," says Zurawski. Extending password length is a simple policy change.

#10. Employ full disk encryption on company laptops.

A fully encrypted laptop hard drive that requires a user password on boot-up helps protect the enterprise against data theft and misuse when a laptop is lost or stolen. "You can achieve this kind of roll-out in months," says Zurawski.