I had a customer asked me when is network security sufficient? That’s a tough and broad question, I thought. I really didn’t have a direct easy answer to this. It really depends on what kind of business you are in, what kind of information you are trying to protect. Depending on the business, I’m pretty sure there are legal that you need to take into considerations, such as medical offices, health care, and hospitals needs to be hippa compliant. With that being said, I have a minimum that I like to set in place for most offices, then when we are done, we realize there needed to be more security. For most office, I would recommend a minimum of antivirus software on each pc/devices/server, etc. I also think most office will need some kind of firewall/router in place with some kind of way to manage threat from outside. Then of course, blocks as many ports as possible from outside and make sure everyone have super strong password with some kind of system in place to make sure password security is enforce. I also highly recommend locking up server room/network closets, etc. That would be my minimum recommendation. If you can afford to do more, then you should do more.