An important and easy-to-implement best practice is to Require Secure Sessions. With Secure Sessions, all messages are encrypted in transit from the web browser to salesforce.com’s servers to protect your data.
Administrators can verify these settings under Setup > Manage Users > Profiles.
Salesforce.com maintains a page of security best practices, which includes this tip and more.