If you have a server or device that is internet facing, make sure you have a real, commercial SSL certificate on it. Do not use a self-signed certificate. I don't really care that it is just for "internal" use and you are smart enough to bypass the untrusted warning.
It is a matter of security and making sure that you don't have any areas of weakness. I want you to examine your eternal network for possible SSL weaknesses. Look for:
- VPN connections
- Web pages (they should be https: port 443 vs. port 80 http:) and have a valid commercial SSL.
- Remote access servers
- Security cameras
Nothing should touch the internet from your network (hopefully from your DMZ) that doesn't have a commercial SSL certificate attached.
If you need help sorting this out, let us know.