CFqueryparam is a good first step, though you should note that it will not protect some queries. For example, if you have a sort by or order by that is dynamic, cfqueryparam won't help in that case. You will need to review the data and validate it for that.
You should also be checking for XSS vulnerabilities.
The blog above has a great number of CF security-related posts.
Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues.
There are some open source projects that will also filter out common SQL injection and XSS attacks at the code level.
Finally there are several conferences in the CF world coming up, and all surely have some security sessions. You may want to attend.
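As an added illustration of the dynamic sort-by point above (this is example code written for this thread, not code posted by the answerer), the following page binds the search term with cfqueryparam but handles the ORDER BY column and direction with a strict whitelist, because a bound parameter cannot be used as an identifier or keyword. The datasource name "app", the table "products" and its columns are assumed for the example.

```cfml
<!--- Example added to this thread; not code from the original posts.
      Assumes a datasource named "app" and a table "products"
      with columns id, name, price and created. --->
<cfparam name="url.q"    default="">
<cfparam name="url.sort" default="name">
<cfparam name="url.dir"  default="asc">

<!--- The search term is data, so cfqueryparam handles it: the value is sent
      as a bound parameter and is never concatenated into the SQL text. --->

<!--- The sort column and direction are SQL identifiers/keywords, not data.
      A bound parameter there would fail or sort by a constant, so the safe
      option is to map the request value onto a fixed list of known values.
      Whatever the user sends, only a value from this struct reaches the SQL. --->
<cfset sortColumns = {
    "name":    "name",
    "price":   "price",
    "created": "created"
}>
<cfset sortColumn = structKeyExists(sortColumns, url.sort) ? sortColumns[url.sort] : "name">
<cfset sortDir    = (lCase(url.dir) EQ "desc") ? "DESC" : "ASC">

<cfquery name="products" datasource="app">
    SELECT id, name, price, created
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar">
    ORDER BY #sortColumn# #sortDir#
</cfquery>

<cfoutput query="products">
    #products.name# (#products.price#)<br>
</cfoutput>
```

Note that struct keys in CFML are case-insensitive, so a request for `sort=NAME` still matches; that is fine, because the text interpolated into the query is the struct's own value, never the request value itself. Anything not in the whitelist silently falls back to the default column rather than being rejected with an error, which is a reasonable choice for a public search page.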
Thanks for the information. What about changing table names and variables? Is that helpful, or are we wasting our time?
I would say mostly a waste of time.
As far as I know, most SQL injection attacks are about getting the database to work against itself. So the attacker needs little or no knowledge of the database schema.
cfqueryparam is by far the most important precaution. Make sure you use it everywhere, not just in the WHERE but also in the VALUES of an insert or the SET of an update.
After that, the most important thing to do is database permissions. Make sure your application runs with the least privileges possible. If your application doesn't use stored procedures, remove their permissions. Make sure the account that is used from CF only has SELECT, INSERT, UPDATE and DELETE privileges, and can't CREATE or DROP. If you have a site with a dedicated admin area, try setting up two datasources using different accounts. A read-only account for the public website, a read-write account for the admin area. Etc.
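The following is an added example for the two points in this answer (cfqueryparam in VALUES and SET, and separate read-only and read-write datasources); it is example code written for this thread, not the answerer's own. It assumes two datasources defined in the ColdFusion Administrator, "site_ro" backed by a database account granted only SELECT, and "site_rw" backed by an account granted only SELECT, INSERT, UPDATE and DELETE (no CREATE, DROP or stored-procedure execution), plus a "comments" table with the columns shown.

```cfml
<!--- Example added to this thread; not code from the original posts.
      Assumed datasources: "site_ro" (DB account: SELECT only) and
      "site_rw" (DB account: SELECT/INSERT/UPDATE/DELETE only).
      Assumed table: comments (id, post_id, author, body, approved). --->

<!--- ===== Public page (e.g. post.cfm): read-only account ===== --->
<cfparam name="url.postId" default="0">

<!--- cf_sql_integer makes cfqueryparam reject non-numeric input outright,
      and even if this query were somehow exploitable the DB account
      cannot INSERT, UPDATE, DELETE or DROP anything. --->
<cfquery name="comments" datasource="site_ro">
    SELECT id, author, body
    FROM   comments
    WHERE  post_id  = <cfqueryparam value="#url.postId#" cfsqltype="cf_sql_integer">
      AND  approved = 1
</cfquery>

<!--- ===== Admin area (e.g. admin/comments.cfm): read-write account ===== --->
<cfparam name="form.postId"   default="0">
<cfparam name="form.author"   default="">
<cfparam name="form.body"     default="">
<cfparam name="form.id"       default="0">
<cfparam name="form.approved" default="0">

<!--- Every user-supplied value is a bound parameter in the VALUES list,
      exactly as it would be in a WHERE clause. maxlength enforces the
      column width before the value ever reaches the database. --->
<cfquery datasource="site_rw">
    INSERT INTO comments (post_id, author, body, approved)
    VALUES (
        <cfqueryparam value="#form.postId#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#form.body#"   cfsqltype="cf_sql_longvarchar">,
        0
    )
</cfquery>

<!--- The same applies to the SET clause of an UPDATE: the assigned values
      are parameters, not just the id in the WHERE clause. --->
<cfquery datasource="site_rw">
    UPDATE comments
    SET    approved = <cfqueryparam value="#form.approved#" cfsqltype="cf_sql_bit">,
           body     = <cfqueryparam value="#form.body#"     cfsqltype="cf_sql_longvarchar">
    WHERE  id       = <cfqueryparam value="#form.id#"       cfsqltype="cf_sql_integer">
</cfquery>
```

The split into two datasources costs nothing at the code level beyond choosing the datasource attribute per page, and it means a bug in the public site can at worst read data the public site already reads. The privilege boundary itself is enforced by the database account behind each datasource, so the GRANTs on those accounts are what to review, not the CF code.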
First, relying on cfqueryparam for security issues means that you might have disregarded one of those "best practices": validate user input before you use it.
Regarding database permissions, I agree with your general idea. Regarding details, I think they depend on the situation.