
Internet leaks prove need for more vigilance

John Cremer

Companies need to keep pace with technology and overhaul security to protect client information

TWO RECENT CASES involving leakage of confidential information have turned the spotlight on lapses in system security. One of them featured a police complaints organisation and the other, the job website Recruit.

The incidents made two facts evident to everybody. One, many companies have not kept pace with the latest technology. Two, once something is out in the open, it cannot be retrieved.

'Undisciplined use of the internet and human error, whether intentional or otherwise, cause most of the problems,' said Hermann Chan, chief executive of Times Direct Asia, which specialises in managing customer data for clients.

'You can never claim to have 100 per cent security but, in most cases, more can be done.'

Mr Chan said many companies failed to encrypt data or establish adequate internal control procedures to comply with standards. Often, processes were not stringent enough to enable systems to be managed properly.

Usually, problems arise when businesses use the Net to give their various departments access to shared information. While this may be the cheapest and easiest way to exchange details for cross-selling or other purposes, it is also inherently risky.

'The protection of sensitive customer data should be given much higher priority,' Mr Chan said. 'Management should make the capital investment needed to upgrade and, if necessary, use outside expertise to provide safeguards.'

According to Matt Young, Asia-Pacific vice-president for Blue Coat Systems, many senior executives wrongly believe that a firewall provides adequate protection. Firewall technology blocks the front door but leaves the windows open for someone to get in.

'People realise that you can piggyback on the internet traffic to break into a system,' Mr Young said, adding that what was required was a 'proxy' which effectively surrounded the entire house, to use the same analogy.

A proxy stops viruses and spyware from getting in, prevents confidential data from getting leaked and enables tight but flexible control. The package includes hardware and software, and can be installed in 20 minutes. It allows multiple levels of access based on agreed criteria, blocks anything that is unauthorised, and monitors activities such as peer-to-peer file sharing and instant messaging.

The system works by routing all traffic via the proxy, and not through other network ports that are open to the Web.

'It sits next to a server or a similar appliance and, for implementation, you don't need to upgrade Microsoft or other products,' Mr Young said.

The proxy can authenticate by department, name or type of message, so that data sent by e-mail attachments, for example, can be stopped. The objective is to tie things closely to company policies on computer use and access. This makes it possible to set time limits and block access to certain websites. If a company wants to prevent staff from shopping or betting online, it can be done.

Blue Coat Systems is already working with about 6,000 customers in the US and Asia to improve their internal protection systems. Clients include banks, airlines, telecom operators, and small and medium-sized enterprises.

Mr Young said successful implementation required an understanding of the organisational and technical set-ups, and the company's requirements for compliance.

'Many IT directors don't know what is going on in their networks,' he said. 'They have insufficient visibility of their traffic.'

In addition, Mr Chan said systems were only as secure as the knowledge of the administrator or developer. There was still the chance that a hacker was one step ahead. Also, the technology adopted might be world-class, but proper maintenance and day-to-day vigilance were essential.

He emphasised that companies should avoid buying security products 'off the shelf' and, instead, get something tailored to their precise needs.

'The board's priority should be to realise that, if things go wrong, it could kill their business,' Mr Chan said.

According to him, companies should implement the relevant ISO standards. These ensure that correct procedures are in place, every change is logged and a systems audit is conducted at least once a year. ISO standards also ensure one of the key aspects of systems security: information held in databases is kept separate from internet connections.

'Then you are in a position to tell customers that their information is safe,' Mr Chan said.

'Organisations have to learn about systems security. Unfortunately, some still learn the hard way.'

PLAYING SAFE

Companies should make systems security a top priority and make the necessary investment.

A firewall does not offer full protection from viruses or unwanted data.

The recommended solution is to install a proxy which monitors all traffic.

It is possible to specify many different levels of authorisation to control usage and information flows effectively.
