Security threats come in different shapes and sizes and intrusions into company networks come from different entry points. The tried-and-tested traditional combination of firewall and antivirus software is no longer enough to protect organisations when attacks go beyond the network security level to zero in on applications and data files.

Research firm International Data Corp estimates the security solutions market in the Asia-Pacific region will expand at a compound annual growth rate of 25.3 per cent in the next five years. Asian companies will be forking out US$4.1 billion by 2007 in their continuing bid to keep the wolves at bay.

'The first step to securing an enterprise network is to know your network infrastructure. Assess the vulnerability of the system from desktop and server to gateway. Look into operating systems, applications and passwords. Once you know what your vulnerabilities are, fix them and keep an eye on new vulnerabilities,' said David Sykes, North Asia regional director of Symantec Asia Pacific.

Viruses, internet worms, spam and other intrusions are growing in frequency and sophistication. Also, with mobile connectivity increasingly available in enterprise networks and with the advent of new applications such as instant messaging and peer-to-peer software, information technology administrators are gaining a new set of headaches in enterprise security.

Experts say a layered and unified approach is the answer. 'Blended security - including a state-of-the-art firewall, [virtual private networks], intrusion detection and prevention, anti-virus, anti-spam and content filtering - are all required,' said Network Box managing director Michael Gazeley. 'And all of these systems require updates which are delivered in real time. After all, even if you updated everything this time yesterday, you have probably been vulnerable for over 23 hours.'

Mr Sykes added: 'By adopting a comprehensive, holistic strategy that addresses network security at the gateway, server and client tiers, companies may be able to reduce costs, improve manageability, enhance performance, tighten security and reduce the risk of exposure.'

Indeed, a combination of security tools at different layers is necessary to root out weak points in the organisation. But for the security solutions to work and to be effective, companies also need to define policies that govern security configuration management, as well as identity and access control within their organisations. Moreover, IT security professionals must be more involved in the development of processes that support incident response.

In an ideal world, a company would have both the financial and technical resources to take these approaches, resulting in extremely high network security, said Mr Gazeley. 'But most companies have neither the budget, the time nor in-house technical skills to properly secure their networks, which is why the most logical path is to outsource security to a firm of experts who can install, then remotely update and manage everything on their clients' behalf.'