In today's climate preventing a security breach is at the top of the agenda for many IT departments. Due to a combination of high-profile incidents and bitter experience, security has made its way to the boardroom table. Few staff within an organisation can remain unaware of the potential damage a breach of the IT systems can cause. Much of the information contained within a company's networks is sensitive and highly confidential. Financial data, plans for future products or services and customer details need to be prevented from falling into the wrong hands. Accordingly, most organisations have security policies, firewalls, antivirus software and real-time monitoring in place in an attempt to protect their data from outsiders and insiders alike, and there's little doubt that businesses are getting better at it. But what if, despite all best efforts, the IT system comes under attack and security is breached? In too many instances the company concerned will identify the exposed security hole, patch it up and hope, often in vain, that there are no more security holes to be exposed. But although the 'identify-patch-hope' process solves the immediate problem, carrying out a thorough investigation is more likely to avert a repeat performance. Organisations need to have a mechanism in place that allows them to analyse fully what happened prior to the actual security incident, as well as after it. Real-time monitoring fulfils part of this function, in that it is capable of flagging prohibited or unusual usage, but only when that activity is actually in progress. Similar to a burglar alarm, real-time monitoring will sound the alert once a suspected intruder has, for example, broken through a window. What an alarm cannot do is provide information such as other windows that were tried and by whom; or, once in, what the intruder damaged or took. That is the function of the security camera ... and when the worst happens businesses need to have the equivalent of one in place.
A security camera can provide a complete picture of the events leading up to a specific incident. It also allows for the tracking of the intruder, showing precisely where they have been and what they have had access to over a period of time. In essence, it is able to recreate the past in its entirety. For a company that has suffered a security attack, this type of information is essential to determine the scope of the breach. To produce a complete picture, all the IT audit data, not just certain types, needs to be collected. What may appear to be irrelevant today may be the key to tracking an intruder tomorrow. Moreover, because of the sheer volume of IT audit data, it cannot be amassed in real time. It is best collected in batches; for example, when network activity is at its lowest. The data then needs to be consolidated, archived and finally analysed. In addition to being used as a security postmortem, gathering comprehensive IT audit data can also help businesses take a proactive approach to thwarting security breaches by better adhering to and honing their security policies. Many companies develop security policies that are well thought out but do not have an easy method for tracking compliance. By consolidating, archiving and analysing IT audit data, companies can regularly check their compliance and ensure tighter security. Even for those organisations that do everything they can to avoid falling victim to a security attack, it is impossible to guarantee that it will never happen. It is therefore crucial for businesses to ensure that they are able to deal with the aftermath of a breach. This means having the information and tools available to analyse exactly what happened, why it happened and how that information can be used to prevent further breaches. Knowing your enemy is a useful tool, but having an in-depth understanding of their tactics and methods is even more effective when it comes to constructing your own defence.
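The consolidate-then-analyse process described above, as an added Python example that is not part of the original article: batch-collected records from two constructed sources are merged into one timeline, the "camera" is replayed around a flagged event (what the actor tried before it, what they reached or were refused after it), and the same timeline is checked against a simple access policy. The record layout, source names, paths and policy are all assumptions made for illustration.

```python
"""Constructed audit records, not real data: (timestamp, source, actor, action, target, outcome)."""
from datetime import datetime

VPN_LOG = [
    ("2024-03-01T01:58:10", "vpn", "jsmith", "login", "gateway-1", "fail"),
    ("2024-03-01T01:58:32", "vpn", "jsmith", "login", "gateway-1", "fail"),
    ("2024-03-01T01:59:05", "vpn", "jsmith", "login", "gateway-1", "ok"),
    ("2024-03-01T09:20:40", "vpn", "mlee", "login", "gateway-1", "ok"),
]
FILE_LOG = [
    ("2024-03-01T02:03:11", "fileserver", "jsmith", "read", "/finance/q1.xlsx", "ok"),
    ("2024-03-01T02:05:44", "fileserver", "jsmith", "read", "/hr/payroll.csv", "denied"),
    ("2024-03-01T02:07:02", "fileserver", "jsmith", "copy", "/finance/q1.xlsx", "ok"),
    ("2024-03-01T09:25:00", "fileserver", "mlee", "read", "/finance/q1.xlsx", "ok"),
]

def ts(record):
    return datetime.fromisoformat(record[0])

def consolidate(*sources):
    """Merge records from every collection batch into a single time-ordered timeline."""
    return sorted((r for src in sources for r in src), key=ts)

def reconstruct(timeline, actor, flagged_at):
    """Replay the 'camera' around the event the alarm raised: what the actor tried
    beforehand, and what they reached or were refused once in."""
    t0 = datetime.fromisoformat(flagged_at)
    mine = [r for r in timeline if r[2] == actor]
    before = [r for r in mine if ts(r) < t0]
    after = [r for r in mine if ts(r) >= t0]
    return {
        "attempts_before": [r for r in before if r[5] != "ok"],  # other windows tried
        "accessed_after": sorted({r[4] for r in after if r[5] == "ok"}),
        "denied_after": [r[4] for r in after if r[5] == "denied"],
    }

def policy_violations(timeline, prefix="/finance/", start_hour=8, end_hour=18):
    """Compliance check (assumed policy): successful access under `prefix` outside working hours."""
    return [r for r in timeline
            if r[4].startswith(prefix) and r[5] == "ok"
            and not start_hour <= ts(r).hour < end_hour]

if __name__ == "__main__":
    tl = consolidate(VPN_LOG, FILE_LOG)
    print(reconstruct(tl, "jsmith", "2024-03-01T01:59:05"))
    print(policy_violations(tl))
```

Because every record is retained rather than only the alert, the two failed logins before the successful one and the refused read of the payroll file are recoverable, which is exactly what the alarm alone would not tell you.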
