It always surprises me when very smart people, who can configure complicated networks, refuse to test that network against threats from attacks within and outside of the organization.
They will throw up the Cisco, Sonicwall, Watchguard or Barracuda firewall to protect their general networks- servers, storage, switches. Then they will add more granular protection, end point protection such as Symantec Total Protection, CA, Trend Micro, McAfee, Kaspersky, AVG, Eset...there is a plethora of chocies when it somes to end point protection.
Each one, of course, will tell you that they are: the best in class, best of breed, the smartest, the fastest, real time, heuristic, reputation based, zero day protection, total protection, extreme defence, 98%, 99%, 100% effective against any and all attacks- anti-virus, anti-spam, anti-malware, anti-trojan, anti-webbot, browser hijacker, anti-DOS attacks...just the safest thing since chastity was under attack.
What boggles my mind is that so many IT Professionals believe what they are told by these security companies and never actually hire someone to actually check their network security. When they get a virus, or are attacked, they are shocked! Shocked that someone could actually outsmart their maginot line of tech products to guard against this very thing.
Case in point, Facebook, and Twitter. These are smart people with deep pockets and yet the only time they seem to realize their networks are vulnerable is when they go down after an attack.
As an IT solutions and services specialist, I suggest yearly penetration tests (PEN Tests) at a bare minimum, though monthly or bi-monthly would be my recommendation. And not a test where your internal resources who would hesitate to embarass you by pointing out a whole in your defence for fear of being fired, but use an outside IT company such as Sarcom to do the testing both inside and outside of your walls.
Start with the outside, tell them only what they need to know to identify that it will be your network they are testing and let them see where, if any, vulnerabilities exist. This "Black" PEN testing will give you a real world hacker eyeview of where you may have areas in your networks that can be exploited.
Have a second firm test inside of your walls, maybe Ligatt Security or some other testing firm. Let them know how many ports and see if an internal disgruntled employee can wreak havoc from within.
Be smart and protect yourself. A lot of money is spent to make you think your network is safe, why not put it to the test to prove that it is safe?