Robert Schifreen 

Understand your enemy

Only when you know what hackers are capable of can you decide which of their techniques you most need to guard against, writes Robert Schifreen
  
  


Companies which sell IT security products often have a slightly distorted view of the threats to IT security. Those that market antivirus programs tend to think that scanning for viruses is more important than anything else. Yet those that sell firewalls usually tell you that a firewall is the most important part of an anti-hacker strategy.

Cutting through the marketing hype is not easy but is essential. Unless you understand just where attacks on your network can come from, you can't adequately protect it. A firewall is no protection against a sales executive having her laptop stolen from the car at a motorway service station. And even the world's best virus scanner won't prevent someone hacking your website and replacing all your staff mugshots with pictures stolen from www.playboy.com.

Only when you understand what hackers are capable of can you decide which techniques would cause you most damage or inconvenience. This will allow you to invest your money and time most efficiently to lessen the chances of being attacked and to minimise the damage that an attack would cause.

Let's start by debunking one myth. Not all hackers are after your confidential data to sell it or publish it on a website. Many people who break into systems using the internet simply want to beat the computer at its own game by finding a sneaky way in. Your private files offer little of interest to such intruders.

However, the stability of your system does. If they can crash it so that your own staff can't get in, that's good. Such action is known as a denial of service (DoS) attack and is often worryingly easy. Most company servers run on Windows NT or Unix and there are hundreds of bugs in these programs that can be exploited to crash the system. Microsoft published 100 security fixes for Windows last year, dozens of which were to prevent potential DoS loopholes. Read about them, and download the fixes, from www.microsoft.com/security. Failure to install the latest patches on your servers could expose your system to DoS attacks.

Not all hackers use technical expertise to penetrate IT defences. When staff leave your company, or are dismissed, it is crucial that you close off their access to the company system immediately, otherwise they can copy or sabotage files. I know people whose company accounts were still accessible three years after they'd left a job, thus allowing them continued access to their old documents through the internet.

A computer's first line of defence is its passwords. Just because you make a point of not writing them down and not choosing ones that can be easily guessed doesn't mean that they can't be discovered. Hackers often use social engineering techniques, such as telephoning staff and pretending to be a colleague or support worker who has a legitimate need to know a password. If the cover story is believable, the employee will be only too happy to divulge the password. One aspect of the internet makes social engineering easier than it ought to be. A Whois lookup on a company's domain name will provide the name and phone number of the employee who looks after it. So now the hacker knows who he should pretend to be when telephoning unsuspecting users.

Hackers love cracking the passwords they can't obtain by social engineering. Despite what Microsoft tells you, Windows NT passwords (even system administrator ones) are not uncrackable. Anyone who gains access to an NT server can retrieve a full list of users' passwords in just a few minutes. However, the list is encrypted.

Luckily for hackers, a program called L0phtCrack (www.L0pht.com) will decipher them using a technique known as a brute force attack. This is akin to reading a telephone directory from cover to cover to find out the name and address for someone whose phone number is already known. It can take many hours, or sometimes days, but is remarkably successful.

Viruses and trojans are another area of vulnerability. Recent patches for Microsoft Outlook, the most popular email reader for Windows, make it much harder for users to inadvertently open attachments and release viruses. The successor to Windows 2000, codenamed Whistler, will improve on this still further. But the best form of defence is to prohibit your staff from sending or receiving email attachments.

Many companies configure their firewalls so that incoming attachments are deleted. The sender is then automatically emailed and asked to resend the attachment in a less dangerous form, or to send it to an IT support mailbox for checking before it is forwarded to the intended recipient.

Software piracy is a favourite pastime of hackers, either to make money or to irritate software companies by spreading illegal copies of their goods. Pirates need places to store their wares, and the servers of unsuspecting companies are a favourite target. Make sure the access permissions are set correctly on your sites or you could find yourself in the same situation as an organisation of my acquaintance, whose servers filled up because they were being used as a repository for pirated DVD movies.
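The gateway policy described above (incoming attachments deleted, sender automatically asked to resend or to go through IT support) can be sketched with Python's standard `email` package. This is an added example, not code from the article; the function names, mailbox addresses and sample message are hypothetical and constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical addresses; the article names none.
GATEWAY = "mail-gateway@example.org"
IT_SUPPORT = "it-support@example.org"

def strip_attachments(raw: bytes):
    """Return (cleaned message, notice to sender or None, removed filenames)."""
    original = message_from_bytes(raw, policy=policy.default)
    # Every non-body part counts as an attachment, named or not (fail closed).
    removed = [p.get_filename() or "(unnamed)" for p in original.iter_attachments()]
    if not removed:
        return original, None, removed

    # Rebuild from the plain-text body only, so no attached part survives.
    body = original.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    cleaned = EmailMessage()
    for name in ("From", "To", "Subject"):
        if original[name] is not None:
            cleaned[name] = str(original[name])
    cleaned.set_content(f"{text}\n[Gateway removed: {', '.join(removed)}]\n")

    # Automatic reply asking the sender to resend safely or via IT support.
    notice = EmailMessage()
    notice["From"] = GATEWAY
    notice["To"] = str(original["From"])
    notice["Subject"] = f"Attachment removed: {original['Subject']}"
    notice.set_content(
        "Your message arrived without its attachment(s): "
        + ", ".join(removed)
        + ".\nPlease resend in a less dangerous form, or send the file to "
        + IT_SUPPORT + " for checking.\n"
    )
    return cleaned, notice, removed

def sample_message() -> bytes:
    """Constructed inbound mail with one executable-looking attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@partner.example"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.\n")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="figures.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, notice, removed = strip_attachments(sample_message())
    print(removed, notice["To"], sep="\n")
```

Because the From header of inbound mail is easily forged, a production gateway would send the notice only to senders it has authenticated, otherwise the auto-reply becomes backscatter to an uninvolved address.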

Finally, a painful reminder that there is much more to computer crime than firewall vendors would have you believe. Most hacks are not committed by outsiders through the internet, but by employees. And the most common reason for data loss is not a hack at all but accidents caused by a lack of IT skills. Both of which are, sadly, much more difficult to prevent.

 
