Security is one of the most dynamic issues in all of computing. Just because a system is secure today, doesn't mean that the system will be secure tomorrow. New exploits are constantly being discovered, and it's important that you secure your network against those exploits as they are made known.
I have known a lot of administrators who take a "set it and forget it" approach to network security. They do their best to make sure that a system is secure, test the security, and then never touch the security again. It isn't that these administrators are lazy (well, maybe a few of them are), it's that being a network administrator is an extremely demanding job. If someone isn't screaming at you to get a project done, then that project will almost always take a back seat to higher priority projects. At the end of the day, there just isn't time to monkey around with improving security unless upper management makes security one of the highest priorities.
Microsoft has done a lot to help overworked administrators maintain a secure environment. Utilities like the System Update Service and Windows Update allow security patches to be automatically downloaded and installed. This ensures that all of the servers and workstations are kept up to date with all of the latest security patches.
Unfortunately, automatically downloading and installing security patches does not guarantee a secure system. It simply makes those administrators who are forced to use the set-it-and-forget-it technique less vulnerable to a security breach. Fortunately, there are some things that you can do to make your organization more secure, even if you are too strapped for time to take a really hands-on approach to security.
Obviously, I would be extremely negligent in my duties as a technology author if I didn't tell you that you should examine your security logs and look for ways to enhance your network's security every single day. Having said that, I am realistic enough to admit that many companies lack the resources to administer security in such granular detail. If you are the type who never touches security because you simply don't have time, then I recommend following my six-month plan.
The nice part of this plan is that you only have to address security once every six months. Again, this isn't ideal, but it's infinitely better than never doing any security work at all. With my six-month plan, there are three things that you need to do every six months: re-examine your corporate security philosophy, check your network for known weaknesses, and attend a security training event.
Re-examine security philosophy
Re-examining the corporate security philosophy on a periodic basis is an important, yet commonly overlooked step. The idea is that you must determine if your security policy still matches well with the corporation's needs and culture.
A good, but rather extreme example of this is a place where I used to work. During my first few days on the job, I was told in no uncertain terms that the company didn't believe in cyber security (remember, this was the early 1990s). The users weren't assigned passwords and the servers were kept in an unlocked closet.
Although this was my first network administration job, I knew enough about networks to know that this total lack of security was very unusual. When I asked why security was so lax, I was told that the company was small (less than a hundred employees) and that the president of the company believed that strict security rules, passwords, locked doors, and things like that took away from the casual atmosphere that he wanted to create.
A few years went by and the company grew to well over a thousand employees. One day, there was a change in management. The new manager absolutely blew a gasket when he realized that there was basically no security on such a big network.
If this organization had stopped to re-evaluate the security philosophy a couple of times a year, then there surely would have come a point when someone would have said, "this network is starting to get pretty big, maybe we should start thinking about adding some security." Better security could have then been implemented before the lack of security became a huge problem.