"Clients should be put online with servers placed in armored, segregated areas separate from the network," he said.

This is necessary to keep the network simple by avoiding application clutter so patch updates happen immediately, he said.

Dorey, who is also UK chair of the Institute of Information Security Professionals (IISP), delivered the keynote address at the Australian IT Security Summit in Sydney last week.

"Most corporations say they have a four-day patch cycle but this should really be four minutes or four seconds," he said.

"Companies patch 85 percent of their network really well, but a real challenge is to get that last percentage of clients.