"Complacency
is easily the biggest problem in corporate computer
security today," says Michael Gazeley, the chairman
of Network Box, a Hong Kong-based company that sells
network security solutions worldwide.
"If management does not clearly
identify security as a priority," he continues,
"the IT manager is not likely to make it one of
his priorities either. It then becomes a 'time-bomb'
which can go off at any moment. In the world today,
the Internet gateway is a primary business interface,
yet despite these soaring levels of Internet use - especially
for commercial transactions - the level of care, attention,
and reporting on security matters within most companies
is almost non-existent," he says.
Gazeley puts much of the blame for
this situation on the shoulders of the media. Far too
often, he says, the media will get excited about a single
virus or worm on the Internet, or a high-profile hacker
attack, and then roll out the old clichés about keeping
your anti-virus software up to date - and that's as
far as it goes. They do not look at the underlying problems
in any meaningful way; nor do they look at a bigger
picture of the situation; nor do they adequately emphasize
to the business community or the public the serious
consequences of not being properly protected. "Protection
needs to be comprehensive, properly configured, fully
updated in real-time, expertly managed and carefully
monitored," he adds.
The enemy within
Although security experts agree that
the threats posed by hackers, viruses and worms are
a major concern for any business, most feel that other
threats, seemingly more mundane but with the potential
to be even more damaging, are being unwisely neglected.
To strengthen their arguments they have begun to emphasize
two major types of risk: external and internal. There
are obviously threats from outside the company, but
there can also be serious threats from within.
"Threats are everywhere,"
says Thomas Parenty, who has been in the security business
for over 20 years, and is mainly concerned with what
happens "inside the firewall" - that is, the
security risk a company faces from its own staff.
"But
the weakest link in a corporate security network is
the link that is forgotten," he continues. "The
saying 'out of sight, out of mind' definitely applies
here. When we concentrate so much on one thing - anti-virus,
for example, which gets a lot of media attention - we
tend to miss a host of other problems. Few companies
perform any kind of security audit that would find vulnerabilities.
Instead, most seem happy to do nothing about internal
security until they are actually attacked, and then
it is often too late."
Parenty stresses the need for complete
solutions that take into account both types of threat.
Without that comprehensive approach, the amount spent
on security won't necessarily provide the required results
- and companies with multi-million-dollar budgets are
just as likely to "get it wrong" as smaller
ones. He cites the example of one company that did almost
everything right, and then sent all its most important
data to India un-encrypted to be handled by another
company it hardly knew. It came back un-encrypted as
well. "They were just lucky that nobody made a
copy while everything was so vulnerable," he says.
"Though of course somebody may have done just that
and no one knows about it yet."
The comprehensive plan
Security experts also emphasize that
not only should security systems take into account the
two main types of risk, security should be an integral
part of the planning of any computer set-up or system,
large or small.
"Security should be built into
a system from the beginning, not added on later,"
says Welland Chu, the Asian Regional Business Manager
for Thales E-Security, an Anglo-French technology company
that specialises in security for both civil and military
customers.
"By using a comprehensive approach
that incorporates both technological and human factors,"
he continues, "an organisation can effectively
protect itself from both the outside threats and the
threat posed by the disaffected insider. Security safeguard
measures should be incorporated into the IT systems
with full accountability maintained and logged from
network level right down to the individual level,"
he said.
"Design of the security system
is also vital," Chu continues. "A good security
design means user interference will be kept minimal
so that normal business operations are not impacted.
Computer security consultants can help companies plan
and deploy comprehensive systems that fit in with their
day-to-day business operations yet offer high security
that mitigates the various risks," Chu said.
The security conundrum
Whereas
the concept of combining ease of use with maximum security
is the ideal, achieving it is not so simple - especially
when financial transactions are involved. Every newspaper
story of Internet fraud, online credit card scams and
successful hacker attacks creates a demand for stronger
protection - even if that does mean the end user must
endure a little more inconvenience. Both online vendors
and buyers seem willing to accept this. Some of the
most effective new technologies being developed don't
quite fit into a minimalist, business-and-user-friendly
model - but they offer appealing end results.
Authentify, a US company specializing
in computer security systems, recently won a number
of awards for security solutions for online financial
transactions, and these give a good indication of current
thinking and possible developments in the near future.
Authentify uses a number of technologies, including
voice recognition and a secure "call back"
system using a telephone number the payee provides at
the time of the transaction.
"We offer a multi-factor authentication
solution," says Robert Soden, the Managing Director
for Authentify in Asia Pacific. "There are three
elements to identifying someone securely," he says,
"and by employing these three elements we can offer
a very high level of security in any transaction. First
there must be 'something you know', namely your user
account information. Then there is 'something you have',
the ability to answer a specific telephone number that
only you provide. Then there's 'something you are' and
for this we use voice biometrics. If any one of these
three can't be suitably confirmed, the transaction doesn't
go through."
The human factor
No doubt internal security issues will
also increasingly use multi-factor access protection,
but others still seek simpler solutions - or just a
broader approach to the problem. Paul Bonny, Vice President
and International Security Leader for the Security Services
Department of Wachovia Bank, believes the staff themselves
are the key. Although he doesn't deny the usefulness
of cameras, guards, and new technology, he believes
it ultimately comes down to creating an environment
of trust within a company.
"People are resourceful,"
he says, "and anyone with the wrong intentions
will always be looking for ways to get round whatever
technology or system you may deploy to watch them. If
they are resourceful and creative, they can get round
most anything," he said.
But most internal theft and fraud,
he says, is not discovered by auditors or even the police:
it is discovered and revealed by colleagues.
"If you create a family of policies,"
he says, "including a code of conduct - and do not
assume everybody 'knows' what to do - you stand a better
chance of eliminating crime. It is also important to
protect whistle-blowers - and also important to have
a system in place that allows you to be quite careful
about checking on the reports you may get from them
as well. After all, not every whistle-blower is honest
himself."
As IT usage and e-commerce develop,
and computer crimes become more prevalent, security
will continue to be a major concern, an integral part
of business and a constantly evolving field. The security
systems developers keep coming up with better products
and methods, but right now it seems it is up to the
end-users in the business world to do more. IT security
should now be a major concern and an ongoing part of
every business.