In the United States today, computer security standards are primarily determined by bankers and accountants. Many managers of Fortune 1,000 corporations have assumed that if a particular security approach is good enough for banking, it is appropriate, secure and "safe" for the corporate environment.
Nothing could be further from the truth. And is that surprising? Historically, bankers and accountants have not been in the forefront of computer technology.
Computer banking security in the United States is, at best, minimally acceptable for banking. In banking and accounting, embezzlement is usually the greatest perceived threat to computer security. Comprehensive control of the privileges of the users and detailed audit trails are reasonable security features to handle this threat.
An entirely different set of vulnerabilities exists in the corporate environment. Remember, it is your corporation's resources that are at risk, and you are not federally insured by the FDIC against loss. This distinction requires a different security philosophy as well as different technologies.

WHO'S IN CHARGE?
In the corporate environment, those charged with the responsibility for maintaining corporate resources (CEOs, CFOs, boards of directors) often have very little technical understanding of the degree of vulnerability they may have with respect to computer security. They may incorrectly perceive that their worst threat comes from outsiders and hackers. If they really understood the potential liability and the potential risk to corporate assets and to their reputations, they might shut down all networks and computer centers.
Those charged with implementing computer technology, distributed systems and networks (primarily middle managers) are frequently overburdened, underbudgeted and often equally unaware of the real security …