The majority of small- and medium-sized businesses and almost all home users find using such tools too expensive and complicated to implement, so a very high percentage of computer users remains seriously exposed.
But it is amazing what gains in security can be achieved virtually free of charge by simply tightening up on the way we manage our computer systems.
The real basic goals of information security are
- Non-repudiation. Accomplishing these is a management issue before it's a technical one, as they are essentially business objectives.
Confidentiality is about controlling access to files either in storage or in transit. This requires systems configuration or products (a technical job). But the critical definition of the parameters (who should be able to access what) is a business-related process.
Ensuring integrity is a matter of version control - making sure only the right people can change documents. It also requires an audit trail of the changes, and a fallback position in case changes prove detrimental. This meshes with non-repudiation (the change record must include who as well as what and when).
Availability is the Cinderella of information security as it is rarely discussed. But however safe from hackers your information is, it is no use if you can't get at it when you need to. So you need to think about data back-ups, bandwidth and standby facilities, which many people still leave out of their security planning.
Over the next few months I will be using this column in Computer Weekly to describe a range of ways to increase security by good housekeeping without spending lots of money.
Mike Barwise is an independent security consultant at Computer Security Awareness
This was first published in April 2002