After doing my best to destroy your faith in data encryption in an earlier column , it’s only fair to mention that encryption is an important technology; it just isn’t sufficient for critical data with a long life.

And that’s the whole point. No single security measure is completely effective. Thus, you need to develop a layered defense, not just from a security standpoint but also from a cost perspective.

How should layers work?
What makes adequate security possible at all is the ability to apply different layers of security to different data. The least sensitive or most time-sensitive data needs the least protection. Data that should never be known by anyone but a few top management members doesn’t belong on any computer. In between these two extremes is a vast array of data with different protection requirements.

Although a computer security specialist can design layers of security, someone else must decide just how secure the various kinds of data need to be. That means management must develop a policy so the IT staff knows how much time and money they should expend on securing certain classes of data.

Basic categories must be defined for things such as trade secrets, client lists, payroll accounting, memos kept only on a local server, Internet e-mail, budget projections, and so on. There must also be a procedure in place to initiate ongoing analysis of new data types.

While management might balk at the idea, it’s impossible to provide the highest level of security for all data, except in the smallest businesses. Likewise, it’s foolish to ignore all need for security and depend entirely on the kindness of strangers for your protection.

Because security costs money and makes data more difficult for everyone to access, deciding how much protection a particular kind of data requires is not a trivial exercise. To decide which security level is appropriate for a data class, management needs to know the approximate costs of the various levels of security, as well as how important the information is and the life span of that importance.

Will a particular kind of data require different levels of security at different stages of its life? If so, is there a way to reduce or remove protection in stages, making the data more widely available and thus potentially more useful?

For example, a new product concept is highly confidential at first, but as more people in the company need to work with it, access to data must be made easier. After the project is dropped or the product brought to market, the same data may require little or no security.

The government tends to classify everything as top secret and tries to keep things classified forever, but that’s not practical for a business. It’s not really practical even for the feds.

What tools are at your disposal?
So what tools can you use to build your defense layers? Layered security options include:

  • Physical security for terminals, cabling, and backup data
  • Encryption
  • Password management
  • Firewalls
  • Detection and reporting of intrusion attempts
  • Ongoing maintenance of OS and applications with an eye to newly revealed flaws or bugs
  • Antivirus software and policies

If you have to protect a variety of data types at different security levels, the best way is to develop layered protection that can be applied in stages to different files. Even within each category there are different stages of protection. For example, you can use light encryption for some data and rely upon the best encryption available only for critical files.

Even something as basic as antivirus protection has many layers, starting with simple programs that prevent changes to files, through inexpensive antivirus programs updated monthly, to programs that are updated daily, to a non-networked PC with no modem and no removable media drive.

Computer security must be viewed as a spectrum ranging from weak to highly secure, and in most cases, each business needs to have more than one level of protection available so it can be applied wherever and whenever necessary. Of course, network and system administrators will require input from IT managers and CIOs to ensure data receives the appropriate classification.

Hey, if it were simple we could just leave security issues entirely to the computers. But then, how would we make a living?

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.

Have a comment?

If you’d like to share your opinion, please post a comment below.