What do You need to know?
The absence of a recognized loss due to a computer security failure may help you feel that your computers are comfortably secure. Making your computers secure may, in fact, be very disturbing. When computers are made secure, a common result is the discovery of losses that had been taking place undetected. One company discovered that its email was being routed through a server at one of its competitors. Every business plan, inventory report, and new order had been visible to this company's most significant competitor, and there was no way to know how long it had been going on or who did it. This loss occurred because security had not previously been in place.
Security does not just detect outside hackers. The majority of computer-related losses are caused by insiders, sometimes with malice but often through misunderstandings. When we talk about protecting the confidentiality, integrity, and availability of the information stored in our computers, we do not discriminate between outsiders and insiders. Making an erroneous change to the information needs to be stopped, no matter who is trying to do it. We cannot use technology to force people to type numbers correctly, but we can at least assure that anyone able to type numbers in is fully authorized (and presumably trained).
The majority of computer-related losses are caused by insiders, sometimes with malice but often through misunderstandings.
Companies that focus on protection from outsiders are making a serious error in their security strategy. The most common form of serious attack by an outsider is to pose as an employee. By guessing or stealing an account name and password for any employee, the attacker becomes, to all appearances, just another employee. Security is effective only if it provides oversight of all activities, whether by an outsider or by the most trusted employee of the company.
So how can you know that your computers are secure? Remember that security is relative. There is really not a condition that is totally secure. There are levels of security. So the correct question to ask is, How secure are we? The best answer is "as secure as (or slightly more secure than) other companies like ourselves." Unfortunately, interpreting this answer requires that you know how secure your competitors are.
Most companies treat their security posture as a competitive advantage (or disadvantage) and are reticent to discuss it. That leaves most of us at the mercy of third parties to evaluate our security and decide whether it is sufficient. Many of those third parties are consulting companies that make their money by making the computers more secure, so, surprisingly, they infrequently find that computers are sufficiently protected. Large companies try to use more independent means of finding the right levels of security and get involved in user groups or use technical analyst firms, such as META Group or Burton Group, that have no expectation of profit from setting the bar too high.1