"Too much attention has been focused on the outside threat," says Shannon Clyde, information security officer for Travis County, Texas. "I'm just as worried about 'Joan' in accounting making a naïve mistake and trashing financial spreadsheets or making information available where it shouldn't be."
Protecting systems from insiders requires equal attention and a different approach. The foundation is developing and enforcing security policies that can prevent insiders--either through negligence or bad intent--from damaging systems and data or opening holes that others can exploit. But because it's so difficult to design, implement, and enforce information-security policies, many companies don't create them. Or the policies are written and then ignored until security problems crop up.
Security managers have tools to help them develop and enforce security policies, and vendors are enhancing those products to make it easier to automate the process. Clyde used Policy Operations Center from BindView Development Corp. to create a security policy for the county. He also uses BindView's BV-Control to monitor system configurations and settings to tell him how well those systems match the policies, and he's looking at new BindView products to help him push system configuration and setting changes out to devices on the network.
For example, a legal clerk may need high security settings and be monitored more closely than employees and systems that don't handle sensitive information or aren't involved with crucial networks. "This has to become part of the daily routine," Clyde says. "The days of security as an afterthought are over." Without such security technology, Clyde says he'd need a much larger staff to manually enforce policy settings. "It lets you centralize policy enforcement and establish appropriate settings on individual systems," he says.
But security pros like Clyde want more from these tools. They want to be able to embed security policies into business processes. They want real-time monitoring that sets off alarms when a policy is violated. They're also looking to better secure network "end points," such as desktops, notebooks, and handheld devices, so users can't inadvertently create back doors into important systems and databases. They also want to control the dissemination of intellectual property and confidential information better. And when something goes awry, they want an easier way to investigate and fix the breach than the tools available today allow.
Security breaches can be very costly to businesses. Some 41 companies said they lost $170.8 million last year from the theft of proprietary information, according to the 2002 CSI/FBI Computer Crime and Security Survey. That's up from $33.5 million in losses reported by 20 companies in 1998.
Security isn't cheap, but it can seem a bargain when compared with potential losses. The companies reporting thefts last year had losses of more than $4 million, on average. Software to automate security policies starts at $10,000 to $30,000, but it can cost much more depending on the size and complexity of the systems and applications involved.
Security vendors sense a growing opportunity. Those that develop tools to create, implement, test, and enforce information-security policies--some of which operate in real time--say they're adding features and capabilities to their software in the coming months. They also know that regulations such as the Health Insurance Portability and Accountability Act for health-care organizations and the Gramm-Leach-Bliley Act for financial firms are putting businesses under new pressure to secure their systems and data.
Many organizations have devoted much effort in recent years to beefing up defenses against external attacks. They've installed firewalls along the network perimeter to fend off intruders, application firewalls to protect Web applications, intrusion-detection systems to monitor for attacks emanating from the Internet, and antivirus software to protect servers and E-mail systems.

Outside security threats have been overemphasized, says Clyde, information security officer for Travis County, Texas.