So how paranoid do you have to be to protect your company’s information? That depends entirely on your company, the potential cost of losing data, and the security policies your company adopts. Typical American businesses might not need to worry about intruders tapping into their network cables, but many government organizations worry about precisely that. Most companies might not need to worry about someone reprogramming hubs and switches to eavesdrop on network traffic, although large financial institutions, with their increased liability for compromised information, take extra steps to protect their hubs and switches. Some organizations, such as companies in the health care industry, are required by law to provide security measures for certain types of data. Physical security can be expensive; the level of physical security you implement will depend upon your organization’s needs and requirements.

As I mentioned earlier, simply knowing about your security vulnerabilities—even if you choose to do nothing about them—is half the battle. Once you know what your vulnerabilities are, you and your company’s managers can look at the cost of fixing those vulnerabilities and decide what’s right for your company.

As with all security implementations, the measures you take to mitigate vulnerabilities depend on your particular situation. There is no one-size-fits-all security strategy. For example, an airline may value its reservations database above all other assets, ...