In an era when more and more intruders are coming after corporate data for profit, not just for fun, a layered approach to security is more important than ever. The approach must be built on sound policies that are effectively communicated throughout the organization and backed up with spending on the right controls, but not too much spending in any one area.
In a nutshell, that’s the philosophy that Intel’s internal IT group follows to protect the company’s own considerable corporate assets, according to Michael Sparks, senior security specialist with Intel’s Technology Information Risk & Security group.
In his talk at the recent Network World IT Roadmap Conference & Expo in Santa Clara, and in a follow-up interview, Sparks warned that we are now facing third-generation cyber attacks. Whereas first-generation attacks were launched mainly by those looking for some measure of notoriety, the motive shifted in the mid-1990s with second-generation attacks that sought to bring down corporate computers. Today, the motive is financial gain and the target is data, whether personal data such as credit card numbers or corporate intellectual property, either of which can be sold for profit.
“If people are getting paid for it, they’re going to go where the money is,” Sparks says.
In his talk, Sparks described the current security climate as a “perfect storm,” in which threats – meaning people – continually try to exploit known vulnerabilities in computer systems. This combination represents a risk to business assets, including confidentiality and integrity of data, and loss of the data itself. So the business must implement some form of control to protect itself, such as antivirus software, an intrusion-detection system or encryption. No sooner is one control implemented than a new vulnerability crops up, starting the cycle all over.
The regulatory climate adds to business risk, because public companies such as Intel must comply with the Sarbanes-Oxley Act as well as California’s database breach disclosure law. Such regulations can pull security budget dollars away from areas that the company may want to protect, forcing it to spend the money instead on areas it is legally bound to protect, Sparks says.