There has been much emphasis in recent years on anti-virus protection but some experts believe that although it is important, it can miss the point. Last month Jay Heiser, an analyst at research firm Gartner, wrote a report on what he called 'Data Leakage'. He said loss of data was often not due to theft but other factors. 'In civilian governments and the corporate world users just don't have the expertise to classify all the sensitivity of the information they use. As a result, they send huge amounts of inappropriate e-mails, and store highly sensitive data on laptops and memory sticks, ignorant of the risk it represents to their employers,' he said. Protecting corporate data is more than simply preventing the villains from getting into your network. It also means making sure your own employees don't give out secrets, intentionally or otherwise. Thomas Parenty runs his own security consulting company, Parenty Consulting, in Hong Kong. He has years of experience in the United States where he worked on sensitive projects such as nuclear command and control systems. He said external threats should be prevented, but were rarely the most significant. 'When considering how to protect corporate computer networks from attack it is important to understand what types of threats a particular security measure protects you from. Anti-virus solutions, for example, protect against external attacks. The most costly types of computer crime involving large-scale financial fraud and intellectual property theft, however, are almost always perpetrated by someone inside the organisation. 'While a valuable component of information security preparedness, anti-virus solutions do nothing to protect against these internal attacks,' he said. One way to avoid the malware problem is to not use the internet at all. Robert Soden is the regional director for Asia at Authentify, a US-based company that uses the telephone network and voice recognition to allow people to access banking and other services. 'To do security on the internet you actually have to get off the internet. That's why we highly recommend the use of a second channel which should be out-of-band - in other words a telephone call.' Mr Soden said one of the advantages of this kind of system was that you did not leave passwords on PCs that could be lost or stolen. Richard Kershaw, vice-president of business intelligence and integrity risk practice at security firm Hill & Associates, said compliance was playing a greater role these days in the design of security systems. 'Recent corporate information security focus has been driven by what lawmakers are forcing companies to care about, which is how authorised users - insiders - access and utilise information.' Mr Kershaw said Asia was a challenging market in this regard. 'Many multinational corporations face compliance requirements from the US and Europe, data protection requirements by jurisdiction in Asia-Pacific, and the credit card industry's Data Security Standard, which is also impacting compliance programmes in Asia. 'Anti-malware has its place, but is a baseline tool to protect against code from the outside. Information security is increasingly concerned with usage on the inside,' he said. No IT security expert would deny the importance of the kind of protection an anti-virus company can provide, but many would say it is only a small part of a total system. An unhappy employee is in a far greater position to wreak havoc on a company than a teenager in in his parents' basement. But a good security policy should prevent both from hurting your company.