Computer security is a hot topic. Ask Barclays. Or Halifax. Or Egg. Or any other financial institution which has recently discovered the hazards of online banking.
Most such institutions probably suffer more from electronic intruders than they let on, but because they are wary of bad publicity it is only when customers' credit card details are plastered all over the site that the rest of us get to hear about it.
By definition, e-businesses have security problems. These arise from a logical connection between two simple propositions: to be in e-business, they have to be on the net; and if they are on the net they are vulnerable to online attack.
Some web companies have been almost criminally negligent about security, but most are now very concerned about it. They operate behind 'firewalls' - special servers which stand between their internal networks and the internet - and use strong encryption for confidential data. These prevent company employees from accessing a computer without a password.
Which is all very well but often useless because it ignores another simple fact, that a chain is only as strong as its weakest link. A chief executive who feels secure because his company operates behind a firewall and uses strong encryption is like a householder who fits unpickable locks on his front door and then declares that the house is safe from burglars, while at the same time failing to notice that all the windows are wide open.
I once ran a workshop for a group of software engineers employed on a big programming project at a nuclear installation. They told me of a competition they had run to see who could get into the site with the daftest imitation of a security pass. The guy who won flashed a box of John West sardines at a gatekeeper and was nodded past.
The weakest links in most companies' security chains are their employees. This is not because they are venal, but because busy humans find it irksome to adhere to the procedures required for maintaining security. Ideally, employees should change their passwords every two weeks or so. Most, however, cannot be bothered - and even when prompted usually choose another banal, easy-to-guess variation on the usual themes (name of spouse or child, car registration, telephone number, etc.).
Similarly, tight security dictates that users should keep their passwords secret. Yet I have lost count of the number of times I have passed someone's computer and noticed a Post-It note containing its user's password stuck to the side. And there was an interesting story recently about how discarded office computers are regularly disposed of without having their hard disks wiped of gigabytes of confidential and commercially sensitive data.
I was brooding about this when someone sent me a new book by Bruce Schneier, a leading expert on security. Years ago he wrote a book on applied cryptography. In it he described a 'mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions - unregulated gambling, undetectable authentication, anonymous cash - safely and securely'.
In a famous comment, he went on to say: 'It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.'
Schneier's book had a tremendous impact in its day, persuading its readers 'that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure'.
No longer. 'The error of Applied Cryptography,' says a rueful Schneier in the preface to his new book, 'is that I didn't talk at all about the context. I talked about cryptography as if it were The Answer. I was pretty naïve.'
Well, at least he's honest.