A program for protection of proprietary information must be active and supported by all employees, including regular, temporary, and contract employees, who create, handle, or in any way have access to such information. A balanced program includes three elements: prevention, detection, and recovery. Companies must safeguard the hardware, software, and proprietary data against damage, alteration, theft, fraudulent manipulation, unauthorized access and disclosure, and denial of use. Financial records should receive the most careful treatment. Security managers should also recognize that computer hackers have more resources for attack than corporations have to repel attackers. Computer systems that are the most vulnerable to abuse have one or more of the following characteristics: inadequate password management, improper access and usage controls, networking vulnerabilities, improper management of backup files, inadequate protection of sensitive data, lack of security awareness by users, and inadequate use of technology. Countermeasures should be based on a security survey and should use layers consisting of physical countermeasures, administrative countermeasures, personnel subsystems countermeasures, and computer system countermeasures. Corporations should also plan for the possibility of a disaster that prevents a company from using its computer equipment. They should also recognize the specific responsibilities of employees, originators or owners of data, and suppliers of services and ensure that these responsibilities are met.