The story—perhaps apocryphal but told in the sedate Smithsonian magazine—is that bank officials confronted the thief in a restaurant over breakfast.
He coolly confessed. If they tried to jail him, why, he’d blow the whistle on the bank’s vulnerable computer system. And it would cost more than $8 million to fix.
So the bank officials just asked him to step down quietly.
Leaving the table, the crook smiled.
“I’ll keep the eight million,” he said, “but I’ll pick up the tab for breakfast.”
Definitely, then, Donn Parker was on target when he once called computer security “first and last a people problem.”
People and Policies: Working with the Right Ones
Honest, loyal employees are more important than the latest security gizmos. Use common sense. Beware of the $26,000-a-year programmer who suddenly acquires a posh home and a sports-car collection. Don’t pry. But don’t shut your eyes, either.
Start with a sensible hiring policy. Decide on the questions you want to ask applicants and their references—about the prospective employees’ backgrounds and characters. Then bounce them off your legal department. The rule of thumb is that you won’t get in trouble if the questions are related to the job. IBM has said it doesn’t even ask applicants about their ages or marital statuses. If there aren’t legal obstacles, you might invest $25 in a credit-bureau check of a keypunch clerk but perhaps several hundred dollars for a top programmer. Keep in mind the notorious lack of reliability of many reporting services. Check for criminal records when hiring for responsible positions. A Maryland hospital didn’t. It hired a convicted embezzler, a computer operator who later diddled $40,000 out of the system.
Granted, there are occasions when you might knowingly hire an ex-con to give him a chance. But ask the normal questions. What’s he done to justify your trust since his sentencing? What are your risks? How much could he steal, and how?