Q. Can you outline some of the risks small businesses or home PC users face by not having a pro-active security approach?
A. Computer threats are far more sophisticated today. PCs are being used increasingly for illegal activities and possibly managed by those involved with organised crime.
In many instances, you may not know for some time that your computer's security has been breached.
However, if you do discover your PC has been compromised, you are likely to find one of three things: your computer has had a keystroke logger installed which may be recording personal information such as identities and passwords to sites such as bank accounts; someone is using your PC to store files (often pornography); or your PC is being used to send out spam emails.
Q. How can you tell if your computer is being used for such purposes?
A. One of the most common symptoms is that the computer starts to slow or you notice a large amount of outgoing data on the internet connection.
Our advice is that people download a relatively new, free for download Microsoft utility that will regularly check for unwanted software and remove it automatically. This can be found at www.microsoft.com/spyware (link at the bottom of this page).
Q. What other risk factors do people need to be aware of?
A. A number of today's security risks are brought into an organisation by its people. Take USB memory sticks as one example. While they are useful in so many respects, they are a CIO's nightmare because they are so easy to carry, connect and use.
This, coupled with their high storage capacity, means people can download vast amounts of confidential information and walk out with it in a fast timeframe.
They're also great for uploading viruses.
Already, we are starting to see some organisations go to extreme lengths such as putting epoxy resin in the USB ports to prevent people from using them, in a bid to curb at least one security risk.
Another simple and small device that those with malicious intent can quickly install in organisations is a hardware keystroke logger, which connects between the keyboard and the PC and looks like it belongs among all the wires, dust and spiders at the back of a PC - a place many of us don't regularly check.
These devices can record millions of keystrokes - many days of typing - and they have been used for a diverse range of purposes such as stealing exam questions from teachers' PCs, logging bank account details and spying on individuals.
Q. Is Microsoft planning to make any changes to its technologies to help curb these practices?
A. At some stage in the future, there's little doubt that keyboards will have encryption built into them from the keys to the PC.
In Windows XP, there are already ways in which customers can disable USB memory keys. But these can be circumvented by the USB key manufacturer if they don't want their device to be "seen" by Windows XP as a memory device.
It's a fairly safe bet that future releases of Windows, including Longhorn, will improve on this and provide options for PC administrators to manage usage of these devices in a more granular fashion than they can today.
Unfortunately, security often comes back to the individual and one worrying statistic comes from a British survey done last year. When asked, more than 70 per cent of respondents said they would swap their password for a bar of chocolate.
No doubt there is a tongue-in-cheek aspect to this, but the results indicate that many people do not understand the importance of proper password management when it comes to security. Add to this the fact that too many people still use the same password for all their identities and log-ons and you have a situation where IT security can be easily compromised.
To help mitigate this risk, several organisations are introducing what is called two-factor authentication. You might enter a log-on ID and password as usual and then a one-time password is provided to you (and only you) to enter as a second password. It is likely that the future will see this sort of technology being broadly adopted for online banking, purchasing and interaction with government services.
Q. Are there other simple things that organisations could consider to minimise their security risks?
A. There is a simple three-step process that we constantly encourage people to follow and we find most risks can be avoided with it:
* Use an internet firewall.
* Sign up for computer updates.
* Use up-to-date anti-virus software.
Business mentor: Many ways to beat ever-present threat to PCs