How can we stop being cyber idiots

Image caption: Are you guilty of poor cyber-security habits?

Humans are often the weakest link in the chain when it comes to computer security.
So how can we stop doing silly things that play into the hands of cyber criminals?

When you ring IT support, you know the geek on the other end of the line thinks you're an idiot. It's the heavy sigh and patronising tone that give it away.

In fact, they have an acronym for us - PEBKAC. It stands for Problem Exists Between Keyboard And Chair.
That's you and me.

And before you get on your high horse full of indignation, ask yourself: when did I last back up my data? How many online accounts do I use the same password for? How many times have I clicked on a link in an email without really knowing who sent it?

Every year we're reminded how dumb we are when it comes to choosing passwords. These range from the obviously bad "123456" and "password", to the only marginally improved "12345678" and "admin". Other popular ones, according to a list drawn up from those found in breaches, are "letmein", "iloveyou", "welcome" and "monkey".

Image caption: Admit it, you've often written down your password in a place anyone could see it, haven't you?

With passwords like these, a child of two could probably break into your account after bashing on the keyboard with a toy hammer for a few hours.
The fact is we're lazy.

"A lot of people forget their password and then just use the temporary password the IT department gave them," says Thomas Pedersen from OneLogin, an identity and access management company.

"The problem is that these temporary passwords can sometimes last a month.

"So in a large organisation, there are potentially hundreds of people using the same password.

"This makes them vulnerable to a password scrape attack - taking the most common passwords and trying them on millions of accounts," says Mr Pedersen. "The hackers will get a hit every 5,000 to 6,000 times."

Once inside the system, the hackers can cause havoc.
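A defender's view of the password scrape attack Mr Pedersen describes, as an added example that is not from the article or from OneLogin: a small Python detector reads a constructed authentication log and flags any source that fails against many different accounts with only a few attempts each, which is the trace a spray leaves and which per-account lockout thresholds never see. The log format, the IP addresses and the threshold values are assumptions.

```python
"""Detect password-spraying ("password scrape") activity in auth logs.
Constructed format, one line per attempt: <ISO ts> <src_ip> <user> <SUCCESS|FAIL>.
A spray is the inverse of brute force: a few common passwords tried once each
against many accounts, so per-account lockout never trips. The signal is one
source failing against many distinct usernames, each only a few times."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays one guess across six accounts and
# gets a hit on "frank"; 198.51.100.2 hammers a single account instead.
SAMPLE_LOG = """\
2018-11-01T09:00:01 203.0.113.7 alice FAIL
2018-11-01T09:00:08 203.0.113.7 bob FAIL
2018-11-01T09:00:15 203.0.113.7 carol FAIL
2018-11-01T09:00:22 203.0.113.7 dave FAIL
2018-11-01T09:00:29 203.0.113.7 erin FAIL
2018-11-01T09:00:36 203.0.113.7 frank SUCCESS
2018-11-01T09:01:00 198.51.100.2 bob FAIL
2018-11-01T09:01:05 198.51.100.2 bob FAIL
2018-11-01T09:01:10 198.51.100.2 bob FAIL
2018-11-01T09:01:15 198.51.100.2 bob FAIL
2018-11-01T09:02:00 192.0.2.10 alice SUCCESS
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def find_sprays(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {source_ip: sorted usernames} for sources that, within any
    `window`, failed against >= `min_users` distinct accounts while never
    exceeding `max_per_user` failures on any one of them."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails_by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):  # sliding time window per source
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.setdefault(ip, set()).update(per_user)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

The brute-force source is deliberately not flagged here; a per-account lockout rule catches that case, while this rule catches the one it misses.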
- Use as long a password as you can cope with - at least more than eight characters
- Mix upper case and lower case characters with symbols and numbers
- Try not to use easily guessable words - the names of your children, spouse, pets, favourite sports teams and so on
- Avoid sharing passwords with other people
- Use different passwords for different sites and services
- Use two-factor authentication
- Consider using a password manager such as Dashlane, Sticky Password or Roboform

The UK's National Cyber Security Centre has also published lots of advice about choosing and using good passwords.

Major data breaches are becoming almost weekly occurrences, with Facebook, Cathay Pacific, British Airways, Reddit, Wonga, and Dixons Carphone joining a long list of corporate victims in recent months.

Two-factor authentication - using your smartphone or a separate dongle to provide an extra layer of security on top of your main log-in details - is becoming more common, especially using biometrics such as voice, fingerprint, and facial recognition.

But these are less suited to the corporate environment because desktops don't usually come with fingerprint readers or video cameras built in, Mr Pedersen points out.

We're also pretty dumb when it comes to clicking on links and downloading content we shouldn't, says Ian Pratt, co-founder of cyber-security firm Bromium.

A lot of these links are loaded with malware - programs designed to burrow through corporate security systems, steal data or even take remote control of machines.

"More than 99% of [malicious links] are run-of-the-mill criminal malware that are not targeted," he says. "That malware is trying to spread pretty aggressively, but they do not use any clever tricks."

The simple stuff works.

Image caption: Many cyber-attacks were successful because we clicked on something we shouldn't have

"More than 70% of the breaches that we hear about have started on a PC with some hapless user clicking on something that lets attackers get on to the network," says Mr Pratt.

And hard-pressed IT departments have had their lives made even more difficult in recent years by the surge in mobile phones, laptops and tablets we use for work as well as for private purposes.
So, many large firms are focusing on making the desktop PC idiot-proof.

Bromium's tech works by isolating each and every action that takes place on a PC - sandboxing, to use the jargon.

"Almost every task performed effectively gets its own computer," explains Mr Pratt. "As soon as you finish that task we effectively throw that laptop away and get out a new one."

This means that if you click on a malicious link, the malware is isolated and can't escape to infect the rest of the network.

Image caption: Would face recognition and other biometrics improve security in the workplace?

But keeping an eye on what we're doing across a sprawling IT network is very hard, says Paul Farrington, a former chief technology officer for Barclays and now a consultant at security firm Veracode.

Large organisations being clueless about the extent and reach of their IT assets is "very common", he says.

A project Veracode carried out for one high street bank discovered 1,800 websites the organisation had not logged.

"Their perimeter can be 50% larger than they originally thought it was," says Mr Farrington.

And this ignorance can also extend to the number of computers - or "endpoints", in the jargon - sitting on a corporate network, says Nathan Dornbrook, founder and head of security firm ECS.

One of his clients has more than 400,000 machines to manage, and several other customers have similar numbers.

"The machines could contain substantial amounts of information and customer data, passwords to internal systems, and all sorts of bits and pieces in the easy single sign-on applications that cache credentials locally," he says.

In other words, just one of these PCs could be an Aladdin's cave to a hacker.

"If one attack gets inside," says Mr Dornbrook, "you lose the whole enterprise."

So given that we're PEBKACs and IT departments are overloaded, automated systems are becoming increasingly necessary, cyber-security experts say.

For example, ECS uses the Tachyon tool from security firm 1E to help monitor millions of PCs and keep them updated with the latest software patches and security updates.

"Otherwise you just don't have time to react," says Mr Dornbrook.

Many other cyber-security companies are moving from a firewall approach to automated real-time traffic monitoring, looking for strange behaviour on the network.

But it would certainly help if we all didn't behave like PEBKACs at work and casually give away the keys to the kingdom.

Follow Technology of Business editor Matthew Wall on Twitter and Facebook