Jay Heiser, chief analyst at TruSecure, told ZDNet UK that most unauthorised access occurs inside an organisation because users leave their desktops unattended and unprotected.

“When someone sits down at a logged-in terminal they are able to rifle through that user’s files and send or read their email. Screen-locking – activating a password-protected screensaver – is one of the most effective things you can do internally,” he said.

Heiser said that when users are given long and complicated passwords, they are more likely to write them down. “They are going to write them down on Post-it notes next to their monitor or stick them under the keyboard,” he said.

Research has found that companies are hit hard in the pocket when their employees forget their passwords and call the corporate helpdesk. Earlier this year, analyst group Meta calculated that each of these calls costs the company approximately $25.

According to Heiser, regardless of whether passwords are complex or simple, there are lots of tools available on the web that can crack them. A better policy is to use a hardware device, such as a token or smartcard to reinforce access rights.

He said: “You always know if your hardware has been stolen but you don’t know if your password has been stolen.”

Heiser also dismissed the practice of updating anti-virus signatures every day because it is a reactive action rather than a proactive one.

“There is not a huge difference in updating anti-virus signatures on a daily basis and on a monthly basis. Antivirus software is a band-aid – it isn’t worth spending large amounts of time and effort optimising it because there are other ways to reduce risk for a lower cost,” he said.

http://www.silicon.com/news/500013/1/6260.html