In many offices, computers are treated casually, making it relatively easy for the unscrupulous to break in and steal data or funds. Use your organisation's password procedures to lock out e-intruders.

1. Establish a policy of changing all passwords quarterly, sooner if a problem employee is terminated or other e-trouble occurs.

2. Maintain an updated record of employee passwords. Prevent employees from locking you out of your own computer system.

3. Use your e-policy to notify staff that passwords are the property of the organisation, not the individual employee.

4. Instruct employees to store passwords in secure locations. It is not uncommon to find password lists taped to computer monitors or sitting in employees' unlocked desk drawers. Common carelessness like this negates the purpose of security.

5. Prohibit the use of passwords that reflect personal information, such as an employee's name, birth date, social security number, or child's name. Instruct employees to create passwords that combine numbers, punctuation marks, and uppercase and lowercase letters.

Restrict Computer Access.

While some organisations maintain tight physical security, controlling access to the building and monitoring movement throughout the facility, other companies exercise almost no control over visitors' activity. Likewise, effective e-risk management calls for the establishment of a few basic security measures.

1. Because it is tempting for co-workers, visitors, and hackers to walk up and use an open, online computer, instruct employees to shut off their computers if they plan to be away from their desks for more than an hour. If you prefer to automate, you can establish a password system at the workstation or network level. After a certain period of time, employees would have to use passwords to re-enter unattended computers.

2. Authorise the chief information officer to establish policies that restrict remote access to your computers.

Investigate Unusual Behaviour.

If you notice or suspect out-of-the-ordinary employee behaviour, have your information management people check it out. Systems professionals will know what you mean by "odd" behaviour, and they can do a search to see if the employee in question has been dialling into the network in the middle of the night, downloading a large number of files, or engaging otherwise in suspicious activity.

In addition to investigating isolated incidents, take steps to stifle employee urges to misbehave.

1. Conduct periodic reviews to ensure that employees are not attaching unauthorised storage devices to their computers.

2. Look for clues. If an employee brings a large, removable drive to work, find out what's up. Oversized removable drives are used to download really large files. Ignore the obvious and you may facilitate the theft of valuable company data by an employee who is going into business or joining a competitor. Similarly, if you see an employee walking in with a new box of floppy disks or the like, there may be a problem looming. An employee who wants to remove a lot of information in a hurry likely would bring in a removable storage device or a big stack of floppy diskettes. These devices usually work faster than an Internet transfer.

3. Conduct routine audits. It is a good idea to conduct random audits of user e-mail on an annual basis, if not more frequently. If your random review uncovers a problem, such as inappropriate language or extensive personal use of the system, you have the option of developing and enforcing stricter e-mail and Internet policies for the entire organisation or dealing directly with the individual offender.