Good practice key to plugging security leaks


Just as everyone knows that using your date of birth as your ATM pin code is definitely not a good idea, anyone who uses passwords to hide confidential information on a computer knows that "za8goOsh" is a better choice than "password". Or "secret". Or "ireland", writes Robin O'Brien Lynch

Despite this, sloppiness is widespread in the business community when it comes to protecting information. Whole offices have "dublin" as the log-in code for every computer in the building. Senior executives stick a Post-it with their password under the keyboard.

Individual email accounts are open to all users, even temps or students on placement.

According to Mr Giles Fitzgerald, who has worked as IT administrator for several multinationals, a casual attitude to security has grown up amongst generations of workers.


"Over the last decade, people have come into the workforce accepting that a PC at every desk is standard, and internet usage has become saturated in the business market," he says.

"Proper security is seen as tiresome and a bit geeky, and no-one wants to go through the rigmarole of changing their passwords every couple of months. The attitude that 'It'll be grand' very much prevails.

"Ideally, computer passwords should be at least seven or eight characters long and be composed of upper-case and lower-case alpha-numeric with some punctuation characters thrown in. They should not contain dictionary words, phone numbers, name derivatives, number plates or rehashed versions of old passwords.

"While not easy to remember, implementing measures such as these on a user level will make it a lot harder to crack a user account than with a password like 'rover' or 'titchlovesdee'."
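The rules Mr Fitzgerald lists can be turned into a mechanical check that runs whenever a user picks a new password. The script below is an added example written for this article, not code from the newspaper or from Mr Fitzgerald; the word list, the leetspeak substitution table, the number-plate pattern, the example name parts and the old-password list are all constructed assumptions, and a real deployment would load a proper cracking wordlist in place of the handful of words shown.

```python
"""Password-policy check for the rules quoted above (added example; not the
article's or Mr Fitzgerald's code). Rejects short passwords, missing character
classes, dictionary words (including leetspeak spellings), phone-number-length
digit runs, Irish-style number plates, name derivatives and rehashes of old
passwords. The word list, name parts and old passwords are constructed inputs.
"""
import difflib
import re
import string

MIN_LENGTH = 8
REHASH_SIMILARITY = 0.75   # difflib ratio at or above which a password is a rehash

# Constructed mini word list; a real check would load a full cracking wordlist.
DICTIONARY = {"password", "secret", "ireland", "dublin", "rover",
              "titch", "love", "summer", "qwerty"}

# Undo common letter-to-symbol substitutions so "p4ssw0rd" still matches "password".
LEET = str.maketrans("013457@$", "oleastas")

PHONE_RE = re.compile(r"\d{6,}")                                  # six or more digits in a row
PLATE_RE = re.compile(r"\d{2,3}[- ]?[A-Za-z]{1,2}[- ]?\d{1,6}")    # e.g. 03-D-12345 (assumed format)


def _dictionary_hit(pw):
    """Return the first dictionary word found in the password, or None."""
    low = pw.lower()
    normalised = low.translate(LEET)
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and (word in low or word in normalised):
            return word
    return None


def _name_hit(pw, name_parts):
    """Return the name part the password is derived from, or None."""
    low = pw.lower()
    for part in name_parts:
        part = part.lower()
        if len(part) < 3:
            continue
        stems = {part, part[::-1]}          # the name itself and its reversal
        if len(part) > 4:
            stems.add(part[:4])             # "fitz" from "fitzgerald"
        if any(stem in low for stem in stems):
            return part
    return None


def _rehash_hit(pw, old_passwords):
    """Return the old password the new one is a rehash of, or None.

    Only possible when the old password is available in clear, i.e. at change
    time; stored history is hashed and can only be compared for exact matches.
    """
    for old in old_passwords:
        if not old:
            continue
        ratio = difflib.SequenceMatcher(None, old.lower(), pw.lower()).ratio()
        if old.lower() in pw.lower() or ratio >= REHASH_SIMILARITY:
            return old
    return None


def check_password(pw, name_parts=(), old_passwords=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation character")
    word = _dictionary_hit(pw)
    if word:
        problems.append(f"contains dictionary word '{word}'")
    if PHONE_RE.search(pw):
        problems.append("contains a phone-number-like digit run")
    if PLATE_RE.search(pw):
        problems.append("looks like a number plate")
    name = _name_hit(pw, name_parts)
    if name:
        problems.append(f"derived from the name '{name}'")
    if _rehash_hit(pw, old_passwords):
        problems.append("rehash of a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "za8goOsh", "titchlovesdee", "K#9pWq2!vLx7"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the article's own "za8goOsh" passes every rule except the punctuation one, which is the point of the quote: it is far better than "password", not ideal. The rehash check is the one rule that cannot be enforced from stored data alone, because password history is kept as hashes; it has to run at change time while the old password is still in hand.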

Leaks are not only the work of highly skilled hackers with malicious intent breaking into a company's database from a bedroom PC.

A central database will naturally be well protected, and dedicated code-crackers will always cause problems.

It is poor IT practice that is the "hidden" risk, and it is not always taken into account.

Potential problems range from ex-employees with an axe to grind and who still have remote access to the company network, to prank emails sent from another user's account, which may cause legal problems as well as embarrassment.

New technology brings with it new difficulties. WiFi hotspots are becoming increasingly popular (examples in Ireland include Dublin Airport and the Four Seasons hotel in Ballsbridge), where users with WiFi-compatible PDAs or laptops can sit down and access the internet without a wired connection.

While hotspots have yet to mushroom as they have in the States (where IBM plans to provide wireless access at 1,000 truck stops as it is estimated that about 25 per cent of US truckers travel with a laptop) the Department for Communications has pledged to spread access across the State.

The risk is that these wireless networks are not always safe. An open hotspot is shared with every other device in range, so without encryption anyone nearby can capture other users' traffic, probe their machines and steal information.

This led to the phenomenon of "warchalking", where people who found a spot outside an office building where the network reached the street would chalk a symbol on the pavement, indicating whether the node was open or protected, so that other warchalkers could come along and use the network.

Again, you don't have to be the subject of an underground conspiracy to be caught out. Even with recent security developments such as WiFi Protected Access (WPA), which encrypts traffic and, in its enterprise form, authenticates each user individually, company information can still be inadvertently transferred or leaked to strangers: a laptop that joins a public hotspot sits on the same network as every other customer, and any file share or service it exposes is visible to them.

Handhelds and laptops can cause problems if they are connected to the company's central network.

Individual users are more at risk from viruses than big corporations with sophisticated scanning systems, and these can be spread from an individual PDA throughout the system. These gadgets may also be stolen while outside the office and give outsiders access to sensitive data.

The final responsibility lies with the company and its policy, says Mr Fitzgerald. "Employees need to be given a clear security protocol. They can't be expected to keep abreast of the latest patches and dangers. Management need to formulate a secure policy to prevent leaks and attacks.

"It is the responsibility of a good network administrator to cycle passwords and enforce password expiry on a regular basis. They should also keep a watchful eye on active and inactive user accounts and the telltale signs of a cracked user account, i.e., increased network traffic on a particular account, attempted remote connections, security and access logs.

"Outdated and insecure technologies, such as telnet, which allow passwords to flow unencrypted across a network, should also be dropped in favour of more secure systems such as SSH.

"You wouldn't ask your IT guy to stay up-to-date with mergers and acquisitions, so why ask the rest of your staff to understand the finer details of data privacy?"
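The telltale signs Mr Fitzgerald lists, attempted remote connections, unusual activity on one account, and accounts nobody has used in months, can be pulled out of ordinary access logs with a short script. The one below is an added example written for this article, not code from the newspaper or from Mr Fitzgerald. It reads SSH server log lines in the RFC 3339 timestamp format that rsyslog can emit; the host name, addresses, account names, the baseline of "known" source addresses, the leaver account and the thresholds are all constructed assumptions for the demonstration.

```python
"""Auth-log review for the telltale signs quoted above (added example; not the
article's or Mr Fitzgerald's code).

Parses constructed sshd log lines in rsyslog RFC 3339 format and flags:
  * a burst of failed logins against one account (a guessing attack),
  * a success for an account from a source never seen for it before
    (an unexpected remote connection, e.g. a leaver who still has access),
  * a success following a failure burst from the same source (likely cracked),
  * accounts with no successful login in INACTIVE_DAYS (candidates to disable).
Host name, addresses, account names and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

FAIL_THRESHOLD = 5                    # failures per account ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window count as a burst
INACTIVE_DAYS = 90

# Constructed baseline: the sources each account normally connects from.
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.11"}, "carol": {"192.0.2.12"}}
# Constructed account directory; "dave" has left the company but was never removed.
ACCOUNTS = ["alice", "bob", "carol", "dave"]

# Constructed sample log: a normal login, a guessing run against bob that
# succeeds, a stray probe of a non-existent account, and a late-night login
# by the leaver from an outside address.
SAMPLE_LOG = """\
2003-11-20T09:00:05+00:00 fileserver sshd[2001]: Accepted password for alice from 192.0.2.10 port 50213 ssh2
2003-11-20T09:01:11+00:00 fileserver sshd[2002]: Failed password for bob from 203.0.113.7 port 41002 ssh2
2003-11-20T09:01:15+00:00 fileserver sshd[2003]: Failed password for bob from 203.0.113.7 port 41003 ssh2
2003-11-20T09:01:20+00:00 fileserver sshd[2004]: Failed password for bob from 203.0.113.7 port 41004 ssh2
2003-11-20T09:01:24+00:00 fileserver sshd[2005]: Failed password for bob from 203.0.113.7 port 41005 ssh2
2003-11-20T09:01:30+00:00 fileserver sshd[2006]: Failed password for bob from 203.0.113.7 port 41006 ssh2
2003-11-20T09:01:41+00:00 fileserver sshd[2007]: Accepted password for bob from 203.0.113.7 port 41007 ssh2
2003-11-20T09:15:00+00:00 fileserver sshd[2008]: Failed password for invalid user admin from 198.51.100.4 port 33001 ssh2
2003-11-20T22:40:00+00:00 fileserver sshd[2009]: Accepted publickey for dave from 198.51.100.9 port 60001 ssh2
"""


def parse(log_text):
    """Turn matching log lines into events sorted by time; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "Accepted",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def review(log_text, now):
    """Return (kind, account, detail) alerts for the signs listed in the quote."""
    alerts = []
    recent_fails = defaultdict(deque)   # account -> (time, source) of failures in the window
    burst_sources = defaultdict(set)    # account -> sources that produced a burst
    bursts_reported = set()
    last_success = {}

    for e in parse(log_text):
        user, src, ts = e["user"], e["src"], e["ts"]
        if not e["ok"]:
            q = recent_fails[user]
            q.append((ts, src))
            while q and ts - q[0][0] > FAIL_WINDOW:
                q.popleft()                     # drop failures outside the sliding window
            if len(q) >= FAIL_THRESHOLD and user not in bursts_reported:
                bursts_reported.add(user)
                burst_sources[user].update(s for _, s in q)
                alerts.append(("failure_burst", user,
                               f"{len(q)} failures within {FAIL_WINDOW} from {src}"))
            continue
        last_success[user] = ts
        if src in burst_sources[user]:
            alerts.append(("success_after_burst", user,
                           f"login from {src} after guessing attempts; treat as cracked"))
        elif src not in KNOWN_SOURCES.get(user, set()):
            alerts.append(("new_remote_source", user, f"first login seen from {src}"))

    cutoff = now - timedelta(days=INACTIVE_DAYS)
    for user in ACCOUNTS:
        seen = last_success.get(user)
        if seen is None or seen < cutoff:
            alerts.append(("inactive_account", user,
                           f"no successful login in {INACTIVE_DAYS} days; disable pending review"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG, datetime.fromisoformat("2003-11-21T08:00:00+00:00")):
        print(f"{kind:20s} {user:8s} {detail}")
```

Run on the sample, it reports the guessing run against bob and the success that follows it, dave's login from an address never seen for that account, and carol as an account with no login on record. Alice's routine login from her usual address produces nothing, which is what keeps a report like this readable when it runs every morning. The "known source" baseline is the weak point: it has to be built from a period you trust and reviewed when people change desks or start working from home, or the new-source alerts become noise.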