With the number of information technology security threats constantly on the rise in the war between hackers and the security industry, experts warn that one major loophole often goes unsolved: the user. But while the security industry is quick to point fingers, it also concedes that it has a role to play in educating users about how to protect themselves.

'The Conficker [worm] story tells you that regular security audits and user awareness are crucial despite the millions invested in the hardware and software solutions,' said Kenneth Lo, an executive at Version2, the Hong Kong distributor of ESET Nod32 security software. 'It's easy for the average person to inappropriately operate their computer and expose their system to threats. The fact is that there is no magic bullet for an average person with no security knowledge.'

Instead, they recommend a range of actions that users can take to keep safe. One of the keys to eliminating security risks was reinforcing legitimate behaviour, said Gerald Hong, a director at Lapcom, which distributes Kaspersky security software. 'Using legitimate software is the first step in protecting yourself. If you are using a pirated version, the updates are often disabled and this means vulnerabilities are never patched and the door is left wide open for hackers,' Mr Hong said. He estimated that about 30 to 40 per cent of all software used by consumers in Hong Kong is pirated - an improvement over previous years.

Peer-to-peer sharing websites are another significant source of viruses and should be avoided. Mr Hong recommended using proactive detection engines and additional measures such as personal firewalls and antispam software. Mr Lo said the internet was the most common source of malware, and warned users to ensure that the websites they used were authentic and had not been hijacked as part of a phishing scam, or were not distributing malicious code.
Good antivirus software will help in this process, but you can double-check by visiting sites such as www.internic.net, which will tell you if the domain is actually owned by the organisation it claims to be. The authenticity of applications can also be checked at sites such as www.bit9.com.

'Good password policy is another old trick that everyone should follow,' Mr Lo said. 'It's constructive to use different passwords for computer and online services. Also, practise changing passwords regularly, and avoid simple passwords, especially those that are easily guessed, such as 123456, birthdays and phone numbers.'

Finally, knowing when your security has been compromised is key, especially as malware is designed to operate unobtrusively. Some of the warning signs include: security software missing from the system tray; inability to access the security software publisher's website; a high number of pop-ups; a web browser homepage that is no longer the same as before; automatic operating system updates being disabled; slow start-up; and additional items in the system tray.

'As a normal user, if you see the above symptoms, try to run the Windows System Restore to undo changes; run an online antivirus scanner; or seek advice from security vendors,' Mr Lo said.