Security personnel, heal thyself.
That phrase came to mind as we read this article in PC World. The story details the sloppiness of IT personnel attending the RSA Conference earlier this month in San Francisco. Seems that, again, those charged with securing mobile devices are doing no better job of following the rules than run-of-the-mill mobilized employees.
On one level, of course, this is funny. Indeed, stories like this emerge from every security conference. Security folks, intent on either proving a point or showing up their colleagues (or both), show that a high percentage of the portable devices at the conclave are vulnerable. That raises an important question: Why should we believe what they tell us to do, since they don't take their own medicine?
A Techworld story we saw last week drives home the point that we live in world in which half-hearted efforts won't do. The piece focuses on Canvas, a new tool from Immunity, that can bombard a wireless network with hundreds of known hacker initiatives (or "exploits"). The scary thing is that the tool is just as valuable for the bad guys as it is for the good. Indeed, the story carries comments from ZDNet that say that buyers are screened so that the devices won't end up in the wrong hands. Somehow, that doesn't make us feel better.
The reality is that ultimate responsibility for security rests on the user and not the IT department. It's up to IT to provide up-to-date tools, to make sure devices are patched and otherwise keep the technology shipshape. But that all means nothing if users aren't with the program.
During the past year or so, a number of products and services have emerged to make security as passive as possible for the end user. While we see the logic of such an approach, the unintended byproduct may be that users feel they need to do nothing at all. This isn't true. Everyone who steps outside of the office holding a smartphone, laptop or PDA must follow basic security steps and strive to avoid careless mistakes. Unfortunately, recent events show that these errors still are common. Smart mobile use is the responsibility of users -- whether or not those users are in the IT department.