Engineers tend to get caught up in the bits and bytes of how to protect their networks. That's natural, but it can obscure the most obvious thing: The most important element of security is the person pushing the buttons and holding the phone.
This thought struck us as we read a few recent stories. One was a well-done but fairly generic wireless security piece at Wi-Fi Planet. Its premise is that steps must be taken for when, not if, a device is lost or stolen. The other piece is a blog post describing the unhappy -- but amusing -- experience of a Dark Reading senior editor when she made the mistake of using a public Wi-Fi kiosk at the recent Black Hat conference. We could have told her it was a bad idea.
A third story, at IT Pro, details how to secure Bluetooth. Again, the underlying theme is that there are a lot of ways in which operator error, ignorance or laziness increase the odds of -- if not downright cause -- security breaches. The biggest problem is that unless its settings are changed, a Bluetooth device stays in discoverable mode and announces itself to everyone in range, including any hackers who happen to be in the neighborhood. It's up to the operator to change the default setting -- but few do.
It seems that IT departments can employ two overlapping, imperfect strategies. One is management-based. Organizations must implement strong security policies (perhaps stronger than those in place today), back them with education, and encourage user involvement. The bookend approach is technology-based. It involves strong encryption, software that remotely wipes data off devices that are lost or stolen, and other measures.
Both strategies have significant shortfalls. Human error and misjudgment can't be eradicated. Indeed, phishing and other social engineering attacks -- both general and mobile device-specific -- will get worse over time.
Likewise, hackers and crackers will always be searching for ways to defeat security software -- and in too many cases they will succeed. In the final analysis, the effectiveness of both strategies depends on the user. Applied together -- and with an engaged user population -- they can keep mobile devices reasonably well protected.