By: Rob Bamforth, Principal Analyst, Quocirca | Published: 16th April 2009 | Copyright Quocirca © 2009
Recent news that employees working in government departments have lost or mislaid over 1,000 laptops, more than 500 phones or mobile email gadgets and over 700 other mobile devices—probably memory sticks, cameras and so on—is no surprise. Mobile security, despite all the technology that can be applied, is reliant upon the attitudes of individuals, and past Quocirca research has shown that this is often pretty lax—from the top down.
Those that carry the gadget need to feel they carry the can for the care of the mobile tools provided to them for their work, and this has to be encouraged with the right messages from the top. The attitude of "get away with whatever we can as long as it is within the rules" that appears to pervade the upper echelons of the public sector—in particular, politicians—does not bode well for getting juniors to remember not to leave their BlackBerry in the back of a taxi or on a seat in the local coffee shop.
These devices carry increasingly large amounts of data as well as potentially granting network access to further restricted services or applications. While the use of passwords, PINs and encryption should prevent the contents from being casually photographed from across the street—unlike plain paper documents—many users left to their own devices are pretty lax with their use of password and PIN protection, and even authenticated users will often allow anyone to inadvertently see the contents of their screens.
Of course systems and technology can be put in place to coerce or compel users into more secure practices. But we all know what happens if this is pushed too hard without any buy-in or user-acceptable automation. Forcing users to change passwords every month means they oscillate between two rather than constantly creating new ones; making them use complex random sequences means they will write them down; and mandating the use of numbers as well as letters will mean all too simple substitution (e.g. '3' for 'e'), and guess how difficult that is to crack with brute force?
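The substitution point can be made concrete from the defender's side. The following is an added illustration, not Quocirca's or the article's code: a password-policy check that undoes the common digit-for-letter swaps before comparing a candidate against a word list, alongside a count of how few extra strings such swaps actually add to an attacker's guess list. The substitution table and the word list are constructed for the example; a real deployment would use a full dictionary and breached-password list.

```python
"""Password-policy check that sees through simple character substitution.

Added example (not from the article): undo common digit/symbol-for-letter
substitutions, then check the result against a word list, and quantify how
little such substitution enlarges the guess space. The substitution table
and word list below are constructed for illustration.
"""

# Substitutions users commonly reach for when a policy demands digits or symbols.
SUBSTITUTIONS = {
    "3": "e", "1": "i", "0": "o", "4": "a",
    "5": "s", "7": "t", "@": "a", "$": "s",
}

# Constructed stand-in for a real dictionary / breached-password list.
WORDLIST = {"password", "welcome", "letmein", "summer", "secret"}

DIGITS = "0123456789"


def normalize(candidate: str) -> str:
    """Map substituted characters back to letters and lower-case the result."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in candidate).lower()


def is_dictionary_based(candidate: str, wordlist=WORDLIST) -> bool:
    """True if the candidate is a word-list entry once substitutions are
    undone, with or without a trailing run of digits (e.g. 'w3lcome1')."""
    return (normalize(candidate) in wordlist
            or normalize(candidate.rstrip(DIGITS)) in wordlist)


def substitution_variants(word: str) -> int:
    """Number of distinct strings reachable from `word` by optionally
    substituting each letter that has a digit/symbol form. This is the
    size of the extra guess list a substitution rule forces on an attacker."""
    reverse: dict[str, set[str]] = {}
    for sub, letter in SUBSTITUTIONS.items():
        reverse.setdefault(letter, set()).add(sub)
    count = 1
    for ch in word.lower():
        # each position: keep the letter, or pick one of its substitutes
        count *= 1 + len(reverse.get(ch, ()))
    return count


def naive_policy_accepts(candidate: str) -> bool:
    """The kind of surface rule the article criticises: length >= 8,
    at least one digit and at least one letter."""
    return (len(candidate) >= 8
            and any(c.isdigit() for c in candidate)
            and any(c.isalpha() for c in candidate))


def stronger_policy_accepts(candidate: str) -> bool:
    """Same surface rule, plus rejection of word-list entries in disguise."""
    return naive_policy_accepts(candidate) and not is_dictionary_based(candidate)


if __name__ == "__main__":
    for pw in ("P@55w0rd", "w3lcome1", "Tq8#vLm2z"):
        print(f"{pw:12} naive={naive_policy_accepts(pw)!s:5} "
              f"stronger={stronger_policy_accepts(pw)!s:5} "
              f"normalized={normalize(pw)}")
    print("variants of 'password':", substitution_variants("password"))
```

Running it shows that `P@55w0rd` satisfies the naive letters-plus-digits rule yet is rejected once substitutions are undone, and that the whole family of substituted spellings of `password` numbers only 54 strings, against roughly 2 x 10^14 for an eight-character random alphanumeric password. The design choice is to check what the user is likely to have done (disguise a word) rather than to pile on more composition rules, which is the article's point about buy-in.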
Even sophisticated security software does not fix the problem of hardware being mislaid, and if over-engineered may introduce layers of options that are difficult to implement and do little to create a positive user attitude. When a software vendor in the 1990s touted 256 possible levels of security, the vast majority of implementations consisted of only two—full on, or full off. Too much choice leads to complexity and problems, making it harder to explain to the workforce how they should operate.
Security strategy for information and devices on the move needs to be simple and consistent. Outside of the control of the workplace it is critical to encourage an attitude of physical care first: keep secret information from prying eyes and pay extra attention to small or vulnerable items. Technology can then be used to support good user behaviour as transparently as possible, and policy should be put in place and over-communicated to reinforce correct behaviours and punish poor ones.
Finally, this has to be driven and endorsed from the top, as senior managers (including senior politicians for the public sector) set the tone, which other employees will follow. The issue of dealing with information security on the move should be permanently in the back of everyone's mind, and not just brought to the forefront when a leak or breach occurs—or when one appears in the media.
Published by: IT Analysis Communications Ltd.