Howard Schmidt

Hackers to concentrate on moving targets

Renowned security guru Howard Schmidt says more must be done to bolster mobile defences

Written by David Neal

In a long and illustrious career in both the public and private sectors, Howard Schmidt has earned a reputation for being one of the world’s foremost authorities on computer security.

Schmidt first made a name for himself as an expert in computer crime while working for the FBI. As head of the Bureau’s Computer Exploitation Team, he gained recognition as a pioneer in computer forensics and computer evidence collection. Next he headed up the US Air Force’s Computer Forensic Lab and Computer Crime and Information Warfare Division.

His involvement with national security continued with his appointment in December 2001 as the vice chair of the President’s Critical Infrastructure Protection Board and as the Special Adviser for Cyberspace Security for the White House.

Schmidt has also worked in the private sector. He served as chief information security officer at online auction giant eBay, and as chief security officer for Microsoft, where his duties included forming and directing the Trustworthy Computing Security Strategies Group.

Today, Schmidt divides his time between his role as chief executive of R&H Security Consulting, delivering keynotes and writing. One of his main messages is that the IT industry has to take more responsibility for security. “We have a huge dependency on applications these days, and our expectation is that the suppliers will do more to secure them,” he said. “Or, you can look at the infrastructure that we use, and ask, ‘Why don’t the ISPs just block infections, or bad networks?’.”

But while vendors and service providers have a responsibility to provide security, this does not get users off the hook. “As consumers we have to do things to be better protected. We have to follow through on the work being done by the vendors, and the applications,” he said.

Schmidt said he has been impressed by the steps the industry has taken to combat online threats. “Look at phishing, for example. I have multiple email accounts, but phishing mails only ever end up in my spam folder, not my inbox. Should one get through and I click on the link, I am presented with a warning, and then, should I ignore that, it is likely that my browser will block my access anyway,” he said.

But the threat landscape is constantly changing, Schmidt warned, with mobile applications likely to be the next prime target for hackers. “I don’t carry a laptop around much anymore, but I do carry two mobile devices. Companies are releasing SDKs for developers to use so there are lots of mobile applications out there, but this also means that there are lots of applications for the bad guys to exploit. I don’t know if the industry has put much focus on protecting them,” Schmidt said.

Another problem he has with mobile devices relates to the increasing amount of storage they offer. As business users have come to rely on these devices more and more, so the amount of potentially sensitive data stored on them has increased. “What do you do about encrypting that?” he asked. “Very few manufacturers make software protection for mobiles.”

Schmidt believes organisations are far too reliant on patching to secure their systems, a situation that he feels simply cannot be allowed to continue for much longer. “Patching is frustrating, but as we get better at secure coding the need to do this will become less. But now, we have to work in a much more reactive way, applying fixes as and when they are released. Often it can cost more to run a software solution than it does to buy it. We need to be looking forward. Looking for ways to prevent things from happening in the first place, not after they become an issue,” he said.

Asked whether new regulations such as a breach notification law would help to improve standards of system security, Schmidt agreed, up to a point. “Breach notifications would be of benefit, but the requirement must be consistent. In the US, individual states make their own [rules] and there is a lot of complexity, which makes things difficult to manage,” he said.

But for Schmidt, the one sure-fire way to minimise online threats is the adoption of two-factor authentication, a form of logging on that requires both a password and some form of physical token.

“I said two years ago that passwords and logins should have been declared dead already. People use the same password with their bank and their email accounts, despite the fact that these may not be as secure as each other. [If bad guys get hold of a password] they will try them against all of your accounts,” he said. “If we move away from the log-in/password method a lot of the low-hanging attacks would be reduced.”
