One reason for mobile's higher risk has to do with the stability of the desktop environment versus the ever-changing designs of mobile devices, says John Pescatore, a senior security analyst with Gartner and a former member of the Secret Service. The hardware for the PC hasn't really changed much in 20 years, so security experts have had the time they needed to develop systems that are highly secure. At many businesses, the only platform that security administrators have to worry about is a Windows-based PC, and having just one platform to focus on makes it much easier to manage potential threats, he notes. By comparison, the vast majority of mobile devices have unique, proprietary hardware platforms and their own set of operating systems.
In the mobile world, "the BlackBerry and the iPhone are the closest examples we have to a controlled platform," Pescatore notes. That control is good, he adds: "RIM and Apple build both the hardware and software, making them the most secure handheld platforms."
Pescatore says the RIM BlackBerry is the safest device to use for e-mail, as long as you also deploy strict policies with encryption of mail over the air. He also said while the iPhone isn't yet as secure as the BlackBerry, it could be made just as secure if Apple chooses to make it so.
But even with the BlackBerry's and iPhone's advantages, several security experts aren't sanguine about the use of handhelds to carry sensitive data.
Encryption, or lack of it, is perhaps one of the main reasons mobile devices have what PGP's Dunkelberger calls a "higher threat ratio" than desktops. Most information sent in an IM, for example, is in the clear, unless point-to-point encryption is used.
Dan Hoffman, CTO of security vendor SMobile Systems, says that if he is given access to a mobile device, perhaps left behind in a hotel room or at a meeting, he can pull data off that device in about 34 seconds and at the same time install Trojan malware.
One such hacker tool, called CSI (Cell Seizure Instigator), automatically downloads everything on the device. It is legal and can be purchased on the Internet for about $200.
Another mobile spy tool out of Bangkok, called FlexiSpy, can do a lot more than monitor cheating spouses, which is what it is marketed for. Once installed on a mobile device, FlexiSpy can intercept every e-mail and SMS message, track where a person is, and -- most dramatic of all -- listen to conversations without the user ever being able to detect that the microphone is turned on, says Hoffman.
Imagine the president at a cabinet meeting or an executive at a board meeting putting his mobile device down on the conference table and not being aware that every word is being heard, at least as long as the perpetrator doesn't say something like "Can you speak up?"
The security experts InfoWorld consulted say that many senior execs -- not just President-Elect Obama -- should be very cautious about when they use their BlackBerrys, at least until better wireless and device security is available. Perhaps they should just give them up, suggests Core Security's Kellerman: "Is it that important to use your 'CrackBerrys' when you know you can't maintain the ultimate control of that device?"
"Mobility is a double-edged sword that most executives don't want to acknowledge. There is a culture of deniability," adds Yoran.