Imagine the president at a cabinet meeting or an executive at a board meeting putting his mobile device down on the conference table and not being aware that every word is being heard, at least as long as the perpetrator doesn't say something like "Can you speak up?"
The security experts InfoWorld consulted say that many senior execs -- not just President-Elect Obama -- should be very cautious about when they use their BlackBerrys, at least until better wireless and device security is available. Perhaps they should just give them up, suggests Core Security's Kellerman: "Is it that important to use your 'CrackBerrys' when you know you can't maintain the ultimate control of that device?"
"Mobility is a double-edged sword that most executives don't want to acknowledge. There is a culture of deniability," adds Yoran.
Risks beyond mobile: Crossing national boundaries or using the cloud
Dunkelberger says you should accept that fact that if you are sending data across national boundaries -- such as designing products in one country and building it in another -- governments and competitors can read the proprietary data you may be sending back and forth unless you are using point-to-point encryption. This is true for desktop and wired communication -- not just for wireless or mobile devices.
The increasingly popular cloud-computing option is also risky, Dunkelberger says. The technology is a boon to de-perimeterized executives who want to access corporate applications outside the firewall, but that means sensitive data also lives outside the firewall, beyond your control. If your company uses SaaS (software as a service) or other cloud-type offering, you should ask the service provider how it secures its applications when federated across 50 different systems, Dunkelberger advises. "Do not put [intellectual property] on a SaaS service," he warns.
Traditional Web security products and services filter URLs and can inspect malicious files on downloadable objects. However, now more often Web sites are streaming AJAX-based and other Web applications that launch without user interaction. Most security software checks the file only after it has been downloaded; such software does not protect against malicious code running in the cloud.
"Security professionals should look at security in the cloud and specifically Web security in the cloud, which is critical to being able to protect users on the Web when they leave the office perimeter and access the Web in hotels, airports, at home, or in the office on laptop and mobile device," says Paul Judge, CTO at Purewire, a Web SaaS company.