By Adam Boynton
Mobile devices are critical to the daily operations of many businesses, which makes them a target for cybercriminals. However, the security standards of mobile devices continue to be poor. Adam Boynton explains the security weaknesses seen in mobile devices and how organisations can secure their mobile fleet.
Mobile devices now sit at the heart of enterprise productivity and growth. For many employees, the smartphone is their primary work device, the link to colleagues, systems, and customers. Entire industries would grind to a halt without them. Yet while companies have raced ahead with mobile-first strategies, the security underpinning these devices has too often lagged behind.
A recent report shows the consequences clearly: outdated software, rampant phishing, and widespread mobile misconfigurations are creating some of the most attractive attack surfaces in business today. The uncomfortable truth is that mobile security is rarely treated as a board-level issue. It should be.
The blind spot in enterprise security
The mindset around mobile devices remains contradictory. These tools are indispensable, but in many workplaces, they are still treated as accessories rather than strategic assets. Their consumer origins reinforce this perception. We carry the same device in our pocket that we use to approve a million-pound transaction.
This underestimation is dangerous. Smaller screens make phishing links harder to detect, shortened URLs obscure malicious domains, and the blend of personal and professional use lowers vigilance further. Employees multitask, approve prompts casually, and connect across unsecured networks.
In reality, mobiles are gateways to intellectual property, financial systems, and sensitive data. A compromise here can be as damaging as a breach through any server or laptop. What is missing is the cultural recognition that mobiles need governance and resilience, not just convenience.
Where attackers are striking
Threat actors have wasted no time exploiting these blind spots.
- Phishing remains the leading attack vector. Research found mobile phishing attempts are up to 50% more effective than desktop equivalents, exploiting both screen size and user behaviour. Over twelve months, we tracked nearly ten million phishing attempts across just 1.4 million devices. One in ten users clicked on a malicious link.
- Outdated operating systems are common. More than half of workplace devices run on vulnerable OS versions, with nearly a third of organisations operating at least one device with a critical, patchable flaw.
- Exploitable vulnerabilities are widespread. High-impact flaws like CVE-2025-43300, which allows remote code execution on iOS, are stark reminders that failing to patch can expose an entire enterprise to compromise.
- High-value targets are in play. Executives and policymakers remain prime targets for spyware that can silently capture emails, corporate messages, and even multi-factor authentication codes.
The sophistication of these threats varies. What makes them effective is not novelty but negligence. Fundamental protections too often go undone.
The compliance crunch
The risks extend far beyond downtime or data theft. Europe’s regulatory landscape is tightening. Frameworks such as DORA and NIS2 mandate resilience across all digital assets, and mobile endpoints are firmly included.
Unpatched devices, weak authentication, and casual security processes will not withstand regulatory scrutiny. Beyond penalties, they risk reputational damage and loss of customer trust.
Boards can no longer treat mobile security as a matter for IT alone. Regulators expect governance, accountability, and demonstrable resilience. The liability increasingly rests with leadership.
No silver bullet: why layered defence matters
There is no single product or control that can guarantee mobile security. Attackers often chain weaknesses. A phishing link opens the door, an outdated OS keeps it ajar, and a malicious app walks through it.
A layered approach is therefore essential:
- Patch relentlessly and prioritise vulnerabilities by context, not just severity.
- Deploy MDM to enforce updates, control configurations, and manage risk consistently.
- Enable MFA everywhere to make stolen credentials less useful.
- Block malicious domains and vet apps to disrupt phishing and fraudulent software.
- Encrypt data so sensitive information remains protected even if a device is compromised.
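The first two layers above, patching by context and using MDM inventory to drive it, can be turned into a simple triage. The following is an added example, not code from the article or any MDM vendor: it reads a constructed inventory export, flags devices below an assumed minimum OS version, and ranks them by exposure (executive role, access to financial systems, MFA not enforced) rather than by OS age alone. The minimum versions and inventory rows are placeholders.

```python
# Added example (not from the article): prioritise outdated mobile devices
# for patching by context, not severity alone. Inventory rows and minimum
# versions are constructed placeholders standing in for an MDM export.

# Assumed minimum patched OS version per platform (placeholder values).
MIN_OS = {"ios": (18, 6, 2), "android": (15, 0, 0)}

# Constructed inventory: the fields an MDM export might carry.
INVENTORY = [
    {"id": "d1", "platform": "ios", "os": "18.6.2", "role": "executive", "mfa": True, "finance": True},
    {"id": "d2", "platform": "ios", "os": "17.5.1", "role": "executive", "mfa": False, "finance": True},
    {"id": "d3", "platform": "android", "os": "14.0.0", "role": "staff", "mfa": True, "finance": False},
    {"id": "d4", "platform": "android", "os": "15.0.0", "role": "staff", "mfa": True, "finance": True},
]


def parse_version(s):
    """'18.6.2' -> (18, 6, 2); missing components are padded with 0."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_outdated(device):
    """True when the device OS is below the assumed minimum for its platform."""
    return parse_version(device["os"]) < MIN_OS[device["platform"]]


def risk_score(device):
    """Context-weighted priority: an outdated OS is the baseline, exposure adds to it."""
    if not is_outdated(device):
        return 0
    score = 1  # vulnerable OS version
    score += 3 if device["role"] == "executive" else 0  # high-value target
    score += 2 if device["finance"] else 0  # reaches financial systems
    score += 2 if not device["mfa"] else 0  # stolen credentials fully usable
    return score


def patch_queue(inventory):
    """Return [(device_id, score)] for outdated devices, highest priority first."""
    scored = [(d["id"], risk_score(d)) for d in inventory if is_outdated(d)]
    return sorted(scored, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for dev_id, score in patch_queue(INVENTORY):
        print(f"{dev_id}: patch priority {score}")
```

With the constructed data, the executive device without MFA and with finance access ranks first even though a second device also runs an unpatched OS.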
Technology is only one layer. Employee behaviour is equally critical. Casual clicks and delayed updates undermine the strongest controls. Security awareness and cultural change must sit alongside technical safeguards.
Culture, governance, and resilience
Closing the mobile security gap requires both cultural alignment and corporate governance. That means:
- Awareness campaigns that make phishing and social engineering visible risks, not abstract concepts.
- Training that equips employees to recognise warning signs and act responsibly.
- Leadership that treats mobile security with the same seriousness as audits or compliance reviews.
Education and enforcement must move in lockstep. One without the other is insufficient.
A boardroom priority
Mobile devices are now inseparable from how organisations operate, innovate, and grow. They are also prime entry points for attackers. What determines outcomes is not whether mobile will be targeted, but whether businesses have taken the right steps to prepare.
Boards must treat mobile security as a governance issue, not a technical afterthought. By embedding layered defences, cultural awareness, and executive accountability, enterprises can transform mobility from an overlooked liability into a resilient, well-managed asset.
The message is clear: if mobile drives your business, it must also drive your security strategy.