The modern enterprise is far more mobile than it used to be. Trends like Bring Your Own Device (BYOD) and Company Owned, Personally Enabled (COPE), hybrid working and enterprise mobility initiatives have been picking up pace, allowing mobile devices to access and interact with enterprise data systems like never before. According to Verizon, more than half (55%) of organizations have more mobile device users than they did 12 months ago, and Zimperium claims more than 70% of employees use smartphones for work-related tasks.
Mobile app sprawl is also exploding. The average smartphone user has about 80 apps installed and taps those icons 144 times daily. While this increased mobility and device connectivity has led to major productivity gains, it has also ushered in a range of mobile-related threats.
Five Major Mobile Threats Facing Organizations Today
In-depth research by Zimperium (PDF) identified the most dangerous mobile threats facing organizations today, including mobile phishing, side-loaded apps, and poor application vetting.
1. Mishing
Threat actors have evolved their phishing tactics to target phones over traditional devices (a.k.a. “mishing”). Zimperium’s research found that roughly 82% of phishing websites have content that’s specifically designed and formatted for mobile users. Moreover, due to the small screen size and lack of visual indicators (e.g., hidden URL bars), it’s difficult for ordinary users to identify phishing attempts. Attackers use multiple phishing vectors to target users, including email, SMS (smishing), voice (vishing), QR codes (quishing), social media, and malvertising.
In 2023, about one in four users clicked at least one phishing link every quarter.
2. Mobile Malware
When users visit harmful websites, download malicious software or install malicious apps, their devices become infected with such things as spyware, trojans, mobile ransomware and mobile banking malware. The malware can be programmed to monitor user activity, track user location, send unauthorized messages, steal sensitive data, and encrypt or erase data.
Researchers from Zscaler identified 200 malicious apps on the Google Play store that were downloaded 8 million times.
3. Side-loaded Apps
Sideloading refers to the process of installing mobile apps from sources that are outside official app stores. As personal and professional boundaries blur, sideloaded apps are increasingly surfacing on personal devices used for work. An estimated 18% of users engage in sideloading. Regulations like the Digital Markets Act will soon make sideloading more prominent.
Sideloading is a major contributor to malware risk: users who sideload are far more likely to be infected than those who do not.
4. Platform Vulnerabilities
In an ideal world, all mobile devices would run the latest patches and versions of operating systems and applications. Forbes reported 500 million outdated Android devices are susceptible to attacks. According to Jamf, around 40% of mobile users run devices with known weaknesses. Without receiving critical security patches and OS updates, mobile devices are open to exploitation by threat actors who profit from known vulnerabilities to gain unauthorized access, steal sensitive data, or deploy malware.
5. Poor Application Vetting
Enterprises are connected to devices that contain a mixed bag of in-house developed applications, third-party apps and personal use applications. Many of these applications make requests for location access and Bluetooth connections; they store data insecurely, communicate in a way that might leak data, are easy to reverse engineer, or use third-party code that is unsafe. If these applications are not vetted for security risks, the result may be a major security, privacy or compliance failure.
Why Enterprises Find Mobile Risk Hard To Handle
Using the same desktops and laptops for both work and play is nothing new. However, mobile phones present a different ball game. Every device has a unique risk posture: the end user, not the IT team, decides which applications are on the device; phones cannot be locked down without the user’s consent; and IT cannot force users to update the OS.
There is a virtually unlimited combination of device hardware and operating systems, which complicates cybersecurity efforts. Mobile phones are constantly exposed to a shifting environment of threats such as unsecure public Wi-Fi, malicious apps, phishing and malware. Many smartphone users avoid anti-virus protection and some avoid using passcodes. For these reasons and others, organizations find it difficult to assess, monitor and mitigate mobile risk.
How Can Organizations Deal With Mobile Security Risks?
While no silver bullet can apply to this problem, best practices that can help reduce mobile risk exposure include:
- Awareness, training and education: Double down on efforts to educate users on the very real risks associated with phishing attacks. Train them to recognize and report suspicious links, websites, texts and messages.
- Cybersecurity Tools: Deploy on-device cybersecurity systems (like mobile threat defense) which can help detect and block mobile malware, phishing URLs, and network threats in real-time. Use mobile device management tools that enable centralized control over app installations, security settings, and remote wiping of devices.
- Network Access Control: Block network access for unpatched, outdated and unsupported mobile devices and their operating systems.
- Stronger Authentication: Use phishing-resistant multi-factor authentication when accessing sensitive data and applications from mobile devices. This makes it more difficult for hackers to gain unauthorized access.
- Robust Application Vetting: Establish a vetting process to evaluate and approve installation of mobile applications. This includes assessing app permissions, user feedback and verifying the reputation of the app developer.
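As an added illustration (not from the original article or any vendor's product), the network access control and application vetting practices above can be combined into a single device posture check. The inventory schema, the thresholds and the app identifiers are assumptions constructed for this example.

```python
from datetime import date

# Assumed policy values for illustration; set them from your own risk appetite.
MAX_PATCH_AGE_DAYS = 90
MIN_OS_MAJOR = {"android": 13, "ios": 17}              # hypothetical support floor
SENSITIVE_PERMS = {"location", "bluetooth"}            # permissions the article names
VETTED_APPS = {"com.example.mail", "com.example.crm"}  # hypothetical approved list

def evaluate_device(dev, today):
    """Return (decision, reasons) for one inventory record (constructed schema)."""
    block, quarantine = [], []
    floor = MIN_OS_MAJOR.get(dev["platform"])
    if floor is None or dev["os_major"] < floor:
        block.append("unsupported OS version")
    age = (today - dev["security_patch"]).days
    if age > MAX_PATCH_AGE_DAYS:
        block.append(f"security patch is {age} days old")
    if not dev["passcode_set"]:
        block.append("no passcode set")
    for app in dev["apps"]:
        if app["source"] != "official_store":
            quarantine.append(f"sideloaded app {app['id']}")
        elif app["id"] not in VETTED_APPS:
            # Unvetted store apps are flagged only when they ask for sensitive access.
            risky = sorted(SENSITIVE_PERMS & set(app["perms"]))
            if risky:
                quarantine.append(f"unvetted app {app['id']} requests {risky}")
    if block:
        return "block", block + quarantine
    if quarantine:
        return "quarantine", quarantine
    return "allow", []

# Constructed sample records, not real inventory data.
TODAY = date(2024, 6, 1)
FLEET = {
    "phone-a": {"platform": "android", "os_major": 14, "passcode_set": True,
                "security_patch": date(2024, 5, 5), "apps": [
        {"id": "com.example.mail", "source": "official_store", "perms": ["location"]}]},
    "phone-b": {"platform": "android", "os_major": 11, "passcode_set": True,
                "security_patch": date(2023, 1, 1), "apps": []},
    "phone-c": {"platform": "ios", "os_major": 17, "passcode_set": True,
                "security_patch": date(2024, 5, 20), "apps": [
        {"id": "com.unknown.game", "source": "sideload", "perms": []},
        {"id": "com.example.flashlight", "source": "official_store",
         "perms": ["location", "camera"]}]},
}

def evaluate_fleet(fleet=FLEET, today=TODAY):
    return {name: evaluate_device(dev, today) for name, dev in fleet.items()}
```

Calling `evaluate_fleet()` on the sample records allows the patched phone, blocks the outdated one, and quarantines the device carrying a sideloaded app and an unvetted app that requests location access.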
Without a doubt, the future of work is mobile. Organizations that get serious about these risks and take proactive measures to safeguard data and protect users will not only reduce business risk but also boost trust and confidence in their employees, customers, business partners and investors.