"Businesses aren’t taking it seriously": Why attackers love phones more than laptops
"This issue isn’t about complexity. It’s about failing to do the basics and leaving the door wide open."
Like the proverbial rat in London, you’re never more than a few feet away from a mobile device in the workplace.
But as the usage of phones and other gadgets has surged, protections around them have fallen behind.
Too often, mobile security is treated as an afterthought compared with desktops or servers, leaving attackers with a relatively easy way into an organisation's network.
How can organisations lock down this growing attack vector?
To find out, we spoke to Adam Boynton, Senior Security Strategy Manager at Jamf, who told us why mobile is proving so attractive to attackers, how poor cyber hygiene continues to fuel the problem and what steps businesses can take to regain the upper hand.
Is mobile a ticking time bomb for businesses?
It’s fair to say that mobile is one of the easiest ways into an organisation right now, and a lot of businesses aren’t taking it seriously. The issue is that mobile use has absolutely exploded, but policies and mindsets haven’t really kept pace.
A few years ago, mobile was seen as a companion to laptop and desktop devices. You might fire off a few emails on the train, but it was usually a nice-to-have. Now, mobile is essential. In fact, in many industries – retail checkouts, healthcare records, logistics – mobile is the first and often only device employees rely on.
But it’s also common to find these devices receiving less attention than traditional endpoints. We routinely see that mobile devices have weaker security management than their desktop counterparts, and users are typically more casual and less careful.
And the cybercriminal gangs are very much aware of this. We saw nearly ten million phishing attempts against a sample of 1.4 million mobile devices in just a single year, with one in ten users clicking a malicious link. With those odds, a breach is only a matter of time.
Is cyber hygiene getting worse and why?
Unfortunately, it seems to be the case. We’re seeing some fairly widespread cracks in the foundational security basics, with security patching being a particular weakness.
Mobile operators push regular security updates, sometimes multiple times a month, yet many devices go unpatched for weeks or even many months.
Our data shows that more than half of all mobile devices used for work are running a vulnerable operating system, and almost a third of organisations have at least one device with a patchable, critical flaw. Around 4.8% of Android devices with known flaws were still allowed to access company resources.
READ MORE: Europe's energy systems are frighteningly vulnerable to Russian hybrid attack, EU warns
Sometimes these delays are because organisations often delay updates because they need to test business apps or because they’re managing such a diverse fleet of devices. But whatever the reasoning, these delays create windows of opportunity that attackers are quick to exploit.
They don’t even need to burn a new zero-day exploit while so many devices are running with old and easily accessible vulnerabilities.
This hygiene issue isn’t about complexity. It’s about failing to do the basics consistently – and that’s what leaves the door wide open.
How does the psychological divide between mobile and desktop influence perceptions of security?
One of the biggest challenges we see is how differently people treat their devices. When working on a laptop, most of us are cautious: we hover over links, check file types before downloading, and second-guess anything that feels unusual. On a mobile, that caution often disappears.
It may be partly a matter of familiarity – we’re all using smartphones and tablets constantly in our personal lives, so work devices can just feel like an extension of this.
On a practical level, the smaller screens make it harder to spot suspicious details, and often, multitasking with divided attention, especially if we’re on the move. That’s when attackers strike.
It’s a huge advantage for attackers using phishing tactics, and we saw around 25% of businesses suffering a social engineering attack over mobile in the course of a year. Attackers lean into brand familiarity – faking messages from Amazon, Outlook, DHL, Netflix or WhatsApp – because they know mobiles blur the line between personal and work use. People trust their phones implicitly, and that trust is exactly what attackers exploit.
This divide has created an odd situation where mobile is seen as personal, casual and somehow safer, when in reality it’s now the most targeted endpoint.
Why is there no one-stop shop or tool to prevent you from becoming a victim?
Because mobile threats come at you from every angle. The attackers don’t just rely on one technique – they use phishing messages, exploit unpatched software, sneak malicious apps into app stores, or push spyware at high-profile targets.
Even the most secure platforms can’t close off every avenue. For example, the EU’s Digital Markets Act now allows alternative app stores, which grants more freedom but also opens the door to apps that haven’t been through the same security checks as those on official app stores
That’s why mobile security can’t be solved with a single product or switch. Instead, we need multiple layers of defence.
READ MORE: "We need agreed guidelines": How to prevent AI tools from causing harm
That means patching devices quickly to close known gaps, blocking malicious domains to disrupt phishing campaigns, and applying multi-factor authentication and encryption to protect accounts and communications.
It also means vetting apps carefully and restricting sideloading, while using mobile device management tools to enforce compliance before a device can connect to sensitive systems.
Education is also extremely important here. If users really understood how at-risk their mobiles are, they will be more likely to use caution and follow the right processes instead of looking for shortcuts.
Are the bad guys winning and do the good guys have a chance?
Attackers are certainly resourceful. While many attacks are simply exploiting known exploits, around 2% of the 10 million attacks we tracked involved zero-days. Add to that the growth of spyware, with Apple sending threat notifications to users in more than 150 countries last year, and it’s clear the bad guys are not short on resources or opportunities.
But that doesn’t mean the defenders are doomed.
The good guys win by getting the fundamentals right. Most attackers are opportunists thriving on neglected basics, not brilliance. If we raise our standards and embed mobile into the core of our security strategy, businesses can absolutely turn the tide and cut off the vast majority of attacks.
A layered defence that includes consistent user education, device management, and effective patching hygiene will ensure that threat actors face multiple barriers to entry and can’t count on mobile leaving the door open.
