November 12, 2025
Human Risk Multiplier: How Mobile Devices Expand Enterprise Attack Surfaces


Modern businesses are more reliant on mobile devices than ever before. Employees need smartphones and tablets for communication, productivity, and even security authentication. As remote and hybrid work setups become more common, mobile technology is necessary for keeping workers connected to their organizations. At the same time, these devices expose a weak link in the cybersecurity chain: the human layer.
We treat our mobile devices as extensions of ourselves, carrying them with us at all times and consulting them anytime we have a minute or two to spare. Not only do we trust almost every notification, message, and request that comes our way, but we also tend to respond to them as quickly as possible. Threat actors are well aware of this.
Protecting an organization means protecting its mobile devices that access its proprietary data. With an AI-powered, mobile-forward endpoint detection and response (EDR) solution, smartphones and tablets can be productivity tools without also being cybersecurity risks.
The evolution of mobile risks
Threat actors used to rely on “spray and pray” methods, sending generic phishing messages to every member of an organization in the hopes that one or two people would fall for the ruse. A trained employee can identify these scams by the careless typos in the text and the obvious character swaps in the URLs. Still, 77% of organizations have experienced an attack in the past six months.
But phishing techniques have evolved. Instead of sending sloppy, generic emails, threat actors can use powerful generative artificial intelligence (GenAI) tools to create convincing messages. While most cybersecurity professionals acknowledge the risk of AI-powered social engineering, only 33% of organizations currently have a plan to offer training on the topic.
In addition to email, mobile devices provide threat actors with other avenues of attack:
- Short Message Service (SMS) phishing, or smishing, targets users via text messages. Texting tends to get less scrutiny and faster responses than email.
- Voice phishing, or vishing, happens via phone calls. Threat actors can impersonate trusted colleagues or institutions, then wheedle information out of targets in real time.
- Executive impersonation, also called CEO fraud or whaling, is a form of phishing where a threat actor pretends to be a high-ranking official in the target’s organization. They coerce victims into giving up sensitive information under threat of punishment.
Defending mobile devices
Mobile devices are especially tricky to defend in a professional setting. Many organizations, especially those with hybrid workforces, offer bring-your-own-device (BYOD) policies, which allow employees to use their personal smartphones and tablets for work. While that’s convenient for employees, texting, online messaging, social media, and email apps represent ideal vectors for social engineering, and a compromised device is a rich source of sensitive data, both locally and in the cloud.
To protect both employees and information, organizations need visibility into the devices, apps, and communications in their mobile fleet. At the same time, privacy is important. No one wants an IT administrator to have access to every website they’ve visited or message they’ve sent. It’s a classic situation of balancing what employees want with what the organization needs.
Many organizations already have EDR tools and strategies in place to manage endpoints like laptops, desktops, and servers. However, given the radical difference in architecture between traditional and mobile devices, dedicated mobile EDR solutions are necessary to gain the security and visibility required.
These tools analyze device activity, with a focus on mobile-focused malware, credential theft, social engineering, and abnormal communication patterns. The best of these solutions lean on AI-powered algorithms connected to a large database of known and emerging malicious apps and hosts to provide real-time alerts, allowing security teams to respond to potential intrusion attempts before they spread.
The very nature of BYOD policies all but ensures an amorphous threat landscape. Implementing a mobile EDR solution allows you to keep your organization’s network safe, even if you can’t personally lock down every single device your employees use. Round out your security infrastructure with enhanced training sessions that inform employees of the shifting nature of phishing, smishing, and other social engineering attacks, and give them best practices on how to detect and notify your team of potential attacks. This one-two punch will offer the best defense against the evolving mobile threat landscape.
The future of enterprise-level attacks
Over the past year, threat actors have been shifting toward using mobile devices as an initial foothold for a broader attack on enterprise infrastructure, similar to the high-profile intrusions at MGM and Caesars casinos in Las Vegas, Google, and Cisco. The need for an always-connected workforce means mobile device use is only going to expand, and threat actors will continue to see it as fertile ground for attack well into the future.
The only way CISOs can keep up with this growing attack surface and protect against more sophisticated social engineering attempts is through the implementation of an AI-first mobile EDR solution. Upgrading the security stack with a mobile-forward approach that offers real-time visibility into an array of smart devices is an essential step toward safeguarding an organization’s front lines, reducing the risk of human error by cutting off the potential for intrusion right at the root.

