
Josh Stein at Jamf explains why mobile is the new blind spot in enterprise security
Very few businesses can get by without mobile devices today. From retailers providing mobile POS to clinicians updating patient records and engineers managing critical infrastructure, smartphones and tablets are integral to daily workflows everywhere you look. And that’s without even counting all the people checking their emails on their phones.
Yet despite their ubiquity, they remain the most overlooked security risk in many organisations.
While desktops, servers and cloud environments are subject to stringent protections, mobile endpoints are often left to chance, either assumed to be secure by default or treated as low-priority risks. This assumption is dangerously outdated. With mobile devices now frontline assets in any enterprise, they must be secured as such.
Mobile devices have long since stopped being auxiliary tools or ‘nice to have’ assets - they’re central to operations in nearly every sector. From standard smartphones to specialist devices, mobile endpoints keep workflows moving.
And just like any high-value asset, they attract attention from cyber-criminals looking for ways to breach and disrupt their victims. More than 33.8 million mobile-specific attacks were recorded globally in just one year, and all signs point to this number continuing to rise.
These aren’t incidental threats: smishing (SMS phishing), spyware, adware and malicious app-based payloads are explicitly designed to evade mobile defences and exploit user behaviour.
Yet many organisations still fail to see mobile devices as legitimate attack surfaces. This blind spot is precisely what makes them so attractive to attackers - offering high access, low visibility.
Part of the problem is cultural. In most enterprises, security protocols are built around traditional infrastructure such as servers, desktops, and managed networks. Mobile often sits awkwardly outside this framework, frequently perceived as either too personal or too peripheral to matter.
This creates a dangerous double standard. Most personnel are cautious on their laptops - suspicious of unknown links, hesitant with downloads. But when these same wary workers take out their mobiles, they’re far more relaxed. The interface is familiar, the boundaries blur, and the risks are misjudged. This mindset encourages complacency, and attackers know it.
Organisations unintentionally reinforce this by failing to enforce equivalent controls on mobile. There’s rarely the same rigour in patching, monitoring, or credential hygiene. And so mobile becomes the endpoint everyone forgot - a gap in the armour that grows wider with every new device added to the network.
Threat actors have been quick to take advantage of the lower standards of mobile security hygiene. Many groups are deploying tactics specifically tailored to exploit the awareness gap and facilitate a breach.
The more casual atmosphere surrounding mobile use creates an ideal environment for social engineering, and phishing is one of the most prevalent issues. Malicious messages on mobile are harder to spot, with short URLs, no hover previews, and minimal visual cues. Smishing messages, meanwhile, bypass typical email filters and prey on urgency and trust. Users inherently feel safe on their phones and are more likely to respond quickly, especially outside work hours, and attackers are capitalising on this immediacy.
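As an added illustration of the cues this paragraph describes (not code from the article or from Jamf), the following script triages SMS text for three of them: a link that goes through a URL shortener, urgency language, and a brand name in the message whose link does not resolve to that brand's domain. The shortener list is a small hypothetical sample, and the brand-to-domain table and the messages are constructed for the example.

```python
"""Heuristic smishing triage for SMS text (added example, not from the article).
Shortener list, urgency terms, brand table and sample messages are constructed."""
import re
from urllib.parse import urlparse

# Hosts that hide the real destination behind a short link (sample list, assumption).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Phrases that push the reader to act before thinking.
URGENCY_TERMS = ("immediately", "urgent", "suspended", "within 24 hours", "act now", "verify now")
# Brand name as it appears in text -> the domain it legitimately uses (constructed).
BRAND_DOMAINS = {"examplebank": "examplebank.com", "parcelco": "parcelco.example"}

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


def triage(message: str):
    """Return (verdict, reasons) for one SMS message.

    verdict is 'ok', 'review' or 'suspicious'; reasons lists every cue that fired."""
    text = message.lower()
    reasons = []
    for url in URL_RE.findall(message):
        host = (urlparse(url).hostname or "").lower()
        if host in URL_SHORTENERS:
            reasons.append(f"shortened_link:{host}")
        # A message that names a brand but links elsewhere is a classic lure.
        for brand, legit in BRAND_DOMAINS.items():
            if brand in text and host != legit and not host.endswith("." + legit):
                reasons.append(f"brand_domain_mismatch:{brand}->{host}")
    for term in URGENCY_TERMS:
        if term in text:
            reasons.append(f"urgency:{term}")
    if len(reasons) >= 2:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, reasons


# Constructed sample messages: one lure, one legitimate notification, one unrelated text.
SAMPLE_MESSAGES = [
    "ExampleBank: your account is suspended. Verify now at https://bit.ly/abc123",
    "Your ParcelCo delivery is scheduled for tomorrow. Track: https://track.parcelco.example/123",
    "Reminder: team lunch at noon",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = triage(msg)
        print(f"{verdict:10} {reasons}  <- {msg}")
```

The scoring is deliberately simple: each cue counts once, and two or more cues mark a message for user warning or security-team review. In practice the brand table would come from the organisation's own list of services employees are expected to hear from.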
Meanwhile, technical vulnerabilities such as outdated OS versions, unpatched apps, and a lack of MFA persist at scale. In bring-your-own-device (BYOD) environments, visibility is even lower. Mobile endpoints often connect to the same systems as laptops, but with fewer checks, less control, and more assumptions. That makes them the softest target in the enterprise, and the easiest way in.
The good news is this gap can be closed — but only if mobile is treated as equal, not exceptional.
That means enforcing the foundations of good security hygiene first, including up-to-date software, managed configurations, and proper credential policies. Mobile device management (MDM) or unified endpoint management (UEM) platforms can help establish the centralised control needed to push patches, whitelist apps, encrypt data, and enforce compliance. This can cover the entire mobile fleet, including both corporate-issued devices and BYOD.
Credential hygiene must also be standardised, as weak or reused passwords and the absence of MFA remain common mobile risks. Security teams should treat mobile identity management with the same seriousness as they do for desktop logins and VPN access.
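The two paragraphs above list the controls an MDM/UEM platform applies across a fleet: minimum OS version, approved apps, encryption, and MFA enrolment for both corporate and BYOD devices. The script below is an added example (not Jamf's product code or the article's own) of the compliance evaluation behind such a policy. The policy thresholds, app names and device records are constructed for illustration, and the access decision at the end shows the conditional-access outcome a gateway could act on.

```python
"""Fleet compliance evaluation in the style of an MDM/UEM policy check
(added example; policy values, app names and device records are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str              # "corporate" or "byod"
    os_version: tuple           # e.g. (17, 4); tuples compare element-wise
    disk_encrypted: bool
    mfa_enrolled: bool
    installed_apps: set = field(default_factory=set)


# Constructed policy: the same bar applies to corporate-issued and BYOD devices.
POLICY = {
    "min_os_version": (17, 2),
    "allowed_apps": {"mail", "calendar", "vpn-client", "auth-app"},
    "require_encryption": True,
    "require_mfa": True,
}

# Findings that must block access until fixed; anything else only warns.
BLOCKING = {"os_outdated", "unencrypted", "mfa_missing"}


def evaluate(device: Device, policy=POLICY):
    """Return the list of policy findings for one device (empty means compliant)."""
    findings = []
    if device.os_version < policy["min_os_version"]:
        findings.append("os_outdated")
    if policy["require_encryption"] and not device.disk_encrypted:
        findings.append("unencrypted")
    if policy["require_mfa"] and not device.mfa_enrolled:
        findings.append("mfa_missing")
    unapproved = device.installed_apps - policy["allowed_apps"]
    if unapproved:
        findings.append("unapproved_apps:" + ",".join(sorted(unapproved)))
    return findings


def access_decision(findings):
    """Map findings to a conditional-access outcome: allow, warn or deny."""
    if any(f in BLOCKING for f in findings):
        return "deny"
    return "warn" if findings else "allow"


def fleet_report(devices, policy=POLICY):
    """Evaluate every device; returns {device_id: (decision, findings)}."""
    return {d.device_id: (access_decision(evaluate(d, policy)), evaluate(d, policy))
            for d in devices}


# Constructed sample fleet: one compliant, one BYOD phone behind on patches and MFA,
# one corporate device with a sideloaded app.
SAMPLE_FLEET = [
    Device("corp-001", "alice", "corporate", (17, 4), True, True, {"mail", "calendar", "vpn-client"}),
    Device("byod-002", "bob", "byod", (16, 7), True, False, {"mail", "auth-app"}),
    Device("corp-003", "carol", "corporate", (17, 3), True, True, {"mail", "sideloaded-game"}),
]

if __name__ == "__main__":
    for device_id, (decision, findings) in fleet_report(SAMPLE_FLEET).items():
        print(f"{device_id}: {decision:5} {findings}")
```

The point of the example is the symmetry the article argues for: the BYOD device is judged against exactly the same thresholds as the corporate ones, and missing MFA is a blocking finding on a phone just as it would be for a VPN login.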
Finally, education is crucial. Employees need to understand how mobile phishing works, why app permissions matter, and how to spot signs of compromise. Cyber-hygiene doesn’t just come from a tech toolkit; it must also be user habit. But it won’t take root unless organisations signal that mobile security is non-negotiable.
The biggest risk in mobile security is not malware, phishing, or spyware. It’s the assumption that these devices don’t need the same level of protection as other endpoints. That assumption persists in too many boardrooms, budgets, and risk strategies.
From security strategies to individual users, everyone must stop thinking of mobile devices as optional extras. They are core access points to sensitive systems and data, and the fact that they don’t sit on a desk doesn’t mean they’re not in the network. If they’re not secured, they’re not just vulnerable — they’re already a liability.
Josh Stein is VP Product Strategy, Security at Jamf
Main image courtesy of iStockPhoto.com and Tero Vesalainen
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543