A decade ago, mobile devices were peripheral to business operations. Today, they're often central. Email, collaboration tools, business applications, two-factor authentication—much of work now happens on phones and tablets. Yet mobile security often receives less attention than traditional endpoint security.

The Shift to Mobile

The smartphone in your pocket likely has access to more business information than a desktop computer would have had a generation ago. This shift happened gradually, but its security implications are significant:

  • Devices travel everywhere, including unsecured locations
  • Personal and work activities often mix on the same device
  • The attack surface extends beyond the office network
  • Loss or theft has immediate data implications

We explored some of the personal device considerations in our article on using personal devices for work.

The BYOD Reality

Many small and medium-sized businesses operate with "bring your own device" arrangements, whether formally or informally. Employees use personal phones for work email, access business apps, and store work files—often without explicit policies governing these practices.

This creates a complex situation: the organization has limited control over devices that access organizational data. Personal devices may lack security controls, run outdated software, or be shared with family members.

Common Mobile Threats

Phishing on Small Screens

Mobile phishing presents particular challenges. Smaller screens make it harder to verify URLs. Email apps may hide sender details. The quick, on-the-go nature of mobile use encourages faster, less careful responses.

We covered phishing fundamentals in our piece on identifying phishing attempts.

Malicious Apps

While official app stores provide some curation, malicious apps still occasionally slip through. More commonly, apps may be legitimate but request excessive permissions, collecting more data than users realize.

We discussed some of these concerns in our article on what business apps reveal.

Network Exposure

Mobile devices connect to various networks throughout the day—home Wi-Fi, coffee shop networks, hotel connections, cellular data. Each presents different security characteristics. Public Wi-Fi in particular creates opportunities for traffic interception.

We explored Wi-Fi security considerations in our piece on public Wi-Fi safety.

Physical Loss

Phones get lost or stolen. A device containing access to email, business apps, and authentication tokens represents significant exposure if it falls into the wrong hands—particularly if not properly secured.

The Authentication Role

Mobile devices now often serve as the second factor in multi-factor authentication. This is generally positive for security, but creates a dependency: if the device is compromised, the second factor may be too.

More sophisticated attacks now specifically target authentication apps and SMS codes. The same device that provides access may receive the codes meant to protect that access.

We discussed MFA considerations in our article on understanding multi-factor authentication.

Platform Differences

iOS and Android take different approaches to security, with implications for business use:

  • iOS maintains tighter control over the app ecosystem and device management
  • Android offers more flexibility, but security updates vary more across manufacturers
  • Both platforms have improved significantly in recent years
  • Older devices on either platform may lack current security features

We touched on some Apple-specific considerations in our article on voice assistant privacy.

The Update Problem

Mobile operating systems and apps receive frequent security updates. But unlike managed corporate computers, personal devices depend on users to install updates—and many users delay or ignore them.

The result is that some devices accessing business resources may be running outdated software with known vulnerabilities.

Location and Tracking

Mobile devices know where they are. This location data can be valuable for business purposes but also represents sensitive information. How this data is collected, used, and protected varies widely by app and platform.

We explored location tracking in our piece on how apps track location.

Thinking Through Mobile Risk

For business owners, mobile security isn't necessarily about implementing complex technical controls. It starts with understanding the landscape:

  • What business information is accessible from mobile devices?
  • What devices are being used, and who owns them?
  • What happens if a device is lost or an employee leaves?
  • How are apps and access managed across mobile devices?

Awareness of these questions helps inform decisions about risk tolerance and potential controls.


This article is intended for informational purposes only and does not constitute professional security advice. Organizations should consult with qualified professionals to assess their specific situation.