Mike Rosen is the Chief Information Security Officer (CISO) at iVerify.
Mobile security has long been an afterthought in enterprise environments. While we’ve invested heavily in protecting workstations, networks and cloud infrastructure, mobile devices—despite functioning as fully capable remote workstations—have often been left out of the equation.
That’s no longer sustainable. In 2025, we’re facing a perfect security storm. AI-powered mobile features are reshaping how employees work and how attackers operate, mobile spyware and phishing attacks are growing more sophisticated and more targeted, and new regulations are putting mobile data protection in the spotlight.
As a CISO, I’ve seen how quickly mobile threats can escalate from theoretical to operational risk. The time to rethink how we secure mobile devices for enterprise environments isn’t tomorrow; it’s now!
Mobile Devices: The Most Overlooked Risk Surface
Mobility is deeply embedded in the way we work. Bring-your-own-device (BYOD), hybrid work environments and cloud-first platforms have made mobile devices essential to everyday operations. Today’s phones and tablets are equivalent in processing power to desktops/laptops, and they frequently access sensitive data, such as internal networks, financials and intellectual property.
With power, however, comes risk. Emerging AI integrations blur the lines between convenience and exposure. These tools can access email, documents, messages and more, all in the name of productivity. But in the wrong hands, or used without the right guardrails, they create serious vulnerabilities for enterprises, including:
• Unintentional Data Exposure: AI assistants may process or store sensitive corporate data beyond enterprise control.
• Expanded Attack Surfaces: Integrated apps and cloud services offer more entry points for malicious actors.
• Blind Spots For IT Teams: Mobile activity often falls outside the reach of traditional security tools and policies.
Spyware And Mobile Phishing: The Quiet Surge
In the past year, we’ve seen a sharp increase in mobile-specific threats, particularly spyware and phishing campaigns, aimed squarely at executives and other high-value targets. Based on thousands of new scans analyzed, Pegasus is not just a civil society problem; it’s appearing in the business world. These new detections have mostly targeted executives, who have access to future business dealings, financial data and influential professional networks.
As these victims improve their mobile security posture to address these rising threats, bad actors will look to move further down the chain to get a foothold—like we’ve seen with email phishing that targets everyone in an organization.
Mobile phishing attacks surged in 2024, with 16% of all known phishing incidents originating on mobile devices in the U.S. Spear-phishing campaigns are now exploiting mobile behaviors—like tapping links in texts or emails—to quietly compromise credentials and devices. AI-powered social engineering attacks are also becoming more effective, as threat actors can now impersonate assistants, colleagues or business partners with alarming accuracy.
Meanwhile, commercial-grade spyware like Pegasus has shown how devastating a single mobile compromise can be. It allows attackers to access messages, calls and even activate microphones, all without the user’s knowledge. The mobile threat landscape isn’t just growing. It’s evolving fast and quietly.
How Enterprises Can Prepare
Facing this threat landscape, enterprises must take decisive, targeted steps. Here are three places to start:
1. Deploy Mobile-Specific Threat Detection
Traditional endpoint solutions weren’t built for mobile environments. You need tools that can spot mobile-specific threats—like spyware, unusual behavior patterns or compromised device integrity—and take action in real time. This is exceptionally important when traveling to countries where the telecommunications infrastructure is susceptible to man-in-the-middle attacks.
Mobile security also needs to move beyond one-time device checks. Continuous verification is key. That’s where zero-trust policies come in: No device, whether corporate issued or BYOD, should be trusted by default.
2. Employee Training And Mobile Policies
If your security awareness program still focuses mostly on desktop email phishing, it’s time to modernize it. Employees should understand how mobile-specific threats work, including:
• SMS-based phishing (smishing).
• Deepfakes and voice impersonation.
• The risks of using AI chat tools and assistants for work tasks.
At the same time, policies should be just as clear. Set expectations around app permissions, AI features and what’s appropriate to access from a mobile device—especially when sensitive data is involved.
3. Mobile Device Security And Strategy Compliance
Frameworks such as SOC 2, ISO 27001 and GDPR increasingly expect mobile security to be in scope. Regulators understand that mobile devices can access and store the same sensitive data as laptops, so your security controls should reflect that reality. Additionally, ensure your controls around access management, data loss prevention and incident response fully account for mobile endpoints.
Mobile Security Is No Longer Optional
The mobile-first workforce is here to stay, and smart mobile devices will only continue to evolve. Alongside them, a new generation of threats has emerged: smarter, stealthier and more targeted than ever. This convergence of risk isn’t just a passing trend. It’s the cybersecurity storm enterprises must prepare for now.
I believe organizations that continue to treat mobile devices as second-tier assets in their security strategies are taking a big risk with their data, compliance posture and executive safety.
2025 delivers a clear mandate: Rethink your mobile security posture before the storm hits full force. When it comes to mobile threats, assuming devices are secure by default is a risk that businesses can’t afford.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

