You wouldn’t skip handwashing – so why skip mobile security hygiene?


Most businesses have a strong focus on maintaining a clean and safe working environment, especially in critical sectors. No medical practitioner who values the lives of their patients would take a shortcut on handwashing and surface sterilization protocols. No one working with hazardous materials who values their own life would skip out on protective equipment. Even in sectors like education and retail, hygiene is still a top priority.

Yet in the same environments where clinical hygiene is maintained, cyber hygiene is often left to chance, especially when it comes to mobile device security.

Mobile devices are no longer just simple communication tools; they are now essential to frontline operations. That also makes them a priority target for cybercriminals searching for weak points through which to breach corporate networks.

As the mobile threat grows, cybersecurity hygiene needs to be held to the same standard as physical workplace hygiene. It must be routine, deeply embedded, and intolerant of shortcuts - not an afterthought.

Josh Stein, VP of Product Strategy at Jamf.

An expanding threat landscape, but too often poorly defended

Mobile devices such as smartphones, tablets and wearables are considered mission-critical in many sectors. From healthcare to education to energy, workers are increasingly relying on mobile for core operations.

Healthcare clinicians access patient health records via mobile apps, teachers engage their classes through interactive displays, and field engineers manage critical infrastructure through connected devices.

However, while this raft of mobile devices brings more agility and efficiency, it’s also greatly expanding the attack surface of these sectors – and cybercriminals have noticed. The risk facing mobile devices has grown dramatically in recent years, both in volume and sophistication.

Over 33.8 million mobile-specific attacks were detected globally in a single year - a figure that continues to rise as threat actors capitalize on mobile’s expanding footprint in enterprise environments.

These attacks exploit the lapses in cyber hygiene that persist across mobile fleets. Devices are frequently assumed to be safe by default or dismissed as low risk. Mobile devices running outdated operating systems, unpatched applications or lacking endpoint protection are commonplace. Password reuse and the absence of multi-factor authentication (MFA) further elevate the risk.

In many cases, mobile endpoints have become the soft underbelly of the corporate network - widely used, minimally monitored, and inconsistently secured. Just as unwashed hands can carry invisible pathogens, mobile devices can harbor unseen threats. And when routine protections are skipped, exposure becomes inevitable.

Why we still treat mobile differently — and why that’s dangerous

Despite their ubiquity, mobile devices are still perceived as fundamentally different from traditional endpoints.

Most workers have internalized a cautious approach to browsing, installing apps, opening incoming files and clicking links when using their desktop and laptop devices, perhaps because those devices are associated with a formal working environment.

However, for many users, mobile is seen as a more personal experience. This encourages a more relaxed attitude, adding to the idea that they’re somehow less “exploitable” than other endpoints.

This perception encourages complacency, with less consideration about potential threats like malicious attachments and applications. Further, mobile devices are often used interchangeably for personal and business tasks, blurring the lines between secure and vulnerable environments.

Threat actors actively exploit this mindset, especially with phishing, which remains the most common and effective method of compromise.

Mobile-specific variants, such as smishing (SMS phishing) and malicious app prompts, are particularly successful due to shortened URLs, limited screen space, and the absence of familiar desktop visual cues. These tactics are often paired with spyware, adware and data-harvesting malware that can linger undetected for long periods.
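The indicators listed above (shortened URLs, a screen too narrow to show the real host, no desktop-style address bar) can be checked mechanically. The script below is an added example written for this page, not Jamf's code or any product's detection logic; the shortener list, the brand-to-domain table, the urgency keywords and the sample messages are all constructed for illustration, and the "last two labels" rule for the registrable domain is a deliberate simplification of what the Public Suffix List provides.

```python
import re
from urllib.parse import urlparse

# Constructed lists for the example. A real deployment would use a maintained
# shortener list and the Public Suffix List instead of "last two labels".
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly", "rb.gy"}
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com"},
}
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|suspended|locked|verify|final notice|act now)\b", re.I
)
# A URL-looking token: optional scheme, one or more dotted labels, a TLD, optional path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def extract_urls(text: str) -> list[str]:
    """Pull URL-looking tokens out of a message. SMS lures often omit the
    scheme, so one is added so that urlparse() sees the host correctly."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0)
        if not u.lower().startswith(("http://", "https://")):
            u = "http://" + u
        urls.append(u)
    return urls


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'account-verify.example'.
    Simplification: real code consults the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_indicators(url: str) -> list[str]:
    """Indicators that a URL relies on what a small screen hides."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if parsed.scheme != "https":
        flags.append("plain-http")
    if host in SHORTENERS:
        flags.append("shortened-url")  # the destination host is not visible at all
    if "xn--" in host:
        flags.append("punycode-host")  # look-alike characters hidden behind IDN encoding
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        flags.append("ip-literal-host")
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        # Brand name present, but the part that actually resolves is someone else's:
        # apple.com.account-verify.example shows "apple.com" first on a narrow screen.
        if brand in host and reg not in legit:
            flags.append(f"brand-in-subdomain:{brand}")
    return flags


def assess_message(text: str) -> dict:
    """Score an SMS: one point per indicator, so a clean message scores 0."""
    indicators = []
    if URGENCY.search(text):
        indicators.append("urgency-language")
    urls = extract_urls(text)
    for u in urls:
        indicators.extend(url_indicators(u))
    return {"urls": urls, "indicators": indicators, "score": len(indicators)}


# Constructed sample messages (not real traffic; hosts use reserved example names).
SAMPLES = [
    "Your Apple ID has been suspended. Verify immediately at http://apple.com.account-verify.example/login",
    "Parcel held at depot, confirm delivery fee: https://bit.ly/3x9k2q",
    "Security notice https://xn--pple-43d.com/reset",
    "Team lunch moved to 1pm, menu at https://intranet.example.org/lunch",
    "Release notes: https://www.apple.com/support/ios",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = assess_message(s)
        print(f"{r['score']:>2}  {r['indicators']}  {s[:60]}")
```

The score is a triage signal, not a verdict: a legitimate vendor does sometimes send a shortened link, which is exactly why the "brand-in-subdomain" and punycode checks carry more weight in practice than the shortener check on its own.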

Organizations can inadvertently reinforce this risky mindset by failing to include mobile in core security strategies. Policies and protections that are standard on other endpoints, from patch management to access controls, may be absent or inconsistently applied on mobile.

This operational divide would never be tolerated in physical settings where protective measures are standardized and enforced across every tool and surface. It’s time for mobile cybersecurity to adopt the same attitude - no exceptions, no assumptions.

Why cyber hygiene must be as routine as handwashing

Many of the vulnerabilities exploited in mobile attacks stem from lapses in basic cyber hygiene - failures entirely preventable with consistent, well-enforced practices. Addressing these gaps doesn’t require breakthrough technology, but rather a disciplined approach to configuration, maintenance, and user behavior.

Mobile devices should be fully integrated into enterprise risk management frameworks, with the same diligence applied to laptops and servers. That includes vulnerability assessments, asset inventory, incident response planning and compliance checks.

At a minimum, all mobile devices should be kept up to date with the latest operating system and application patches. This is frequently overlooked, particularly in BYOD environments, where IT has limited visibility or control.

Mobile device management (MDM) or unified endpoint management (UEM) platforms let organizations enforce policies around software updates, storage encryption and app allowlisting across every enrolled device, and report on the devices that fall out of compliance.

Credential hygiene is equally critical. Strong passwords, enforced MFA and discouraging reuse across services all help reduce account-based compromise. Endpoint protection tools that scan for malicious links or payloads should extend beyond desktops and laptops to mobile devices as standard.
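The compliance checks described above (OS patch level, encryption, app allowlisting, MFA enrollment, and a device that has stopped reporting in) are concrete enough to run against an inventory export. The following is an added example written for this page, not code from Jamf or any MDM vendor: the inventory JSON is constructed, the policy values are placeholders rather than recommended versions, and the field names are assumed rather than taken from any real product's export format.

```python
import json
from datetime import datetime, timezone

# Policy the fleet is audited against. Constructed for this example: the
# version numbers are placeholders, not a recommendation.
POLICY = {
    "min_os": {"ios": "17.6", "android": "14"},
    "allowed_apps": {"com.example.ehr", "com.example.mail", "com.example.auth"},
    "max_checkin_age_days": 7,
}

# Constructed MDM inventory export (not real data; field names are assumed).
INVENTORY_JSON = """[
 {"id": "ipad-0412", "os": "ios", "os_version": "17.6.1", "encrypted": true,
  "mfa_enrolled": true, "apps": ["com.example.ehr", "com.example.auth"],
  "last_checkin": "2024-09-09T08:12:00Z"},
 {"id": "phone-0077", "os": "ios", "os_version": "16.7.2", "encrypted": true,
  "mfa_enrolled": false, "apps": ["com.example.mail", "com.freeware.flashlight"],
  "last_checkin": "2024-09-10T17:45:00Z"},
 {"id": "tablet-0199", "os": "android", "os_version": "13", "encrypted": false,
  "mfa_enrolled": true, "apps": ["com.example.ehr"],
  "last_checkin": "2024-08-01T00:00:00Z"}
]"""


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def version_below(v: str, minimum: str) -> bool:
    """True if v is older than minimum. Tuples are padded with zeros so that
    '17.6.1' compares as >= '17.6' instead of failing on length; comparing the
    raw strings would wrongly rank '9.3' above '17.6'."""
    a, b = version_tuple(v), version_tuple(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def audit_device(d: dict, policy: dict, now: datetime) -> list[str]:
    """Return the hygiene findings for one device; an empty list is compliant."""
    findings = []
    minimum = policy["min_os"][d["os"]]
    if version_below(d["os_version"], minimum):
        findings.append(f"os-outdated:{d['os_version']}<{minimum}")
    if not d["encrypted"]:
        findings.append("storage-unencrypted")
    if not d["mfa_enrolled"]:
        findings.append("mfa-not-enrolled")
    for app in d["apps"]:
        if app not in policy["allowed_apps"]:
            findings.append(f"unapproved-app:{app}")
    # A device that has stopped checking in is outside the control loop:
    # nothing above can be trusted to still be true.
    last = datetime.fromisoformat(d["last_checkin"].replace("Z", "+00:00"))
    age_days = (now - last).days
    if age_days > policy["max_checkin_age_days"]:
        findings.append(f"stale-checkin:{age_days}d")
    return findings


def audit_fleet(inventory_json: str, policy: dict, now: datetime) -> dict:
    """Map device id -> findings for every device in the export."""
    return {d["id"]: audit_device(d, policy, now) for d in json.loads(inventory_json)}


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    report = audit_fleet(INVENTORY_JSON, POLICY, datetime(2024, 9, 11, tzinfo=timezone.utc))
    for device_id, findings in report.items():
        print(device_id, "OK" if not findings else ", ".join(findings))
```

Two details matter more than they look. Version strings must be compared numerically, not lexically, or an iOS 9 device passes a 17.x floor. And check-in age belongs in the audit: a device that last reported a month ago may have been compliant then, but the fleet report says nothing about it now.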

User education is an essential component alongside the right tools and policies. Employees must understand how to recognize phishing attempts, avoid unauthorized app installations, and report suspicious activity. Organizations can dramatically reduce their mobile risk exposure when people and policy align.

A strategic reset: treating mobile security as mission-critical

Physical hygiene is upheld as a system-wide discipline in the workplace. It is embedded in training, processes and culture, because the alternative is unacceptable risk. That same principle should govern how we approach mobile security.

Mobile devices now sit at the intersection of convenience and criticality, and treating their security as secondary is no longer viable. These devices are full-fledged endpoints, with access to sensitive systems and information, and they deserve to be treated accordingly.

Like any surgical instrument or critical tool, mobile assets must be kept clean, controlled, and protected, without exception.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
