The use of employee mobile devices at work, known as bring your own device (BYOD), is a significant and growing threat to organizational security, according to Verizon’s 2024 Mobile Security Index (MSI).
According to the report, 37% of employees in organizations that ban or lack a public Wi-Fi policy use it anyway, contributing to heightened security risks.
The findings also showed a sharp rise in mobile device threats, with 85% of respondents noting an increase over the past year.
A quarter of mobile users admitted they clicked on at least one phishing link per quarter in 2023, while more than three quarters (77%) of survey respondents said they believe AI-driven attacks like deepfakes and SMS phishing are likely to succeed.
Critical infrastructure sectors, including energy, healthcare and manufacturing, are particularly vulnerable, with 86% reporting a rise in mobile and IoT security risks.
Mike Caralis, vice president of Verizon Business, explained that organizations in critical infrastructure sectors, which are crucial to national security and public safety as outlined by NIST, need a solid, strategic approach to address mobile and IoT security risks.
“Given their essential role and the widespread use of IoT devices, these sectors are particularly vulnerable to advanced threats that could disrupt operations, harm revenue, damage reputations, and even affect public health and safety,” he said.
He pointed out that simply being aware of these risks isn’t enough; unknown, unmanaged and unmonitored devices can create significant security gaps.
“To combat this, organizations must ensure complete visibility into all IoT projects and enforce strict standards for mobile and device security, network segmentation and data encryption,” Caralis said.
Ongoing education about credential theft, basic security practices and vigilance is crucial, as is cultivating a strong cybersecurity culture.
“This comprehensive approach is vital not just for critical infrastructure sectors but for all industries, requiring a united effort from both public and private sectors to effectively counter evolving threats,” he said.
The report found that 84% of organizations have increased mobile security spending, and 89% of critical infrastructure respondents plan to boost investments further.
Caralis cautioned that insecure connectivity, whether from public Wi-Fi, home networks, or even cellular connections, can put sensitive data at risk and compromise confidentiality.
“While some organizations might feel pressured to let remote workers use these networks, others face challenges in enforcing restrictions despite having policies in place,” he said.
Caralis said that, to mitigate these risks, IT security teams should focus on key strategies like mobile device management (MDM), endpoint security and network access controls (NAC).
MDM helps ensure devices follow security protocols, such as using VPNs and encryption, while endpoint security safeguards both corporate and personal devices from malware and other threats.
The use of NAC tools can help identify when employees are using public Wi-Fi and apply access restrictions or additional authentication, which greatly reduces risks associated with BYOD policies and enhances overall security.
Caralis said that, to boost mobile device security awareness and training, organizations should focus on engaging and interactive sessions that use real-world scenarios to teach users how to spot and avoid phishing attempts.
“It’s important to set up clear procedures for reporting suspicious messages and encourage quick action,” he added. “Keeping security awareness campaigns up to date is crucial to address new threats and reinforce best practices.”
To effectively prepare for and defend against advanced AI-driven threats including deepfakes and SMS phishing, organizations should adopt a multi-layered defense strategy.
“Start by investing in advanced AI detection tools and complement this with regular training programs that teach employees how to recognize and respond to deepfakes and AI-driven phishing schemes, using practical examples to boost awareness,” Caralis said.
Organizations should also implement strong verification processes, such as multi-factor authentication (MFA), to protect sensitive transactions.
“Keep up with the latest threat intelligence to adapt your defenses to emerging threats, and create a security-focused culture where employees feel empowered to question and report suspicious activities,” Caralis said. “By taking these steps, you can significantly enhance your resilience against the evolving landscape of AI-driven attacks.”