How Mobile Threats Are Targeting SMEs - Fleximize

How hybrid work is reshaping cybersecurity priorities

By Jamie Akhtar

Hybrid working is now firmly embedded in how many businesses operate. In fact, research shows that in 2023 over 80% of organisations had a hybrid working model in place, with varying degrees of formality. For small and medium-sized enterprises (SMEs), this shift has brought advantages such as access to a wider talent pool, reduced overheads, and improved flexibility for staff.

Remote working also allows employees to access systems and data from anywhere, encouraging collaboration and increasing efficiency. However, this flexibility introduces new cybersecurity challenges. One of the most pressing is the rise of Bring Your Own Device (BYOD) in the workplace.

The Hidden Risk of BYOD

BYOD refers to staff using their personal phones, tablets, or laptops for work-related tasks. While this can reduce hardware spending and streamline operations, it also opens the door to cyber threats, especially when it comes to mobile phones.

Many organisations rely on employees to use their mobile phones for business, yet do not provide company-issued devices. In these cases, personal smartphones are used to send emails, access internal systems, and store sensitive data. Without the right protections in place, these devices can pose a serious security risk.

Mobile Malware on the Rise

Traditionally, cybersecurity concerns have focused on desktop computers and internal networks. But smartphones are now just as vulnerable. Mobile malware, malicious software designed to target smartphones and tablets, is increasingly being used by cybercriminals to gain access to corporate data.

This malware can take many forms, including viruses, spyware, ransomware, and Trojans. It is often hidden in seemingly harmless apps, disguised in phishing emails, or embedded in malicious links. Once a device is infected, attackers can steal sensitive information, spy on activity, or even take control of the device.

Although iPhones tend to have stronger built-in protections than Android devices, neither system is completely immune. A compromised mobile phone can result in operational disruption, reputational damage, and potential legal consequences. Keeping devices updated and applying security patches as soon as they are released is a critical line of defence.

SMEs and the Policy Gap

Many SMEs do not have clear policies in place to govern the use of personal devices for work. Company-issued devices usually follow strict security protocols, but personal devices often fall outside of these controls. This creates a significant blind spot.

Research shows that 39% of SMEs do not have a code of conduct in place for employees using their own devices for work. Even more concerning, 59% of SMEs offer no training at all on mobile phone security. This lack of structure increases the likelihood of risky behaviour, such as connecting to public WiFi without using a Virtual Private Network (VPN), charging devices at unsecured public stations, forwarding company data to personal email accounts, or storing passwords without encryption.

These behaviours often go unnoticed until something goes wrong. Without a formal policy or employee training, businesses are exposed to unnecessary risk.

Simple Steps to Improve Mobile Security

Improving mobile security doesn't have to be expensive or overly complex. The first step is to put a clear BYOD policy in place. This should explain what is expected of staff when using personal devices for work and include guidance around using secure connections, keeping software up to date, and managing sensitive data responsibly.

Training is equally important. Even a basic level of cybersecurity awareness can make a difference. Recent research has revealed that, after completing training, phishing click rates fall on average by 40% in three months and 86% after a year. Employees should understand how to recognise phishing emails, avoid suspicious apps and websites, and use VPNs when connecting to the internet on the move. Training should also highlight good cyber hygiene practices that apply both in and out of work, as personal devices are often used across both contexts.

Strong passwords remain a crucial line of defence. Encourage employees to use long, unique passwords made up of a mix of letters, numbers, and special characters. Where possible, multi-factor authentication (MFA) should be required, adding an extra layer of protection by asking for more than just a password to access systems.

Staff should also be advised to only download apps from official sources like the Apple App Store or Google Play, and to be cautious about clicking links or opening attachments from unknown senders.

Finally, businesses should ensure that mobile devices used for work have appropriate security software installed. This software can help detect threats, block access to harmful sites, and provide real-time protection against suspicious activity.

Now Is the Time to Act

Cyber threats are becoming more sophisticated and more frequent. As more businesses embrace hybrid working and look to control costs, BYOD is likely to become even more common. But this shift must be matched with robust security planning.

Personal devices are now a core part of how many people work. They need to be treated with the same level of care and protection as company-owned equipment. By introducing a clear code of conduct, offering practical training, and implementing essential security measures, SMEs can significantly reduce their exposure to mobile threats - and help protect their people, data and reputation in the process.

About the author

Jamie Akhtar is Co-Founder and CEO at CyberSmart. Prior to founding CyberSmart, Jamie served as the CTO of several organisations and wears a white hat as an ethical hacker. As CEO of CyberSmart, a venture capital-backed cyber security startup, Jamie’s mission is to provide automated compliance solutions for SMEs.