
Cybersecurity has historically been focused on protecting the endpoint device, whether desktop or mobile. But last year’s Verizon Mobile Security Index reports that 77 percent of organizations expect AI-assisted smishing attempts to succeed and 85 percent are seeing more mobile attacks.
We spoke to Matt Stern, CSO of Hypori, to discuss why he believes organizations are taking an entirely wrong approach by defending the device when attackers no longer need to target it.
BN: Why is relying on the security of the mobile device fundamentally incompatible with a true zero-trust model?
MS: For years, organizations have been conditioned to treat the mobile device as something that can be controlled if we just wrap enough management tools, antivirus, and policies around it. That thinking runs directly counter to zero trust.
A true zero-trust model starts with a simple premise: the endpoint is already compromised. Once you accept that, the entire security architecture shifts. Security becomes about eliminating exposure, not trying to tame a device you do not control.
And that means focusing on the only thing you can control: the data and access to the data. We can no longer rely on a perimeter or the health of a personal device. Instead, we must reduce the attack surface and protect proprietary, sensitive, and personal data with the highest possible level of care. In today’s mobile-first, AI-accelerated threat landscape, we must stop trusting the device and start securing the data.
BN: How is GenAI changing the speed and sophistication of mobile attacks, and what does that mean for organizations that still rely on device-centric defenses?
MS: GenAI has effectively compressed the entire attack lifecycle, from reconnaissance to weaponization, into minutes. What used to take months of proof-of-concept development, testing, and refinement is now automated. Attackers can generate, validate, and deploy mobile exploits at machine speed.
That’s a problem for organizations still trying to defend mobile endpoints the way they defended laptops a decade ago. You simply cannot patch or manage your way out of an attack surface that changes faster than human teams can respond.
AI-assisted smishing, deepfake voice calls, and synthetic identities are only the beginning. We’re also seeing AI used to probe device radios, analyze user behavior patterns, and tailor exploits dynamically. If your defense strategy relies on the health of the device, that it’s ‘clean,’ ‘managed,’ or ‘compliant,’ you’re standing on a foundation that AI erodes a little more every day.
BN: Verizon reports growing concern around smishing, but what emerging mobile attack vectors, such as NFC or Bluetooth exploitation, do you believe organizations are still overlooking?
MS: Smishing absolutely deserves attention, especially as AI tools make messages more convincing and more targeted. But the attacks CIOs should be losing sleep over are the ones their employees don’t see coming at all.
NFC and Bluetooth exploitation are two perfect examples. If a device has radios enabled, and most do, an attacker can compromise it simply by being physically near the user. Tools for probing Bluetooth and NFC ecosystems are getting cheaper and easier to operate, which lowers the barrier to entry.
More concerning are attacks like Herodotus, which target the behavior of the operating system itself. These bypass traditional mobile protections entirely. You can have a fully managed device, with an MDM profile and endpoint agent, and still be wide open to an OS-level or firmware-level exploit.
Organizations are so focused on phishing that they are missing the bigger trend: the move toward invisible, device-level compromise that the user cannot detect and the enterprise cannot control.
BN: If organizations accept that devices can no longer be trusted components in the security chain, what principles should guide a modern, zero-trust-aligned mobility strategy?
MS: If the device can’t be trusted, and at this point, it shouldn’t be, the strategy must shift from device security to data security and architectural isolation. A modern mobile security strategy should be grounded in four principles:
- Assume compromise: Design the system to minimize risk and prevent data exposure at every layer of the security architecture.
- Eliminate local data: If sensitive data never resides on the device, then device compromise doesn’t equal enterprise compromise.
- Segregate personal and enterprise use: Employees will continue to load personal apps, which means organizations must ensure those apps cannot access corporate data or metadata.
- Minimize the attack surface: The fewer enterprise resources exposed to the physical device, the fewer things an attacker can successfully target.
Instead of conditioning security on the health of a personal smartphone, organizations should architect mobility so that a compromised phone is merely an inconvenience, not a breach.
BN: What does a ‘data-first, device-agnostic’ security model look like in practice, and how can it help organizations reduce exposure when mobile devices are compromised?
MS: A data-first, device-agnostic model begins by rejecting the false assumption that data must live on the mobile device. In practice, this means:
- The device never stores enterprise data.
- The device never directly touches enterprise back-end systems.
- The enterprise controls the data environment, not the physical handset.
- Even if malware, spyware, or OS-level compromise occurs, attackers cannot reach enterprise resources because nothing valuable resides on the device.
This approach dramatically reduces exposure. If a mobile device is breached, the attacker gains nothing beyond the user’s personal apps and personal data. The corporate environment remains isolated, insulated, and uncompromised.
We’ve spent decades trying to make mobile devices safer. The truth is that the most secure mobile strategy is the one that stops relying on the device at all.
