
The Office Moved to the Phone. The Security Stack Didn't Follow.

Hybrid work was supposed to be temporary. It was not. Years after the initial shift, the data is stable: knowledge workers permanently conduct significant portions of their professional lives on mobile devices, outside the enterprise perimeter, on personal networks, in personal contexts where corporate security tools have no reach. The security stack built for the corporate LAN is defending an office that no longer exists — while the attacks keep arriving at the address where the work actually happens.

  1. The Permanent Shift to Mobile-First Work

    Fifty-eight percent of American workers can work remotely at least part of the time (McKinsey Global Institute, 2023). Mobile devices now account for more than 60% of endpoint activity in most enterprise environments (Gartner, 2024). The smartphone is the primary device for communication, authentication, approvals, and real-time decision-making — functions that were once anchored to the desktop and the office network.

    This is not a post-pandemic anomaly trending back toward baseline. Enterprise mobile software revenue is projected to reach $510 billion globally by 2030 (Grand View Research). The architecture of work has been reorganized around mobile. The security architecture protecting that work has largely not.

  2. Corporate Data Now Lives Outside the Perimeter

    Eighty-two percent of breaches involve data stored or processed in cloud or hybrid environments (Verizon Data Breach Investigations Report, 2024). The access paths into that data — MFA approvals, credential inputs, link clicks that initiate authentication flows — happen predominantly on mobile devices, often in off-hours personal contexts where the employee's guard is lower and corporate verification procedures are absent.

    When an employee approves an MFA prompt on their personal phone at 8pm, no enterprise security tool is present at that interaction. When a smishing lure arrives in a personal messaging app, the email gateway does not see it. The perimeter-based security model assumes threats arrive at the edge. Mobile attacks arrive inside the employee's pocket, at the moment of lowest friction and highest trust.

  3. Enterprise Security Spend Has Not Followed the Threat

    Global enterprise security spending will exceed $215 billion in 2024 (Gartner). The majority remains directed at network security, server and desktop endpoint protection, and identity infrastructure — the tools built for the perimeter that no longer contains the work. Only 17% of organizations have specific controls against AI-assisted mobile attacks (Verizon Mobile Security Index, 2025). The average organization has a dedicated mobile security budget, but the tools being purchased are predominantly MDM — device management tools that do not address the human-layer threat.

    The mobile security market is projected to grow from $8.9 billion in 2024 to $22.4 billion by 2029, at a compound annual rate of 14.8% (MarketsandMarkets, 2024). That growth reflects an awareness gap finally closing — organizations beginning to recognize that mobile is not just another endpoint category, but the primary surface where human-layer attacks now land.

  4. The Organizations That Will Move First

    Regulated industries — financial services, healthcare, defense contractors, critical infrastructure operators — are already facing regulatory pressure around mobile device security and data handling. The EU's NIS2 Directive and the SEC's updated cybersecurity disclosure rules have moved mobile risk from an operational question to a board-level disclosure obligation. Voluntary frameworks are being replaced by mandatory reporting timelines that do not accommodate 261-day detection windows.

    Organizations that establish human-layer mobile defense before regulatory urgency or a public incident forces the conversation will have built institutional capability, vendor relationships, and response infrastructure that their peers will need to construct under pressure. The shift in the work surface is permanent. The security posture that matches it is still early.

Mobile Workforce Security Gap