
85% of Enterprises Report Rising Mobile Attacks. MDM Doesn't Cover the Human Layer.

The Verizon Mobile Security Index is the industry's most focused annual study on enterprise mobile risk. Now in its eighth edition, it surveys security leaders across hundreds of organizations globally — asking not just whether mobile threats are real, but what is actually failing in the way organizations respond to them. The 2024 and 2025 editions document a consistent pattern: mobile is now the primary enterprise attack surface, the attacks are working, and the tools most organizations rely on are not built to stop them.

  1. Mobile Is Now the Primary Enterprise Attack Surface

    Eighty-five percent of organizations report that mobile device attacks are on the rise — a finding that holds regardless of the organization's size, location, or industry. Eighty percent describe mobile as critical to their operations. Yet 53% have already experienced a mobile security incident that caused data loss or system downtime. That number rose sharply in 2025: 63% of organizations experienced major operational downtime from mobile security incidents, up from 47% the year before — a 16-point increase in a single year.

    Verizon's VP of Global Cybersecurity Solutions, Chris Novak, frames it directly: "Mobile security is no longer a perimeter defense, but a battle fought in the palm of every employee's hand." The data supports him. Mobile is where the attacks are landing. Mobile is where the incidents are happening. And mobile is where organizations are most exposed.

  2. Smishing Works — Employees Click at Alarming Rates

    Verizon's smishing simulation data is one of the most striking findings in the report. Among organizations that ran smishing simulation tests, 39% found that up to half of their employees clicked on a malicious link. Employees are 6 to 10 times more likely to engage with SMS phishing than with equivalent email phishing — a gap that reflects the fundamentally different context of mobile: personal device, personal messaging app, off-hours, no IT oversight visible.

    Approximately 70% of all mobile phishing attacks occur through smishing. Nineteen percent of all enterprise breaches originate from smishing or vishing. These are not edge cases. They are the primary threat vector — and they are delivered to a surface that most enterprise security stacks cannot observe.

  3. MDM Gives Organizations False Confidence

    Sixty-seven percent of organizations describe their current mobile security measures as "very effective." The incident data tells a different story. Eighty-nine percent have a dedicated mobile security budget. Seventy-five percent increased it. Yet incident rates and severity are still rising year-over-year. The spending is not closing the gap because the tools being purchased are not designed for the threat.

    MDM manages device policy. It cannot govern unmanaged BYOD devices — which account for 46% of compromised systems holding corporate credentials. Seventy percent of mobile cyberattacks in 2025 targeted personal phones, not managed corporate devices. MDM sees nothing there. Only 17% of organizations have implemented specific controls against AI-assisted mobile attacks. Only 12% have deployed safeguards against deepfake manipulation. The gap is not budget. The gap is in the human layer — the place between the device and the decision — where MDM has never operated.

  4. What Factor MTAD Does Differently

    MDM manages the device. MTAD defends the person. It operates on both managed and BYOD devices, detecting smishing lures, malicious apps, and vishing attempts in real time — without inspecting personal content or requiring invasive surveillance. It works in the context where attacks actually arrive: the messaging thread, the incoming call, the app that requests permissions it should not have.

    The Verizon data shows that organizations implementing all mobile security best practices are half as likely to experience breach-related downtime and less than one-fifth as likely to face major operational repercussions. MTAD is the human-layer control that completes the stack — the capability that MDM was never designed to provide, applied to the surface where attacks are actually landing.

Verizon Mobile Security Index