The Verizon 2026 Data Breach Investigation Report notes that users are 40% more likely to click on a phishing link via their cellular phones as opposed to via a computer. Securing the enterprise with this wildcard factor in play provides a challenge to organizations. On the one hand, cell phones are often utilized as a factor in authentication. On the other hand, users can be targeted through phone calls, text messages, personal apps and email, as well as via organizational apps, all on their personal device. Considering this threat vector, organizational policy and user training should answer the following questions:
- Are users allowed to access organizational data on their personal devices? On their cell phones? Which data?
- Are users trained on how to preview a link and to be suspicious of unexpected text or emailed links while using their cell phone?
- If a phishing reporting process is utilized, does that process work on cellular devices? Do users know how to report via their personal device/cell phone?
- Are users trained regarding current vishing (voice), smishing (text message) and social engineering techniques?
- Are users aware they may be targeted via their personal social media accounts?
- Does the school guest network block malicious domains? Are users aware that this protection exists if they connect to the guest network?
- Are users' concerns about the organization “monitoring” their personal device addressed?
- Are users expected and trained to report a lost or stolen personal device, so their organizational accounts may be secured?
- Do organizational policy and acceptable use agreements reflect all of the above?
- Can any of the organizational policies related to accessing organizational content via a personal device be automated?
Personal and cellular devices may be targeted as a means of compromising user credentials or data. Keep this threat vector in mind when evaluating the current organizational threat landscape.
Reference
2026 Verizon Data Breach Investigation Report (To view the report without entering any information, click on View Only)
