COMMENTARY: A single cellphone call last September to the IT help desk at MGM Resorts unleashed chaos that would cost the company more than $100 million.
The attackers, posing as a frustrated employee, convinced the help desk to reset credentials on the mobile device. Within hours, they had penetrated MGM's entire network and wreaked havoc.
Within days, hotel doors stopped working, slot machines went dark, and the Las Vegas strip giant found itself crippled by a breach that started with something most organizations don't even classify as an endpoint: a mobile phone.
While security leaders obsess over laptop endpoints and network perimeters, they overlook the computers in their employees' pockets—computers that often have more access to sensitive corporate data than any laptop. This isn't just a gap in security—it's a chasm waiting to swallow organizations whole.
Mobile threats are rapidly evolving
What makes this oversight particularly dangerous is the rapid evolution of mobile threats. The MGM attack stands as the most visible example of what happens when we ignore this growing threat to mobile device security. This wasn't just a lucky break for criminals—it was an inevitable exploitation of a glaring vulnerability in our cybersecurity approach.
We're witnessing the same pattern that transformed ransomware from a novelty into a billion-dollar criminal industry. Mobile attacks often exploit legitimate channels—app stores, system updates, or seemingly innocent applications. Attackers can compromise a mobile device through WhatsApp, SMS, email, or even a malicious Wi-Fi network. Each attack vector bypasses traditional security controls while exploiting the trusted access these devices have to corporate resources.
Furthermore, advanced mobile spyware, once the exclusive domain of nation-states, has increasingly appeared in commercial settings. Tools like Pegasus, which can silently compromise a device through a simple text message, have already been found targeting corporate executives. The more accessible Hermit and Predator variants are showing up in criminal marketplaces, offering capabilities that would have been considered science fiction just a few years ago.
Consider this: the same phone that an executive uses to approve million-dollar transactions might get infected from their teenager downloading a compromised game. The device that holds the company’s customer database might run spyware from a malicious ad click. Unlike traditional endpoints, mobile devices blur the lines between personal and professional use in ways that make traditional security models obsolete.
The situation becomes even more complex when we consider modern privacy regulations. Under laws like the California Consumer Privacy Act (CCPA), employees have the right to refuse device inspection—even if their phone contains sensitive corporate data. This creates an impossible situation for security teams: they're responsible for protecting corporate data on devices they legally cannot inspect or control.
Expand the definition of endpoints
The numbers tell a startling story: 82% of organizations now permit bring your own device (BYOD) programs, with employees spending over three hours daily conducting business on mobile devices. More critically, 67% of employees regularly access sensitive corporate data through personal phones. Yet, only 41% of organizations have implemented comprehensive mobile device management tools.
Organizations must start by explicitly defining mobile devices as critical endpoints in their security frameworks and policies. This isn't merely a documentation exercise—it's a crucial first step that drives resource allocation, attention, and investment in mobile security. These framework updates must establish clear mobile-specific security baselines that account for the unique challenges of BYOD scenarios while creating incident response procedures that respect modern privacy regulations.
This approach requires a fundamental reimagining of what we consider an endpoint. On the technical front, organizations need to embrace a zero-trust architecture that treats mobile devices as untrusted by default. This approach acknowledges the reality that these devices regularly move between secure and insecure networks while accessing sensitive corporate resources.
Policy evolution must keep pace with these technical controls. Organizations need to revisit their BYOD agreements, clearly defining security requirements while respecting an employee’s privacy boundaries. This includes developing comprehensive mobile-specific security training programs that educate employees about the unique risks of their mobile devices. Companies must establish privacy-aware incident response procedures before a crisis hits, ensuring organizations can respond effectively to mobile-related breaches while staying within regulatory boundaries.
The mounting cost of inaction
Today, an employee’s cellphone is as much a computer as any laptop—and often a more valuable target. It's time our security frameworks reflected this truth. Otherwise, we're just waiting for the next breach to prove what we already know: mobile devices are endpoints, and pretending otherwise stands as corporate malpractice.
We have a clear choice: Act now to close this security gap. Or, wait until a breach forces the company’s hand. By then, it’s too late.
Rocky Cole, chief operating officer, iVerify
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.