Irish businesses are facing a widening gap between their awareness of cyber threats and their actual defense strategies, as a surge in mobile-based attacks targets the shift toward flexible work. While anxiety over digital security is climbing, a significant number of organizations continue to leave the door open to attackers by allowing unrestricted access to corporate data via personal devices.
According to the Vodafone Business Cybersecurity Report, Vodafone found that 70 per cent of organizations are more concerned about security attacks on mobile devices than they were last year. This trend reflects a broader vulnerability in the Irish SME landscape, where the convenience of “Bring Your Own Device” (BYOD) policies often outweighs the implementation of rigorous security protocols.
The risk is not theoretical. Roughly a quarter of Irish companies reported experiencing a cybersecurity breach within the last year. This local trend mirrors a larger European crisis; data from the European Union Agency for Cybersecurity (ENISA) indicates that mobile-based attacks now account for more than 42 per cent of all cyber incidents across the EU over a 12-month period.
As a former software engineer, I have seen how the “friction” of security—multi-factor authentication, device enrollment, and restricted permissions—often leads employees to discover workarounds. In the current Irish corporate climate, that friction is being ignored, creating a systemic mobile threat to Irish companies that leverages the very tools meant to increase productivity.
The BYOD Vulnerability Gap
The primary driver of this instability is the disconnect between corporate policy and technical enforcement. Despite the rising fear of breaches, more than 40 per cent of Irish organizations still permit personal handsets to have unrestricted access to sensitive company resources, including internal emails, proprietary apps, and confidential documents.
This lack of oversight extends to the operational level. The report, which surveyed 300 Irish SMEs, revealed that 20 per cent of businesses failed to proactively monitor for security threats. Even more concerning is the human element: less than half of these companies have made cybersecurity training mandatory for their staff.
The transition to a hybrid workforce has accelerated this exposure. Data from the Central Statistics Office (CSO) shows that almost one million people in Ireland worked in remote or hybrid arrangements in 2025. While this flexibility has boosted employee satisfaction, it has decentralized the corporate perimeter, moving it from a controlled office network to a variety of unsecured home Wi-Fi connections and personal smartphones.
“With so many companies offering hybrid and remote working, employees are using their handsets to better manage their workload. Without enterprise software and sufficient mobile security awareness training, the risks this poses to companies are significant,” said Vodafone Ireland business director Jo Gilfoy.
Anatomy of the Modern Mobile Attack
Modern attackers are moving away from complex software exploits in favor of social engineering and identity theft. As personal devices often lack the robust endpoint protection found on company-issued laptops, they serve as an ideal entry point for infiltrating a wider corporate network.
The threats are diverse, ranging from automated malware to highly targeted psychological manipulation. Vodafone identified several primary vectors currently endangering Irish businesses:
- Communication Phishing: The use of WhatsApp and SMS (Smishing) to impersonate executives or vendors to steal credentials.
- Identity Hijacking: Including “Sim swap” attacks, where a criminal convinces a mobile carrier to transfer a victim’s phone number to a new SIM card to bypass two-factor authentication.
- Technical Exploits: Mobile malware and unpatched operating system vulnerabilities that allow silent data exfiltration.
- Network Attacks: Intercepting data via unsecured public Wi-Fi or “man-in-the-middle” attacks.
| Metric | Finding |
|---|---|
| Increased Concern vs Last Year | 70% |
| Unrestricted Personal Device Access | >40% |
| Lack of Proactive Threat Monitoring | 20% |
| Mandatory Security Training | <50% |
Why the Risk is Escalating Now
The “mobile threat to Irish companies” is not merely about the devices themselves, but the behavior of the users. In a remote-first environment, the smartphone becomes the primary workstation for many. When an employee checks a corporate email on a personal device that is also used for gaming, social media, and third-party apps, the attack surface expands exponentially.
Without Mobile Device Management (MDM) software, companies cannot “wipe” corporate data if a phone is lost or an employee leaves the company. This leads to “data leakage,” where sensitive client information remains on a device that is no longer under the company’s control.
Jo Gilfoy emphasized that the environment is becoming increasingly complex. “Irish companies must ensure their people are aware of the risks with mobile use inside and outside the workplace as they continue to navigate complex environments,” Gilfoy said.
For SMEs, the cost of a breach is often far higher than the cost of implementing security. Beyond the immediate financial loss, the reputational damage and potential GDPR fines from the Data Protection Commission can be catastrophic for smaller firms.
Next Steps for Organizational Defense
To mitigate these risks, security experts suggest moving toward a “Zero Trust” architecture, where no device is trusted by default, regardless of whether It’s inside or outside the office. This involves implementing strict identity verification and isolating corporate data from personal data on the same device—a process known as “containerization.”
The immediate priority for Irish firms is the closure of the training gap. When less than half of a workforce is trained in spotting a WhatsApp phishing attempt, the most expensive firewall in the world becomes irrelevant.
As the digital landscape evolves, the next critical checkpoint will be the updated guidance and reporting cycles from ENISA and the CSO, which will determine if the adoption of enterprise mobile security software is keeping pace with the rise in remote work trends through the end of 2025.
Do you use a personal device for work? Let us know in the comments how your company handles mobile security or if you’ve noticed an increase in phishing attempts.
