March 13, 2017 By Douglas Bonderud

Mobile devices are everywhere. Pew Research Center stated in 2016 that 72 percent of U.S. adults reported owning a smartphone, and many of these adults now leverage their personal technology at work. For enterprises, developers and security firms, this demands an increased focus on security to meet emerging threats — but this isn’t a static environment.

As IT professionals and white hats push back, malicious actors are developing new ways to infiltrate, infect and compromise devices. Here’s a look at the current state of mobile security.

The Changing Mobile Security Landscape

The only constant in security? Change. CSO Online noted the rapid uptake of smartphones and tablets has significantly increased total attack surface: According to Scott Simkin, senior threat intelligence manager of Palo Alto Networks, “it has now been multiplied by a factor of 100 or 1,000 by the sheer number of vulnerable applications and devices that the attacker is able to leverage.”

Speaking of applications, cybercriminals are also changing their tactics to target app developers rather than end users. Why? Because the result is even better for the bad guys. If fraudsters can infect code under development and pass their malware unnoticed until apps go live, they get access to a huge pool of potential victims.

What’s more, increasingly tech-smart employees are finding new ways to evade IT controls and either jailbreak devices or side-load applications they want but which don’t pass corporate security checks. Bottom line? Changing attack surface size, threat vectors and internal actions have conspired to alter the mobile landscape.

Challenging the Status Quo

Corporate-enabled mobile devices offer significant gains, with 26 percent of companies able to link mobile initiatives with revenue increases and one quarter identifying cost savings thanks to mobile deployments. But long-term success demands recognition of new challenges that impact the design and efficacy of mobile security.

For example, organizations must identify how sensitive data is stored, transmitted and used: Are employees accessing corporate networks through insecure Wi-Fi connections or using devices that haven’t been properly updated? They also have to design policies that address these concerns.

Another challenge is the rise of the Internet of Things (IoT). While not all IoT devices are mobile, all mobile devices are part of the larger IoT ecosystem. If infected and placed under attacker control, even seemingly benign smartphones or tablets could become part of a botnet or be used as jumping-off points for distributed denial-of-service (DDoS) attacks.

The Consumer Mindset

Perhaps the biggest shift in mobile comes from the consumer mindset. TechTarget noted one of the biggest problems companies face is the inability to recognize that they don’t own mobile — not in the same way they own server hardware, software or other network-connected devices. Mobile is first and foremost a consumer environment, and corporate users carry this mindset with them no matter how, when or why they’re accessing data.

While organizations are embracing the need for better employee education, this isn’t enough, even when combined with solid mobile device management (MDM). Despite common wisdom, the biggest threats to corporate networks come from employees, and rigorous and repeated training is required to effectively mitigate this threat.

Managing the consumer mindset also requires companies to start treating mobile devices like any other corporate asset. This means performing regular risk assessments and implementing access, identity and authentication controls to limit the chance of accidental data leakage or network infection.

So what’s the state of mobile security? Constantly changing, always challenging and now informed by the consumer mindset. To stay safe, companies must adopt new strategies, adapt current defenses and address internal risk.
