As cloud and mobile adoption skyrocket, businesses seek new and stronger ways to protect applications and data. In some ways, many have grown smarter about data access and security. In others, research shows they still have some work to do.
The 2019 Duo Trusted Access Report amasses data from 24 million devices, 1 million applications and services, and 500 million authentications across North America and Western Europe to unearth trends in technology and cybersecurity. Its findings show a rise in Windows 10, greater biometric adoption, and an increasingly mobile workforce reliant on cloud. But researchers also found businesses running outdated operating systems and popular browsers.
Application integration is up across most key categories. The number of customers per cloud app is up 189% year-over-year, and the number of authentications per customer per app is up 56%. Remote access rose 89% as more people work outside the office but still need application access: Nearly half (45%) of requests for protected apps came from outside the organization.
The massive spike in cloud applications means any given employee has at least two or three cloud apps they use to do their jobs, says Wolfgang Goerlich, advisory CISO for Duo Security. “It was a big explosion of shadow IT,” he adds. “It really got away from a lot of the organizations.” Some people often use the same applications for personal and business use, driving the need for businesses to enforce their security policies for cloud-based applications and resources.
Inside Authentication Trends
SMS-based authentication has continued to fall. Less than 3% of businesses use SMS authentication in 2019, compared with 6% to 8% in 2016. At the same time, biometric authentication saw its fourth year of growth: 77% of devices scanned have configured biometrics including Apple Touch ID and Face ID, Android fingerprint scan, and Windows Hello.
“It’s good to see where people have alternatives, they’re using less direct SMS authentication,” says Wendy Nather, director of advisory CISOs at Duo Security. While most businesses (68%) surveyed rely on Duo Push for primary authentication — researchers scanned Duo customers to collect their data — she notes it’s interesting to look at secondary methods across industries.
The profiles and percentages of authentication methods tend to vary across different verticals depending on the circumstances, Nather continues. Heavily regulated areas such as the federal government are more likely to use a hardware token to establish trust, while phone calls are common among healthcare, higher education, and non-federal government organizations.
Hardware tokens are “generally still seen in high-discipline environments, where the risk case makes sense and where they can afford it,” she explains, pointing to government and finance. Healthcare’s reliance on phone calls “has a lot to do with the situation in healthcare institutions and clinics,” she adds. “From a logistics point of view, it’s easier for a doctor or nurse on staff to pick up a phone line rather than try to fumble for any number of mobile phones.”
Businesses are tightening control on access from specific places. At least 3 million authentications have been denied in 2019 due to location restrictions, and 178 countries have denied access. The top five restricted locations are China, Russia, United States, India, and France. Duo says the US is the third most restricted location due to companies based outside the US not allowing authentication outside their home country.
More than half (51%) of companies using Duo have blocked at least one authentication from a restricted location. Other common enterprise policies include requiring users to have a screen lock (27%), disk encryption (22%), and disallowing access from anonymous IP addresses (20%).
OS and Browsers: Windows 10 Grows, Android Outdated
Since 2017, Windows 10 has grown from 48% to 66% adoption as Windows 7 has fallen from 44% to 29%. While Windows 7 is declining overall, some industries are still hanging on. Those fastest to adopt Windows 10 are wholesale and distribution (86%), business services (80%), and nonprofits (70%). Those still mostly relying on Windows 7 include transportation and storage (62%), computer and electronics (54%), and healthcare organizations (52%).
As work goes mobile, it’s shifting the balance for OS popularity: Windows remains the dominant enterprise OS, but its usage fell 8% year-over-year to hit 47%. In the same time frame, iOS usage jumped 7% to hit 23%, and Android rose 2% to hit 10% usage. MacOS use fell by 1%, hitting 17%.
“When we see more adoption and more use of mobile devices, we may be seeing an ergonomic trend,” Nather says of Apple device popularity. “When users have a choice of what device they’re going to use on a particular task, this is what they tend to pick.”
Android was the leader for out-of-date devices; 58% are not running the latest security patch. Overall, operating systems are more frequently updated in 2019 than in 2018, but Android continues to be the least updated, followed by macOS (51%), Chrome OS (39%), and iOS (38%).
Google Chrome is the most popular enterprise browser; Internet Explorer comes in last. A Chrome zero-day discovered in March 2019 has motivated businesses to improve browser security. Following its disclosure, Duo saw a 30x increase in denied authentications and 79% increase in policies limiting access to data and applications from the latest browser versions.
“What this says to me is organizations are using this as part of their incident response process,” says Nather. “They were protecting themselves even if they couldn’t control devices, and saying everyone has to update. It’s a great step forward in terms of giving control back to CISOs.”
Microsoft Edge is the most out-of-date browser, with 73% of devices running an outdated version. Internet Explorer is the most up-to-date version; however, since the latest version of IE was released in 2013, businesses still relying on it should consider switching to another browser. Still, as Nather points out, IE remains a “mainstay” in many organizations.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio