As cloud and mobile adoption skyrocket, companies are seeking new and stronger ways to protect applications and data. In some ways, many have become smarter about data access and security. In others, research shows that they still have some work to do.
The 2019 Duo Trusted Access Report gathers data from 24 million devices, 1 million applications and services, and 500 million approvals across North America and Western Europe to uncover technology and cyber security trends. Its findings show an increase in Windows 1
Program integration is up across most important categories. The number of customers per cloud app is up 189% year-round, and the number of approvals per customer per app is up 56%. Remote access rose 89% as more people work outside the office but still need application access: nearly half (45%) of requests for protected apps came from outside the organization.
The massive uptick in cloud applications means that every employee has at least two or three cloud apps they use to do their jobs, says Wolfgang Goerlich, advisory CISO for Duo Security. "It was a huge explosion of shadow IT," he adds. "It really got away from many organizations." Some employees often use the same applications for personal and business use, driving the need for businesses to enforce their security policies for cloud-based applications and resources.
In Authentication Trends
SMS-based authentication has continued to fall. Less than 3% of companies use SMS authentication in 2019, compared to 6% to 8% in 2016. At the same time, biometric authentication saw its fourth year of growth: 77% of scanned devices have biometrics configured, including Apple Touch ID and Face ID, Android fingerprint scanning, and Windows Hello.
"It's good to see where people have options, they use less direct SMS authentication," says Wendy Nather, CISO Advisory Director at Duo Security. While most businesses surveyed (68%) rely on Duo Push for primary authentication (the researchers scanned Duo customers to collect their data), she notes it's interesting to look at secondary methods across industries.
Profiles and percentages of authentication methods tend to vary across different verticals, depending on the circumstances, Nather continues. Highly regulated areas such as the federal government are more likely to use a hardware token to establish trust, while telephone calls are common among healthcare, higher education, and non-federal government organizations.
Hardware tokens are "usually still seen in high-discipline environments, where the risk cause makes sense and where they can afford it," she explains, pointing to the government and the economy. The healthcare sector's reliance on phone calls "has a lot to do with the situation in healthcare facilities and clinics," she adds. "From a logistics point of view, it is easier for a doctor or nurse to pick up a telephone line instead of fumbling for a number of mobile phones."
Businesses are reinforcing control of access from specific locations. At least 3 million authentications have been denied in 2019 due to location restrictions, and access has been denied from 178 countries. The top five are China, Russia, USA, India and France. Duo says the US is the third most restricted location because companies outside the United States do not allow authentication from outside their home country.
More than half (51%) of companies that use Duo have blocked at least one authentication from a restricted location. Other common business policies include users having a screen lock (27%), disk encryption (22%), and allowing access from anonymous IP addresses (20%).
OS and browsers: Windows 10 grows, Android outdated
Since 2017, Windows 10 has grown from 48% to 66% adoption as Windows 7 has fallen from 44% to 29%. While Windows 7 is collapsing, there are still some industries that rely on it. The fastest to adopt Windows 10 are wholesale and distribution (86%), business services (80%) and non-profit organizations (70%). Those who still rely on Windows 7 include transportation and storage (62%), computer and electronics (54%) and healthcare organizations (52%).
When work goes mobile, it shifts the balance of OS popularity: Windows remains the dominant business OS, but its usage fell 8% year on year to hit 47%. In the same timeframe, iOS usage jumped 7% to hit 23%, and Android rose 2% to hit 10% usage. macOS use fell by 1% and hit 17%.
"When we see more adoption and more use of mobile devices, we might see an ergonomic trend," says Nather about the popularity of Apple devices. "When users have a choice of which device to use for a particular task, this is what they tend to choose."
Android led in outdated devices; 58% weren't running the latest security update. Overall, operating systems are more up to date in 2019 than in 2018, but Android continues to be the least updated, followed by macOS (51%), Chrome OS (39%) and iOS (38%).
Google Chrome is the most popular corporate web browser; Internet Explorer comes in last. A zero day in Chrome discovered in March 2019 motivated businesses to improve browser security. After the disclosure, Duo saw a 30x increase in denied approvals and a 79% increase in policies restricting access to data and applications from the latest browser versions.
"What this says to me is that organizations use this as a part of their event response process," says Nather. "They were protecting themselves even though they couldn't control devices and said everyone had to update. It's a great step forward in giving back control to CISOs."
Microsoft Edge is the most outdated browser, with 73% of the devices running an outdated version. Internet Explorer is the most updated browser, but since the latest version of IE was released in 2013, businesses that still rely on it should consider switching to another browser. Yet, as Nather points out, IE remains a "supporter" in many organizations.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cyber security news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …