Businesses worldwide are gaining control of previously unmonitored and unsupported cloud applications and devices, known as shadow IT, that lurk in their IT environments, according to the 2019 Duo Trusted Access Report.
The average number of organisations protecting cloud apps with Duo surged 189% year-over-year, indicating that enterprises are catching up with the explosion of cloud use and shadow IT in the workplace. In addition, the frequency of out-of-date devices has dropped precipitously, hardening organisations against malware.
Published today by Cisco’s Duo Security, the fourth annual Duo Trusted Access Report analyses the security state of thousands of the world’s largest and fastest-growing organisations.
The report examines 24 million devices used for work and half-a-billion user access requests per month to more than 1 million corporate applications and resources that Duo protects, based on de-identified and aggregated data from Duo’s 15,000 customers.
Soaring cloud and mobile use has resulted in 45% of requests to access protected apps coming from outside business walls, according to Duo data. To reduce the risk of breach amid this shift, organisations of all sizes are enforcing security controls that establish user and device trust before granting access to applications, known as zero-trust security for the workforce.
These include strengthening user authentication, requiring screenlocks and disc encryption, disallowing devices with out-of-date browsers and operating systems, or blocking anonymous IP addresses, among other steps. Organisations are even using zero-trust tactics to quickly mitigate threats posed by zero-day vulnerabilities.
“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, Head of Advisory CISOs at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organisations to adapt quickly to pending threats.”
Report highlights also include:
Your workforce is now mobile – A third of all work is now done on a mobile device, a 10% increase year-over-year. Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities.
Passwords… the end is nigh! Organisations are increasingly adopting the use of biometric sensors to verify user identity, paving the way for a passwordless future. A total of 77% of mobile devices used in business have biometrics configured, a 10% increase over the past four years.
Not today, zero-day – In March 2019, Google discovered a zero-day vulnerability in its Chrome web browser that could allow an attacker to compromise major operating systems. Google quickly released a patch, which required users to update Chrome to the latest version. Subsequently, Duo saw a 79% increase in the number of customers who blocked access to data and applications from out-of-date browsers, thereby protecting themselves from the vulnerability until users updated Chrome.
Apple eats away at Windows; Chrome reigns – Together, Mac OS and iOS now comprise 40% of the devices used for work, while Windows’ share of devices dropped 8% from the year prior. On the browser side, Chrome makes up 48% of business browser share, an 8% increase year-over-year, resulting in stronger security hygiene overall for organisations.
An update a day keeps the hacker at bay – While Android devices continue to be the most frequently out-of-date, overall, out-of-date devices across all operating systems have dropped precipitously in the past year, making them less susceptible to malware and improving organisational security health.
Healthcare slow to adopt Windows 10 – The Windows-dominated sector has 56% of Windows devices still running an outdated operating system. Healthcare uses internet-connected devices and software that aren’t always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry.
SMS authentication extinct? Enterprises are well-aware of the security risks posed by SMS-based MFA. SMS passcode comprises only 2.8% of total Duo user authentications, compared to 68% for Duo Push. Heavily regulated industries, such as Federal Government, overwhelmingly prefer traditional hardware tokens because of regulatory requirements.
These are just a few of the highlights in the Duo Trusted Access Report, there are many more. To download the full report, please visit https://duo.sc/tar-2019.