Published today by Cisco’s Duo Security, the fourth annual Duo Trusted Access Report analyzes the security state of thousands of the world’s largest and fastest-growing organizations. The report examines 24 million devices used for work and half-a-billion user access requests per month to more than 1 million corporate applications and resources that Duo protects, based on de-identified and aggregated data from Duo’s 15,000 customers.
Soaring cloud and mobile use has resulted in 45 percent of requests to access protected apps coming from outside business walls, according to Duo data. To reduce the risk of breach amid this shift, organizations of all sizes are enforcing security controls that establish user and device trust before granting access to applications, known as zero-trust security for the workforce. These include strengthening user authentication, requiring screenlocks and disc encryption, disallowing devices with out-of-date browsers and operating systems, or blocking anonymous IP addresses, among other steps. Organizations are even using zero-trust tactics to quickly mitigate threats posed by zero-day vulnerabilities.
“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, Head of Advisory CISOs at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”
Report highlights also include:
Your workforce is now mobile - A third of all work is now done on a mobile device, a 10 percent increase year-over-year. Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities.
Passwords... the end is nigh! Organizations are increasingly adopting the use of biometric sensors to verify user identity, paving the way for a passwordless future. 77 percent of mobile devices used in business have biometrics configured, a 10 percent increase over the past four years.
Not today, zero-day - In March 2019, Google discovered a zero-day vulnerability in its Chrome web browser that could allow an attacker to compromise major operating systems. Google quickly released a patch, which required users to update Chrome to the latest version. Subsequently, Duo saw a 79 percent increase in the number of customers who blocked access to data and applications from out-of-date browsers, thereby protecting themselves from the vulnerability until users updated Chrome.
Apple eats away at Windows; Chrome reigns - Together, Mac OS and iOS now comprise 40 percent of the devices used for work, while Windows’ share of devices dropped 8 percent from the year prior. On the browser side, Chrome makes up 48 percent of business browser share, an 8 percent increase year-over-year, resulting in stronger security hygiene overall for organizations.
An update a day keeps the hacker at bay - While Android devices continue to be the most frequently out-of-date, overall, out-of-date devices across all operating systems have dropped precipitously in the past year, making them less susceptible to malware and improving organizational security health.
Healthcare slow to adopt Windows 10 - The Windows-dominated sector has 56 percent of Windows devices still running an outdated operating system. Healthcare uses internet-connected devices and software that aren’t always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry.
SMS authentication extinct? Enterprises are well-aware of the security risks posed by SMS-based MFA. SMS passcode comprises only 2.8 percent of total Duo user authentications, compared to 68 percent for Duo Push. Heavily regulated industries, such as Federal Government, overwhelmingly prefer traditional hardware tokens because of regulatory requirements.