Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:00 PM
Connect Directly

Security Snapshot: OS, Authentication, Browser & Cloud Trends

New research shows cloud apps are climbing, SMS authentication is falling, Chrome is the enterprise browser favorite, and Android leads outdated devices.

As cloud and mobile adoption skyrocket, businesses seek new and stronger ways to protect applications and data. In some ways, many have grown smarter about data access and security. In others, research shows they still have some work to do.

The 2019 Duo Trusted Access Report amasses data from 24 million devices, 1 million applications and services, and 500 million authentications across North America and Western Europe to unearth trends in technology and cybersecurity. Its findings show a rise in Windows 10, greater biometric adoption, and an increasingly mobile workforce reliant on cloud. But researchers also found businesses running outdated operating systems and popular browsers.

Application integration is up across most key categories. The number of customers per cloud app is up 189% year-over-year, and the number of authentications per customer per app is up 56%. Remote access rose 89% as more people work outside the office but still need application access: Nearly half (45%) of requests for protected apps came from outside the organization.

The massive spike in cloud applications means any given employee has at least two or three cloud apps they use to do their jobs, says Wolfgang Goerlich, advisory CISO for Duo Security. "It was a big explosion of shadow IT," he adds. "It really got away from a lot of the organizations." Some people often use the same applications for personal and business use, driving the need for businesses to enforce their security policies for cloud-based applications and resources.

Inside Authentication Trends

SMS-based authentication has continued to fall. Less than 3% of businesses use SMS authentication in 2019, compared with 6% to 8% in 2016. At the same time, biometric authentication saw its fourth year of growth: 77% of devices scanned have configured biometrics including Apple Touch ID and Face ID, Android fingerprint scan, and Windows Hello.

"It's good to see where people have alternatives, they're using less direct SMS authentication," says Wendy Nather, director of advisory CISOs at Duo Security. While most businesses (68%) surveyed rely on Duo Push for primary authentication — researchers scanned Duo customers to collect their data — she notes it's interesting to look at secondary methods across industries.

The profiles and percentages of authentication methods tend to vary across different verticals depending on the circumstances, Nather continues. Heavily regulated areas such as the federal government are more likely to use a hardware token to establish trust, while phone calls are common among healthcare, higher education, and non-federal government organizations.

Hardware tokens are "generally still seen in high-discipline environments, where the risk case makes sense and where they can afford it," she explains, pointing to government and finance. Healthcare's reliance on phone calls "has a lot to do with the situation in healthcare institutions and clinics," she adds. "From a logistics point of view, it's easier for a doctor or nurse on staff to pick up a phone line rather than try to fumble for any number of mobile phones."

Businesses are tightening control on access from specific places. At least 3 million authentications have been denied in 2019 due to location restrictions, and 178 countries have denied access. The top five restricted locations are China, Russia, United States, India, and France. Duo says the US is the third most restricted location due to companies based outside the US not allowing authentication outside their home country.

More than half (51%) of companies using Duo have blocked at least one authentication from a restricted location. Other common enterprise policies include requiring users to have a screen lock (27%), disk encryption (22%), and disallowing access from anonymous IP addresses (20%).

OS and Browsers: Windows 10 Grows, Android Outdated

Since 2017, Windows 10 has grown from 48% to 66% adoption as Windows 7 has fallen from 44% to 29%. While Windows 7 is declining overall, some industries are still hanging on. Those fastest to adopt Windows 10 are wholesale and distribution (86%), business services (80%), and nonprofits (70%). Those still mostly relying on Windows 7 include transportation and storage (62%), computer and electronics (54%), and healthcare organizations (52%).

As work goes mobile, it's shifting the balance for OS popularity: Windows remains the dominant enterprise OS, but its usage fell 8% year-over-year to hit 47%. In the same time frame, iOS usage jumped 7% to hit 23%, and Android rose 2% to hit 10% usage. MacOS use fell by 1%, hitting 17%.

"When we see more adoption and more use of mobile devices, we may be seeing an ergonomic trend," Nather says of Apple device popularity. "When users have a choice of what device they're going to use on a particular task, this is what they tend to pick."

Android was the leader for out-of-date devices; 58% are not running the latest security patch. Overall, operating systems are more frequently updated in 2019 than in 2018, but Android continues to be the least updated, followed by macOS (51%), Chrome OS (39%), and iOS (38%).

Google Chrome is the most popular enterprise browser; Internet Explorer comes in last. A Chrome zero-day discovered in March 2019 has motivated businesses to improve browser security. Following its disclosure, Duo saw a 30x increase in denied authentications and 79% increase in policies limiting access to data and applications from the latest browser versions.

"What this says to me is organizations are using this as part of their incident response process," says Nather. "They were protecting themselves even if they couldn't control devices, and saying everyone has to update. It's a great step forward in terms of giving control back to CISOs."

Microsoft Edge is the most out-of-date browser, with 73% of devices running an outdated version. Internet Explorer is the most up-to-date version; however, since the latest version of IE was released in 2013, businesses still relying on it should consider switching to another browser. Still, as Nather points out, IE remains a "mainstay" in many organizations.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.