Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:00 PM
Connect Directly

Security Snapshot: OS, Authentication, Browser & Cloud Trends

New research shows cloud apps are climbing, SMS authentication is falling, Chrome is the enterprise browser favorite, and Android leads outdated devices.

As cloud and mobile adoption skyrocket, businesses seek new and stronger ways to protect applications and data. In some ways, many have grown smarter about data access and security. In others, research shows they still have some work to do.

The 2019 Duo Trusted Access Report amasses data from 24 million devices, 1 million applications and services, and 500 million authentications across North America and Western Europe to unearth trends in technology and cybersecurity. Its findings show a rise in Windows 10, greater biometric adoption, and an increasingly mobile workforce reliant on cloud. But researchers also found businesses running outdated operating systems and popular browsers.

Application integration is up across most key categories. The number of customers per cloud app is up 189% year-over-year, and the number of authentications per customer per app is up 56%. Remote access rose 89% as more people work outside the office but still need application access: Nearly half (45%) of requests for protected apps came from outside the organization.

The massive spike in cloud applications means any given employee has at least two or three cloud apps they use to do their jobs, says Wolfgang Goerlich, advisory CISO for Duo Security. "It was a big explosion of shadow IT," he adds. "It really got away from a lot of the organizations." Some people often use the same applications for personal and business use, driving the need for businesses to enforce their security policies for cloud-based applications and resources.

Inside Authentication Trends

SMS-based authentication has continued to fall. Less than 3% of businesses use SMS authentication in 2019, compared with 6% to 8% in 2016. At the same time, biometric authentication saw its fourth year of growth: 77% of devices scanned have configured biometrics including Apple Touch ID and Face ID, Android fingerprint scan, and Windows Hello.

"It's good to see where people have alternatives, they're using less direct SMS authentication," says Wendy Nather, director of advisory CISOs at Duo Security. While most businesses (68%) surveyed rely on Duo Push for primary authentication — researchers scanned Duo customers to collect their data — she notes it's interesting to look at secondary methods across industries.

The profiles and percentages of authentication methods tend to vary across different verticals depending on the circumstances, Nather continues. Heavily regulated areas such as the federal government are more likely to use a hardware token to establish trust, while phone calls are common among healthcare, higher education, and non-federal government organizations.

Hardware tokens are "generally still seen in high-discipline environments, where the risk case makes sense and where they can afford it," she explains, pointing to government and finance. Healthcare's reliance on phone calls "has a lot to do with the situation in healthcare institutions and clinics," she adds. "From a logistics point of view, it's easier for a doctor or nurse on staff to pick up a phone line rather than try to fumble for any number of mobile phones."

Businesses are tightening control on access from specific places. At least 3 million authentications have been denied in 2019 due to location restrictions, and 178 countries have denied access. The top five restricted locations are China, Russia, United States, India, and France. Duo says the US is the third most restricted location due to companies based outside the US not allowing authentication outside their home country.

More than half (51%) of companies using Duo have blocked at least one authentication from a restricted location. Other common enterprise policies include requiring users to have a screen lock (27%), disk encryption (22%), and disallowing access from anonymous IP addresses (20%).

OS and Browsers: Windows 10 Grows, Android Outdated

Since 2017, Windows 10 has grown from 48% to 66% adoption as Windows 7 has fallen from 44% to 29%. While Windows 7 is declining overall, some industries are still hanging on. Those fastest to adopt Windows 10 are wholesale and distribution (86%), business services (80%), and nonprofits (70%). Those still mostly relying on Windows 7 include transportation and storage (62%), computer and electronics (54%), and healthcare organizations (52%).

As work goes mobile, it's shifting the balance for OS popularity: Windows remains the dominant enterprise OS, but its usage fell 8% year-over-year to hit 47%. In the same time frame, iOS usage jumped 7% to hit 23%, and Android rose 2% to hit 10% usage. MacOS use fell by 1%, hitting 17%.

"When we see more adoption and more use of mobile devices, we may be seeing an ergonomic trend," Nather says of Apple device popularity. "When users have a choice of what device they're going to use on a particular task, this is what they tend to pick."

Android was the leader for out-of-date devices; 58% are not running the latest security patch. Overall, operating systems are more frequently updated in 2019 than in 2018, but Android continues to be the least updated, followed by macOS (51%), Chrome OS (39%), and iOS (38%).

Google Chrome is the most popular enterprise browser; Internet Explorer comes in last. A Chrome zero-day discovered in March 2019 has motivated businesses to improve browser security. Following its disclosure, Duo saw a 30x increase in denied authentications and 79% increase in policies limiting access to data and applications from the latest browser versions.

"What this says to me is organizations are using this as part of their incident response process," says Nather. "They were protecting themselves even if they couldn't control devices, and saying everyone has to update. It's a great step forward in terms of giving control back to CISOs."

Microsoft Edge is the most out-of-date browser, with 73% of devices running an outdated version. Internet Explorer is the most up-to-date version; however, since the latest version of IE was released in 2013, businesses still relying on it should consider switching to another browser. Still, as Nather points out, IE remains a "mainstay" in many organizations.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.