The rapid, and in some cases permanent, shift to remote work forced organizations to swiftly adopt cloud services and rethink how they protect corporate data. Researchers report spikes in cloud application authentication, devices with biometrics enabled, and device-based policies.
Dave Lewis, global advisory CISO for Cisco's Duo Security, elaborates on shifts in organizations' authentication choices. More than 80% of active customer devices have biometrics enabled, and total devices with biometrics rose 64%. At the same time, the number of companies with policies to disallow SMS-based authentication increased by 7.4%, marking an 85% increase in the number of businesses banning SMS as an authentication method between 2019 and 2020.
"It's definitely been a push this year, and I think a lot of that is driven out of the fact that we have so many organizations being remote now and for the foreseeable future – for the next year or so at least – and they're taking time to reassess where they are," Lewis explains. CISOs have shifted away from static passwords, towards multifactor authentication and biometrics.
Some security leaders face groups of employees who push back, he notes, but often these challenges fade once people start using new forms of authentication.
"A lot of the CISOs are saying the big problems are not deploying MFA, but deploying it across the enterprise," Lewis says. "There are multiple aspects to every enterprise that we have to take into consideration, different business units, and navigating that internally and trying to win over allies within the business is where they have to spend more time to win support."
The pandemic also drove a surge in cloud adoption, an initiative most businesses had begun but were forced to accelerate. Researchers found the average number of daily authentications to cloud apps jumped 40%, an increase at least partly driven by the pandemic. Organizations had little time to reach that level of maturity and consolidate and streamline their operations.
Part of this consolidation involves bringing together services across geographies, Lewis says. Many businesses have a global footprint and a support structure broken down by location, so, for example, each country has its own email support system. Now they want to implement a single approach across the board so they don't have "a disparate hodgepodge of systems" cobbled together under one banner, he adds.
Buckling Down on Updating Remote Devices
During the first three weeks of March, authentication failures due to outdated devices grew 90.5%, according to the annual Duo Trusted Access Report. Many users accessed corporate data and applications from their own unmanaged devices during the initial shift to remote work; if their devices hadn't been updated recently, they were more likely to fall outside corporate policy.
The corporate device policies that most commonly led to failed logins were location-restricted (29.7%), invalid device (22.6%), out-of-date device (14.8%), and no screen lock (9.6%). Most often, restricted countries were Russia (70%), China (68%), North Korea (42%), and Iran (37%).
A closer look at the types of devices people used this year revealed interesting trends. At the top was Windows (59%), followed by OS X (23.5%), iOS (11.4%), Android (3.7%), and Linux (1.2%). iOS was the most popular on mobile (69.9%), followed by Android (30%). Researchers note 10% of Windows businesses still use Windows 7, despite its end of life in January 2020.
Windows 7 usage varies by industry. Healthcare has more than 30% of Windows devices using the outdated OS; the transportation sector has 37%. Industries such as telecom, business, technology, and computers and electronics report more than 90% of devices run Windows 10.
The differences are visible on a broader level as well: Industries with the most up-to-date devices include computers and electronics (72.1% updated), technology (67.1%), business services (65.5%), IT services (65.4%), and agriculture and mining (64.1%). Those with the most out-of-date devices include transportation and storage (49.3%), K-12 education (47%), legal services (46.2%), healthcare (45.6%), and higher education (44.5%).
Overall, Lewis points to a "great deal more control" being used across employee devices. CISOs are focused on ensuring device inventory is current, or as close to current as possible, as well as monitoring systems for anomalous behavior. It's not only essential for them to conduct device posture assessments, but to do them with more urgency than they did in the past. Home office security varies from house to house, and most people don't secure home networks, he adds.
"Your perimeter used to be the firewall and the moat and the castle walls. It's really now about anywhere an access decision can be made," Lewis explains. Now, those decisions are being made on networks that aren't as secure as their previous corporate environment, and IT security pros are responding by taking a closer look at device activity, policies, and restrictions.