Press Release
July 16th, 2019

Dragged Into the Light: Duo Security Report Reveals Businesses Gaining Control of Shadow IT

- Analysis of millions of users, devices and apps shows organizations implementing zero-trust principles to secure skyrocketing cloud and mobile use -

- Biometrics configured on 77 percent of devices, paving the way for passwordless login -

- One third of all work is now done on a mobile device -

ANN ARBOR, Mich., July 16, 2019 - Businesses worldwide are gaining control of previously unmonitored and unsupported cloud applications and devices, known as shadow IT, that lurk in their IT environments, according to the 2019 Duo Trusted Access Report. The average number of organizations protecting cloud apps with Duo surged 189 percent year-over-year, indicating that enterprises are catching up with the explosion of cloud use and shadow IT in the workplace. In addition, the frequency of out-of-date devices has dropped precipitously, hardening organizations against malware as a result.

Published today by Cisco’s Duo Security, the fourth annual Duo Trusted Access Report analyzes the security state of thousands of the world’s largest and fastest-growing organizations. The report examines 24 million devices used for work and half a billion user access requests per month to more than 1 million corporate applications and resources that Duo protects, based on de-identified and aggregated data from Duo’s 15,000 customers.

Soaring cloud and mobile use has resulted in 45 percent of requests to access protected apps coming from outside business walls, according to Duo data. To reduce the risk of breach amid this shift, organizations of all sizes are enforcing security controls that establish user and device trust before granting access to applications, known as zero-trust security for the workforce. These include strengthening user authentication, requiring screenlocks and disk encryption, disallowing devices with out-of-date browsers and operating systems, or blocking anonymous IP addresses, among other steps. Organizations are even using zero-trust tactics to quickly mitigate threats posed by zero-day vulnerabilities.

“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, Head of Advisory CISOs at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”

Report highlights also include:

  • Your workforce is now mobile - A third of all work is now done on a mobile device, a 10 percent increase year-over-year. Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities.

  • Passwords... the end is nigh! - Organizations are increasingly adopting the use of biometric sensors to verify user identity, paving the way for a passwordless future. 77 percent of mobile devices used in business have biometrics configured, a 10 percent increase over the past four years.

  • Not today, zero-day - In March 2019, Google discovered a zero-day vulnerability in its Chrome web browser that could allow an attacker to compromise major operating systems. Google quickly released a patch, which required users to update Chrome to the latest version. Subsequently, Duo saw a 79 percent increase in the number of customers who blocked access to data and applications from out-of-date browsers, thereby protecting themselves from the vulnerability until users updated Chrome.

  • Apple eats away at Windows; Chrome reigns - Together, Mac OS and iOS now comprise 40 percent of the devices used for work, while Windows’ share of devices dropped 8 percent from the year prior. On the browser side, Chrome makes up 48 percent of business browser share, an 8 percent increase year-over-year, resulting in stronger security hygiene overall for organizations.

  • An update a day keeps the hacker at bay - While Android devices continue to be the most frequently out-of-date, overall, out-of-date devices across all operating systems have dropped precipitously in the past year, making them less susceptible to malware and improving organizational security health.

  • Healthcare slow to adopt Windows 10 - The Windows-dominated sector has 56 percent of Windows devices still running an outdated operating system. Healthcare organizations use internet-connected devices and software that aren’t always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry.

  • SMS authentication extinct? - Enterprises are well aware of the security risks posed by SMS-based MFA. SMS passcodes comprise only 2.8 percent of total Duo user authentications, compared to 68 percent for Duo Push. Heavily regulated industries, such as Federal Government, overwhelmingly prefer traditional hardware tokens because of regulatory requirements.

These are just a few of the highlights in the Duo Trusted Access Report - there are many more. To download the full report, please visit duo.sc/tar-2019.

About Duo Security

Duo Security, now part of Cisco, is the leading multi-factor authentication (MFA) and Zero Trust for the Workforce provider. Duo's zero-trust security platform, Duo Beyond, enables organizations to provide secure access to all of their critical applications - for any user, from anywhere, and with any device. Duo is a trusted partner to more than 15,000 customers globally, including Dresser-Rand, Etsy, Facebook, Paramount Pictures, Random House, Zillow and more. Founded in Ann Arbor, Michigan, Duo has offices in growing hubs in Detroit; Austin, Texas; San Francisco, California; and London. Visit Duo.com to find out more.