Skip navigation

Duo News & Press

All things Duo from our press room, blog and around the Web

Press Release
June 5th, 2017

New Study from Duo Finds Millions of Devices Running Out-of-Date Systems, Despite Latest High-Profile Breaches

On a positive note, research also shows Windows 10 adoption has doubled since 2016 to 31% of endpoints running the latest version of the operating system

Findings highlight the importance of updating and patching to stay ahead of latest exploits

ANN ARBOR, Mich. -- June 5, 2017 -- Duo Security, the world’s leading cloud-based Trusted Access provider, today released The 2017 Duo Trusted Access Report, analyzing the security health of 4.6 million endpoint devices, including 3.5 million mobile phones across multiple industries and geographic regions.

With increased adoption of cloud services and mobile devices, enterprises no longer have distinct boundaries defined by inside and outside the firewall, making the health of devices connecting to their network more critical than ever to protect against new security threats.

To review all findings and learn what you can do to mitigate risks associated with the new enterprise IT model, read the full 2017 Duo Trusted Access Report here:

To measure the state of device security health, the report analyzes top indicators including out-of-date operating systems, browsers and plugins that make endpoints more susceptible to vulnerabilities, as well as security features mobile devices have enabled.

Also, for the first time, the report highlights the latest data from Duo’s simulated phishing assessments. Phishing is one of the easiest and most effective ways for attackers to steal user credentials, exploit out-of-date software, and gain access to enterprise applications.

Key sections and highlights of the report include:

Overall Device Security Health
  • Improvement for Microsoft operating systems (OS): 31% of endpoints are running the latest OS version, Windows 10, compared to 15% in 2016. Enterprises are slowly migrating to the most up-to-date and secure version two years after its release

  • However, 13% of endpoints are browsing dangerously on an unsupported version of the Internet Explorer browser that is no longer receiving security updates that patch known vulnerabilities.

Mobile Security Health
  • Only 27% of Android phones are running the latest major OS version, compared to 73% of iPhones operating on iOS 10 or above. This stark difference is likely linked to many Android devices being beholden to both manufacturers and carriers to roll out updates, which can slow down the time to patch.
UK and EMEA Security Health
  • Compared to North America, EMEA (Europe, Middle East and Africa) countries are slightly more up to date. In EMEA, 40% of endpoints are running the latest version, Windows 10, compared to 31% in North America. In the United Kingdom, 37% of endpoints are running Windows 10, compared to 31% overall.
Industry-Specific Security Health
  • The technology industry has the highest number of endpoints running the Windows 10 operating system (OS) at 87%, while the healthcare and machinery industries fall in the bottom with only 16% and 6% of endpoints respectively using the latest OS.

  • Healthcare industry data reveals 76% of endpoints are running Windows 7 - an 8-year-old operating system - which is much higher than the 59% average of all other endpoints. Worse still, the percentage of healthcare endpoints running Windows XP has increased from 2% to 3%, which is higher than the 1% of overall endpoints. This is troubling to see, as Microsoft ended security support for Windows XP in 2014, and continuing to run the OS could run afoul of the HIPAA risk management requirements.

  • The biotech industry comes in last for mobile security features, with the lowest amount of mobile devices with screen lock or encryption enabled, meaning they lack mobile device security.

Phishing on the Rise

Duo’s analysis of 3,575 simulated phishing campaigns conducted in the past 12 months from Duo Insight, with more than 80,000 recipients, found that 62% of campaigns captured at least one credential and 68% had at least one out-of-date device.

  • 44% of recipients opened the email and 25% of recipients clicked the link.
  • 13% of recipients entered their credentials (username and password).
  • 13% of recipients use out-of-date browsers and 17% are running out-of-date operating systems

A quarter of recipients clicking the link in the email means that they could have potentially visited a malicious website, putting their devices at risk. Since the majority of recipients are using out-of-date devices to open phishing emails, this also puts users at higher risk of getting compromised by an attacker using known vulnerabilities.

Mike Hanley, Sr. Director of Security for Duo explained, “As underlined from many of the latest headline breaches, unpatched, out-of-date software, systems and servers are prime targets for attackers armed with known vulnerabilities and malware. The 2017 Trusted Access Report shows that while we’re making progress in some areas like Windows 10 adoption, there is still much room for improvement across the board.”

To download the full 2017 Trusted Access Report, please visit:

About Duo Security

Duo Security is a cloud-based Trusted Access provider protecting thousands of the world’s largest and fastest-growing organizations, including Dresser-Rand Group, Etsy, Facebook, K-Swiss, Paramount Pictures, Random House, SuddenLink, Toyota, Yelp, Zillow and more. Duo Security’s innovative and easy-to-use technology can be quickly deployed to protect users, data and applications from breaches, credential theft and account takeover. The Ann Arbor, Michigan-based company also has offices in San Mateo, California; Austin, Texas and London. Duo Security is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures and True Ventures. Try it for free at

Media Contact
  • North America Meredith Corley and Jordan Fylonenko Duo Security
  • UK/EMEA Kirsten Scott and Barry Salmon Duo Security