New report from Ann Arbor’s Duo Security drags ‘shadow IT’ into the light

ANN ARBOR—Businesses worldwide are gaining control of previously unmonitored and unsupported cloud applications and devices, known as shadow IT, that lurk in their IT environments, according to the 2019 Duo Trusted Access Report.

The average number of organizations protecting cloud apps with Duo surged 189 percent year-over-year, indicating that enterprises are catching up with the explosion of cloud use and shadow IT in the workplace. In addition, the frequency of out-of-date devices has dropped precipitously, hardening organizations against malware as a result.

Published Tuesday, July 16 by Ann Arbor-based Duo Security, now a subsidiary of Cisco Systems Inc., the fourth annual Duo Trusted Access Report analyzes the security state of thousands of the world’s largest and fastest-growing organizations. The report examines 24 million devices used for work and half-a-billion user access requests per month to more than 1 million corporate applications and resources that Duo protects, based on de-identified and aggregated data from Duo’s 15,000 customers.

Soaring cloud and mobile use has resulted in 45 percent of requests to access protected apps coming from outside business walls, according to Duo data. To reduce the risk of breach amid this shift, organizations of all sizes are enforcing security controls that establish user and device trust before granting access to applications, known as zero-trust security for the workforce. These include strengthening user authentication, requiring screenlocks and disc encryption, disallowing devices with out-of-date browsers and operating systems, or blocking anonymous IP addresses, among other steps. Organizations are even using zero-trust tactics to quickly mitigate threats posed by zero-day vulnerabilities.

“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, head of advisory chief information security officers at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”

Report highlights also include:

Your workforce is now mobile: A third of all work is now done on a mobile device, a 10 percent increase year-over-year. Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities.

Passwords… the end is nigh!: Organizations are increasingly adopting the use of biometric sensors to verify user identity, paving the way for a password-less future. 77 percent of mobile devices used in business have biometrics configured, a 10 percent increase over the past four years.

Not today, zero-day: In March 2019, Google discovered a zero-day vulnerability in its Chrome web browser that could allow an attacker to compromise major operating systems. Google quickly released a patch, which required users to update Chrome to the latest version. Subsequently, Duo saw a 79 percent increase in the number of customers who blocked access to data and applications from out-of-date browsers, thereby protecting themselves from the vulnerability until users updated Chrome.

Apple eats away at Windows; Chrome reigns: Together, Mac OS and iOS now comprise 40 percent of the devices used for work, while Windows’ share of devices dropped 8 percent from the year prior. On the browser side, Chrome makes up 48 percent of business browser share, an 8 percent increase year-over-year, resulting in stronger security hygiene overall for organizations.

An update a day keeps the hacker at bay: While Android devices continue to be the most frequently out-of-date, overall, out-of-date devices across all operating systems have dropped precipitously in the past year, making them less susceptible to malware and improving organizational security health.

Healthcare slow to adopt Windows 10: The Windows-dominated sector has 56 percent of Windows devices still running an outdated operating system. Healthcare organizations use internet-connected devices and software that aren’t always designed or updated by vendors to run the latest Windows OS, leaving them more vulnerable to malware such as WannaCry.

SMS authentication extinct?: Enterprises are well-aware of the security risks posed by SMS-based MFA. SMS passcode comprises only 2.8 percent of total Duo user authentications, compared to 68 percent for Duo Push. Heavily regulated industries, such as Federal Government, overwhelmingly prefer traditional hardware tokens because of regulatory requirements.

These are just a few of the highlights in the Duo Trusted Access Report – there are many more. To download the full report, please visit

San Jose, Calif.-based networking giant Cisco announced the purchase of Duo in August 2018 at a price of $2.35 billion. Duo was founded in 2010 by Dug Song and Jonathan Oberheide and raised $121 million in venture capital while a private company. Duo has more than 700 employees and annual revenue estimated at $113 million, according to the company profiling website

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.