Duo Security, a cloud-based trusted access provider protecting the world’s largest and fastest-growing companies, has analysed data from over two million devices used by businesses around the world to determine the general security health of devices in the enterprise. Most concerning of the findings is that 25 percent of all Windows devices are running outdated and unsupported versions of Internet Explorer, which leaves those unpatched systems open to more than 700 vulnerabilities.
Duo research also reveals that 72 percent of Java users are running an out-of-date version, compared to 60 percent who have an outdated version of Flash. This is worrying as Flash and Java are notorious targets, used by attackers in exploit kits to gain access to users’ machines. Duo research indicates that users still run outdated software, Flash, and Java on devices used to access company applications, putting entire organisations at risk of data breaches.
Duo’s data analysis found that Mac users are more up to date than Windows users when it comes to operating systems. Fifty-three percent of Apple users are running either the fully patched, latest version of OS X, or the previous version, compared to 35 percent of Windows users on Windows 10 and 8.1. Apple users may be more likely to update their operating systems because these updates have been known to be quite stable. In addition, new OS X versions are free and heavily promoted by Apple.
While the full findings[1] are concerning, mitigating these issues at an enterprise level is manageable with basic security solutions and endpoint visibility in place. “Organisations need visibility into the health of all devices accessing their business applications,” said Mike Hanley, Director of Duo Labs. “Each of these outdated devices poses a significant risk to a company. Visibility and insight will help better protect organisations against breaches.”
Duo Security recommends these steps to strengthen an organisation’s security hygiene:
- Embrace the Bring Your Own Device (BYOD) trend and prepare for it by providing IT administrators with actionable data on device ownership and health to enable risk-based access control decisions.
- Enable automatic updates for as much software as possible instead of relying on employees to manually install updates.
- Switch to Google Chrome browsers in your organisation. Chrome receives automatic and frequent updates.
- Disable Java and prevent Flash from running automatically on corporate devices.
- Use a Trusted Access solution with both two-factor authentication and endpoint visibility features to verify both users and devices.