The latest Okta Businesses at Work Report, marking a decade since its first edition, dives deep into the changing tides of technology adoption, security trends, and digital workplace strategies worldwide. Examining the business landscape’s transformation through data from thousands of companies, Okta’s 2025 report is both a retrospective and a spotlight on current challenges—with clear implications for organizations managing sprawling application ecosystems.
Source: www.scworld.com Who's using what: Results from the 2025 Okta Businesses at Work report
A Decade of Digital Disruption: Familiar Apps, New Champions
When Okta released its first Businesses at Work report in 2015, the modern workplace was rapidly digitizing but had yet to see the full impact of cloud computing, remote work, and mobile-first adoption. Ten years later, the business software landscape is both dramatically changed and surprisingly stable in some respects. Microsoft 365 (formerly Office 365) remains the unrivaled leader in workplace applications, a testament to both its staying power and relentless innovation. Google Workspace’s ascent from fourth to second highlights how strong integrations and ease of collaboration are increasingly valued by modern organizations, even as bundled rivals like Salesforce and Amazon Web Services climb the charts in their respective niches.
Yet, the Okta dataset reveals an important point: while the biggest names hold their ground, the middle tier of widely-used business applications is remarkably fluid. Former stars like Box, Dropbox, and SAP Concur have faded from the top rankings, replaced by collaboration dynamos like Slack, Zoom, and the Atlassian suite (Confluence, Jira, Bitbucket, Trello, etc.). The emergence of these new players reflects not only shifting preference but the need for companies to build interconnected, best-of-breed toolsets rather than rely purely on one vendor’s ecosystem.
The Security Software Surge: Tripling Down on Protection
One of the most striking changes in 2024’s top application list is the newfound dominance of security solutions. While not a single security app cracked the top 15 back in 2015, three hold prominent positions today: KnowBe4 (a phishing awareness and training leader), Jamf Pro (Apple device management), and Palo Alto Networks’ platform (encompassing VPN, secure access, and identity management). This shift isn’t just headline fodder—it quantifies the industry’s all-hands effort to counter a broad rise in cyber threats, regulatory requirements, and remote-work vulnerabilities.
The 100-Application Milestone: Growth by Necessity or Neglect?
Breaking a symbolic ceiling, the average Okta client organization now juggles 101 applications, up from the low 90s a few years prior. The upward trend, while modest, underscores the increasing complexity that CIOs and IT admins must manage—and highlights the risk of “app sprawl.” More software can mean more silos, more endpoints, and more ways for critical data to leak or be attacked. For IT and security leaders, the message is clear: robust identity and access management is no longer a luxury, it’s a necessity.
But is that burgeoning portfolio a sign of healthy choice, or the byproduct of poor governance? The answer seems to be both. Okta data shows organizations often license standalone best-of-breed apps even when similar tools are already included in their bundles—an approach Okta dubs “multi-stop shopping.” For users, this can mean the right tool for the right job. For finance and operational teams, it can mean mounting costs, overlapping licenses, and a labyrinthine app landscape.
Compliance and Security: Fastest-Growing Applications
No report on B2B technology is complete without a look at fast movers. In Okta’s 2025 edition, four of the ten fastest-growing apps are compliance or security-related: Vanta (compliance), Bitwarden (password management), Tailscale (VPN), and Drata (compliance). Vanta’s 72% year-over-year growth is particularly notable, given that regulatory frameworks and third-party audits have become inescapable facts of business.
Password managers’ rise is overdue: Bitwarden’s rapid growth shines a light on both cybersecurity maturation and the inadequacies organizations perceive in the humble password. Similarly, Tailscale’s leap reflects the necessity of secure access for a remote, distributed workforce.
The surprise outlier? Uber. Its 56% year-over-year jump appears to ride on the back of a concerted corporate travel push—a reminder that even digital-first companies have old-fashioned, bricks-and-mortar logistics needs.
Multi-Factor Authentication: Progress With Persistent Weakness
Perhaps the most sobering section of the Okta report centers on multi-factor authentication (MFA) trends. In 2015, “security questions”—an infamously weak second factor—were dominant. While they’ve thankfully dropped to the bottom of the MFA pecking order (No. 10 in 2024), their continued use, along with SMS one-time passcodes (No. 4), voice calls (No. 7), and email codes (No. 8), exposes organizations to preventable phishing and social engineering risks.
More heartening is the rise of Google Authenticator (No. 3), Okta’s own “Verify” products (now No. 1 and No. 2), and WebAuthn/YubiKey hardware (Nos. 6 and 9). These methods, especially those based on open standards, move the needle toward genuine phishing resistance.
Yet the continued prevalence of legacy and weak MFA—often due to compatibility, user resistance, or business priorities—gives attackers a broad attack surface to exploit. It’s a lesson in the inertia of large organizations: changing authentication habits is as much about culture as it is about technology.
Who Is Buying What? And Why “Multi-Stop Shopping” Keeps Winning
A recurring narrative in the report is the apparent contradiction between market intuition and observed behavior around software consolidation. In theory, businesses should be driving toward streamlined, all-in-one “platformization” to save money and simplify support. In practice, just the opposite appears true: organizations (especially those with resources) opt for best-in-class point solutions, even where bundle overlap exists.
Half of Okta’s clients with Microsoft 365 also use AWS, despite Azure’s natural integration. Nearly half also opt for Zoom instead of (or in addition to) Teams. 40% license Slack, and 26% stick with Box, sidestepping OneDrive. Perhaps most striking, 48% of organizations using Microsoft 365 also use Google Workspace—a decision that theoretically duplicates office productivity capabilities but actually reinforces collaborative agility.
There’s a potent lesson: critical business functions aren’t “one-size-fits-all,” even in a world of mega-bundles. The price of redundancy appears to be offset by perceived gains in usability, security, and agility.
The Fortune 500 and the App Stack Arms Race
Okta’s data draws a line correlating company size with security investment and tool sophistication. Fortune 500 firms, flush with both budget and critical assets to protect, are far more likely to deploy advanced MFA like Okta Verify FastPass and security keys, with year-over-year growth sharply outpacing that among smaller or younger companies. Startups, on the other hand, were more likely to experience growth in basic factors such as email notifications.
The gap highlights a broader inequality: top-tier firms are pulling away in their ability to harden defenses and respond to new threats—not just technologically, but in terms of employee education and enforcement.
However, even with all this spending, app overlap remains egregious. Fully 73% of Fortune 500 organizations using Microsoft 365 opt to pay for Salesforce, underscoring just how sticky, even indispensable, certain “best of breed” platforms have become.
Surprising Sector Risks: Natural Resources Under Fire
One of the standout findings from the 2025 Businesses at Work Report is the sectoral distribution of malicious authentication attempts. Contrary to stereotype, it’s not banking or pharma that see the most attacks—natural resources industries (energy, mining, oil, and gas) now top the chart, facing 32% of all malicious login attempts identified among Okta clients. With their older infrastructure and previously less robust security postures, these sectors have become magnets for activists and state-sponsored cybercriminals, as Okta points out.
The nonprofit sector is an unexpected runner-up, at 18%—perhaps due to perceived weaker security, or because nonprofits often act as financial intermediaries or handle sensitive donor data. Health and pharmaceutical companies, often assumed to be prime targets, clock in at a relatively meager 1.7%, shifting assumptions about where threat actors see “easy targets.”
More broadly, malicious attempt rates have ticked upwards globally, with the U.S., U.K., Germany, and the Netherlands all breaking the 5% mark. Geopolitical tensions and new digital frontlines have evidently added fuel to the fire.
Compliance Platforms: The Stealth Winners
While collaboration and security apps soak up most of the attention, compliance solutions like Vanta, Drata, and their peers are experiencing rapid growth. With privacy legislation, international standards, and auditor demands becoming ever more stringent, businesses have little choice but to invest in platforms that can automate checks, compile evidence, and demonstrate adherence. That automation is not only a time-saver but, increasingly, a market requirement for doing business cross-border or engaging with sensitive industries.
The Hidden Costs and Risks of App Redundancy
Every year, the Okta report’s data points toward the same conclusion: when companies have a choice, they overwhelmingly opt for “multi-stop shopping.” This means layering best-in-class or user-preferred point solutions on top of bundled suites. The practical upside: teams can work how they want, with the best tools available. The less-obvious consequences are mounting license fees, increased integration headaches, more complex support environments, and, critically, a patchwork of identity and data policies that create new attack vectors.
Organizations need to recognize that the convenience—or necessity—of overlapping tools demands a corresponding elevation in security posture, governance oversight, and data hygiene. Without intentional strategy, “shadow IT” risks mushroom, where well-intentioned users spin up their own tools outside the purview of security teams.
Progress Made, Progress Stalled: Lessons from MFA Adoption
Looking beneath the MFA adoption numbers, it’s clear that progress has been real but uneven. The surge in phish-resistant authentication, like WebAuthn and security keys, is encouraging and a necessary evolution given the sophistication of modern phishing kits. However, the enduring presence of SMS, email codes, and even security questions among the top authentication factors should serve as a wake-up call.
Many organizations, even those aware of the risks, are hamstrung by legacy systems, partner/client requirements, or simple resistance to change. It is a reminder that effective security is as much a human challenge as it is a technological one.
The Nature of Threat: More Attackers, More Targets
Notably, Okta’s data suggests malicious login attempts are both diversifying and intensifying. The traditional financial sector remains a target, but the greatest risk now sits with sectors undervalued for their digital security: energy, mining, and non-profits. This is likely due in part to the broadening capabilities—and ambitions—of ransomware gangs and state-sponsored attackers, but also web-connected operational technologies making previously isolated systems vulnerable.
The take-home point for IT leaders: assume your organization is—if not already, then soon to be—of interest to someone. Prepare accordingly.
Platformization vs. Multi-Stop Shopping: Which Will Prevail?
Despite the drumbeat in the IT press about vendor consolidation, Okta’s data makes one thing clear: enterprises continue to “double dip,” licensing best-of-breed apps even when they have comparable products in their bundles. The argument for platformization remains strong—reduced overhead, simplified procurement, greater integration—but users and departments often demand the features or usability of specialized solutions.
So far, the flexibility of multi-stop shopping is winning out. Yet, as costs climb and regulatory scrutiny increases, we may eventually see a pendulum swing back toward greater consolidation—especially as incumbent platforms improve their integration and innovation pace.
Final Thoughts: Navigating Complexity With Confidence
Okta’s 2025 Businesses at Work Report provides a clear window into the real-world behaviors shaping the digital workplace. It spotlights how entrenched tools persist, how new threats reshape priorities, and how the ideal of streamlined “platformization” is still more myth than reality for most organizations.
If there’s one overarching lesson, it is that agility and security are not mutually exclusive—but achieving both demands transparent governance, visibility into user behavior, and a willingness to reconcile efficiency with end-user satisfaction. The rise of best-in-breed overlaps points to empowered teams and adaptable business models, but brings shadow risks that require constant vigilance.
For IT and security leaders, the message is to continue investing not just in new tools, but in culture, process, and education. Ultimately, the organizations that thrive over the next decade will be those who learn to harness choice without neglecting cohesion—turning application abundance into a strategic, secure advantage.