The 4 most insecure areas of online behavior

Security experts and users follow a drastically different set of best practices to protect their security online, according to a new report from Google.

The company, which surveyed 231 security experts and 294 web users, found that the experts--defined as working five or more years in computer security--placed software updates, unique passwords and two-factor authentication atop their list of online security best practices.

Users, however, prioritized their top security measures differently: They listed antivirus software, strong passwords and frequent password changes. Users also admitted to delaying the installation of software updates and expressed a lack of trust in password managers.

"To improve security advice, our community must find out what practices people use and what recommendations, if messaged well, are likely to bring the highest benefit while being realistic to ask of people," the report said. "The experts' practices are rated as good advice by experts, while those employed by non-experts received mixed ratings."

Here's a look at where security experts and users differed the most.

Average users don't prioritize software updates

Installing software updates was the security practice that differed the most between security experts and users, according to the report. Thirty-five percent of experts mentioned it as a top security tactic, compared to just 2 percent of non-experts. This was the No. 1 security action the surveyed experts took, while it didn't crack the top five for average users.

Users' behavior toward software updates mirrored their attitudes toward them as well: While 39 percent of experts reported automatically installing security updates, 29 percent of non-experts reported doing the same. Less than half of the users surveyed considered advice to update applications very effective, yet two-thirds said they were very likely to follow it.

"Our results suggest that one reason some non-experts don't install updates might be the lack of awareness on how effective updates are," the report said. It cited examples from respondents who worried that updates could be abused to spread malicious content and the possibility that they contained bugs. Other respondents called the process of updating software "cumbersome."

Average users trust antivirus software the most

While average users don't prioritize software updates, they do value antivirus software, which they ranked No. 1. Forty-two percent listed running antivirus software on their personal computers, and 90 percent said they considered it either very effective or effective. Meanwhile, antivirus software made the list of top priorities for just 7 percent of experts.

"The high adoption of antivirus software among non-experts and their high willingness to follow this advice might be due to the good usability of the install-once type of solution that antivirus software offers," the report said.

Firewalls also ranked high among users: 17 percent mentioned them in their top-three security actions, often in conjunction with antivirus software. Just 3 percent of experts ranked firewalls as highly. Experts cautioned against antivirus software and firewalls, calling them "simple, but less effective than installing updates," and "less sophisticated."

Users value strong passwords, but rarely use password managers

Though both groups listed using strong passwords in their top security priorities (experts: 18 percent; users: 30 percent), they differed on other password specifics. Experts, for example, prioritized unique passwords more than users did (25 percent vs. 15 percent), while users spoke more often of changing passwords frequently than experts did (21 percent vs. 2 percent).

Despite their attention to password specifics, users placed very little value in password managers, the report found. Meanwhile, four times more experts said using a password manager is one of the most important things they do to stay safe online.

"While more experts said they use a password manager to keep track of their passwords, more non-experts said they write down passwords, remember or reuse them," the report said. "The low adoption rate of password managers among non-experts might stem from a lack of understanding of its security benefits."

The disconnect between the groups' views of password managers was reinforced when users were asked to rate the tools' effectiveness: Just 32 percent rated them as very effective or effective, while only 40 percent said they would follow advice to use them. Average users called password managers "complicated for non-technical users."

While password managers ranked low among average users, they rated the use of two-factor authentication considerably higher, both in terms of effectiveness (83 percent) and likelihood of following advice (74 percent). Experts, however, expressed concerns that two-factor authentication is still too difficult for many users and is not widely enough available.

Users only visit known websites

Average users care about a website's familiarity and reputation more than experts do, though they don't always heed their own advice, the report found. Users ranked visiting only known websites fourth, behind using antivirus software, strong passwords and changing passwords frequently, at 21 percent compared to just 4 percent of experts, according to the report.

Experts polled by Google pointed out problems with this advice: "Visiting only known websites is great, but paralyzing," one respondent commented, while another said, "Visiting websites you've heard of makes no difference in a modern web full of ads and cross-site requests."

While this tactic ranked high on average users' lists, not all of them adhere to it: Just 7 percent said they do not visit unknown websites, while 19 percent said they rarely do. "This finding might suggest that 'Visit only known websites' is not always practical," the report said.
