9 reasons why users still struggle with online security

A new report from Google finds a disconnect between online security best practices from experts and users. Here’s where the groups differ.


How secure are you?

When it comes to online security, experts and users don’t always agree on the most effective ways to stay safe, according to a new report from Google.

The company surveyed 294 users and 231 security experts (participants who worked five or more years in computer security) to better understand the differences and why they exist. Here’s what they found.

Software updates


Installing software updates was the security practice that differed the most between security experts and users, according to the report. Thirty-five percent of experts mentioned it as a top security tactic, compared to just 2 percent of non-experts.

A lack of awareness of how effective software updates are might explain users’ low numbers, the report said. “Our results suggest the need to invest in developing an updates manager that downloads and installs software updates for all applications—much like mobile application updates on smartphones,” it said.

Antivirus software

Using antivirus software was the security action mentioned most by users relative to experts. Forty-two percent of users said that running antivirus software on their personal computers is one of the top-three things they do to stay safe online, compared to just 7 percent of experts.

Firewalls

Firewalls also ranked high among users, 17 percent of whom mentioned them among their top-three security actions, often in conjunction with antivirus software. Just 3 percent of experts ranked firewalls as highly. Experts cautioned against antivirus software and firewalls, calling them “simple, but less effective than installing updates” and “less sophisticated.”

Passwords

Using strong passwords and using unique passwords were among the strategies most mentioned by both groups, the report found. While more experts than users emphasized unique passwords (25 percent vs. 15 percent), fewer talked about having strong passwords (18 percent vs. 30 percent). Users were also more likely than experts to prioritize changing passwords frequently (21 percent vs. just 2 percent).

Password managers


Despite password specifics claiming two of their top-five spots, using password managers ranked low among users. Just 3 percent of users mentioned using the tools, compared to 12 percent of experts. Adopting password managers rounded out the top five security practices for experts.

Furthermore, just 32 percent of users ranked password managers as very effective or effective, while only 40 percent said they would follow advice to use them. Users commented that password managers were too “complicated for non-technical users.”

“Users’ reluctance to adopt password managers may also be due to an ingrained mental model that passwords should not be stored or written down—advice users have been given for decades,” the report said. “Password managers can make it feasible to use truly random and unique passwords to help move users away from memorable passwords, which are vulnerable to smart-dictionary attacks.”

Two-factor authentication


While password managers ranked low among users, they rated the use of two-factor authentication considerably higher, both in terms of effectiveness (83 percent) and likelihood of following advice (74 percent). Experts, however, expressed concerns that two-factor authentication is still too difficult for many users and not widely enough available.

“Additional work needs to be done to understand why non-experts are not using two-factor authentication,” the report said. “Some of the expert participants in our study offered several reasons, including the fact that this security feature is still too difficult to explain to non-tech-savvy users, that it is not available on all websites and that it causes significant inconvenience.”

Visiting only known websites


After using antivirus and changing passwords frequently, the practice most mentioned by users relative to experts was visiting only known websites. Twenty-one percent of users—compared to just 4 percent of experts—said they only go to known or reputable websites to stay safe online.

Experts polled by Google pointed out problems with this advice: “Visiting only known websites is great, but paralyzing,” one respondent commented, while another said, “Visiting websites you’ve heard of makes no difference in a modern web full of ads and cross-site requests.”

HTTPS

Using HTTPS is not a major priority for either experts or users, the report found. Just 10 percent of experts and 4 percent of users placed it in their top-three actions. A majority of both groups, however, said they often look at the URL bar to verify HTTPS (experts: 86 percent; users: 59 percent).

Browser cookies

More than half (54 percent) of users considered clearing browser cookies an effective security measure, while the same percentage of security experts called this practice “not good” or “not good at all.”

Security experts commented that doing so might be OK to prevent session hijacking, but “the annoyance of logging in again might throw some users off.”
