Security Experts: Updating Software Best Way To Stay Safe Online

There are many online tips for how to best protect your computer against malware, but people tend to prioritize certain tools differently. Google wanted to know what both non-experts and experts thought about the top 5 security practices, so the company interviewed 231 "security experts" as well as 294 non-expert Web users about it.

Strong Passwords

Both groups agree that proper password management is necessary, but they disagree on the approaches. Non-experts suggested you should use "strong passwords" as well as "change passwords frequently" to stay ahead of malicious hackers. The security experts thought it's much better to let a password manager handle passwords for you.

One expert said: "Password managers change the whole calculus because they make it possible to have both strong and unique passwords."

The experts used password managers three times more frequently than non-experts. Only 24 percent of the non-experts used password managers for at least some of their accounts, compared to 73 percent of the experts.

Google's findings suggested that the reason most non-users don't take advantage of password managers is either because they don't know too much about them or they don't trust them to not be hacked. One non-expert said, "I try to remember my passwords because no one can hack my mind."

Anti-virus vs. Updates

The most interesting result in this study was the large discrepancy between what non-experts and security experts consider to be the best way to increase your security online. Non-experts believe that running an anti-virus on your PC is the best way to stay secure, while experts believe software updates are the way to do that.

A non-expert said, "I don't know if updating software is always safe. What [if] you download malicious software?" He added, "Automatic software updates are not safe in my opinion, since it can be abused to update malicious content."

Although not a completely invalid concern, considering even Google's whole network was hacked by the NSA in the past, updates are still much safer to install on a day to day basis than not. Keeping software unpatched for months or even years means there are increasingly more ways in which to exploit that software and infect the user.

Although 35 percent of the experts strongly believed in the importance of updates, with only 2 percent of the non-experts doing the same, the scores were almost reversed when it comes to believing in the anti-virus as the ultimate security tool. Forty-two percent of the non-experts ranked it first, while only 7 percent of the experts thought an anti-virus is the best way to stay safe online.

Most experts see the benefit of running an anti-virus but believe it gives non-experts a false sense of security.

To Patch Or Not To Patch

Google believes that non-experts misunderstand the importance of updates, even though updates are like the "seatbelts of online security." Updates represent a much lower degree of risk overall compared to the risk of not updating and patching existing vulnerabilities, which are almost certain to be exploited in due time.

Malware usually exists through exploiting software vulnerabilities. For instance, to get malware from a certain website (let's say a "good" website), that site would first have to be hacked, likely through exploiting its server's own vulnerabilities. Then, the attacker would have to either trick the user into downloading the malware or exploit a vulnerability in the browser, so the user receives that piece of malware on his computer automatically as he visits the website.

After that, the malware would have to exploit existing vulnerabilities in the host operating system and bypass existing protection measures there. Unless the malware uses zero-day vulnerabilities, which can be either time-consuming or very costly for attackers (and have a short lifespan anyway), then the user should be protected if all of his software is up to date.

Anti-viruses are generally more about protecting unpatched systems against old malware that is already well-known to anti-virus companies. There are still plenty of "new" malware that can do damage to millions of Internet users at a time, which is likely why many security experts think non-experts shouldn't put so much trust in anti-viruses.

Sometimes an anti-virus can catch an unknown type of malware, too, if it recognizes its behavior, but these days skilled attackers test their malware against all the popular anti-virus programs before releasing it in the wild, ensuring it won't be detected quickly after launch.

Security Priorities

The Australian Government's Department of Defense, which made public its own evaluation of the best ways to protect against intrusions, ranked application patching and OS patching as #2 and #3 in importance, respectively, right after application whitelisting (which is a highly effective but also quite restrictive measure for most regular users), followed by minimizing administrative privileges (using a "standard" rather than an "administrator" account).

Google admitted that none of the top five practices mentioned by each group in its study made users less secure, but the company hopes to help users better prioritize their own security practices in the future.

Follow us @tomshardware, on Facebook and on Google+.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
22 comments
Comment from the forums
    Your comment
  • jimmysmitty
    I kind of feel a "no duh" moment here.

    Of course updating software helps to keep you safe in 99% of cases. Unless you are Java and release a new version that opens a massive hole so bad that you tell everyone to roll back.

    But normally a patch is there to fix exploits/holes in the software/OS.
  • clonazepam
    I use Webroot's SecureAnywhere. I don't know how good or bad it is, so I assume that means its at least decent. There's many features and one that sticks out as uncommon to me is that its install folder name and the executable are randomly generated during the install.

    Threat protection is performed "in the cloud" and needs no updates. Good, bad, indifferent?
  • jimmysmitty
    Cloud based scanning is not bad but if a virus kills your web access you need something local that can at least take manual updates.

    I have not looked at anything beyond Windows Defender (same as MSE in 8/8.1) since it came out.