Security Experts: Updating Software Best Way To Stay Safe Online

There are many online tips for how to best protect your computer against malware, but people tend to prioritize certain tools differently. Google wanted to know what both non-experts and experts thought about the top 5 security practices, so the company interviewed 231 "security experts" as well as 294 non-expert Web users about it.

Strong Passwords

Both groups agree that proper password management is necessary, but they disagree on the approaches. Non-experts suggested you should use "strong passwords" as well as "change passwords frequently" to stay ahead of malicious hackers. The security experts thought it's much better to let a password manager handle passwords for you.

One expert said: "Password managers change the whole calculus because they make it possible to have both strong and unique passwords."

The experts used password managers three times more frequently than non-experts. Only 24 percent of the non-experts used password managers for at least some of their accounts, compared to 73 percent of the experts.

Google's findings suggested that most non-users avoid password managers either because they don't know much about them or because they don't trust them not to be hacked. One non-expert said, "I try to remember my passwords because no one can hack my mind."

Anti-virus vs. Updates

The most interesting result in this study was the large discrepancy between what non-experts and security experts consider to be the best way to increase your security online. Non-experts believe that running an anti-virus on your PC is the best way to stay secure, while experts believe software updates are the way to do that.

A non-expert said, "I don't know if updating software is always safe. What [if] you download malicious software?" He added, "Automatic software updates are not safe in my opinion, since it can be abused to update malicious content."

Although not an entirely baseless concern (even Google's internal network was reportedly tapped by the NSA in the past), updates are still far safer to install day to day than to skip. Mainstream update mechanisms authenticate each package, typically by checking a digital signature before anything is installed, so a tampered or spoofed update is rejected; the scenario this commenter fears applies mostly to updates fetched from unofficial sources. Leaving software unpatched for months or even years, on the other hand, means the list of publicly known, readily exploitable flaws in that software only grows.
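To make the "could the update itself be malicious" point concrete, here is an added example (not code from the article, from Google, or from any real updater) of the two checks an update client runs before applying a package: every downloaded file must match the digest listed in a trusted manifest, and the package version must be strictly newer than what is installed, so an attacker cannot push back an old, vulnerable build. The manifest, file contents and version numbers are constructed for the example. A real updater additionally verifies an asymmetric signature over the manifest, which the Python standard library does not provide, so this code assumes that step already happened.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(v: str) -> tuple:
    # Numeric comparison: (2, 10, 0) > (2, 9, 1); plain string comparison gets this wrong.
    return tuple(int(part) for part in v.split("."))


def verify_update(manifest: dict, files: dict, installed_version: str):
    """Return (ok, reason). `files` maps file name -> downloaded bytes.

    Assumes the caller already authenticated `manifest` (signature verified).
    """
    # Anti-rollback: refuse anything that is not strictly newer than what is installed.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "rollback: manifest version %s is not newer than installed %s" % (
            manifest["version"], installed_version)
    # Integrity: every listed file must be present and match its digest.
    for name, expected in manifest["files"].items():
        if name not in files:
            return False, "missing file: " + name
        actual = sha256_hex(files[name])
        if not hmac.compare_digest(actual, expected):
            return False, "digest mismatch: " + name
    # Anything not listed in the manifest is unexpected and must not be installed.
    extra = sorted(set(files) - set(manifest["files"]))
    if extra:
        return False, "unlisted files: " + ", ".join(extra)
    return True, "ok"


# Constructed sample update (hypothetical product): two files and a manifest
# whose digests are computed from the genuine bytes.
GOOD_FILES = {
    "app.bin": b"genuine application build 2.1.0",
    "helper.dll": b"genuine helper library 2.1.0",
}
MANIFEST = {
    "version": "2.1.0",
    "files": {name: sha256_hex(data) for name, data in GOOD_FILES.items()},
}

# A tampered download: one byte appended to app.bin.
TAMPERED_FILES = dict(GOOD_FILES, **{"app.bin": GOOD_FILES["app.bin"] + b"\x00"})


if __name__ == "__main__":
    print(verify_update(MANIFEST, GOOD_FILES, "2.0.9"))       # (True, 'ok')
    print(verify_update(MANIFEST, TAMPERED_FILES, "2.0.9"))   # digest mismatch
    print(verify_update(MANIFEST, GOOD_FILES, "2.10.0"))      # rollback refused
```

The third call shows why versions are compared as integer tuples: 2.10.0 is newer than 2.1.0, so installing the 2.1.0 package onto it would be a downgrade and is refused, whereas a string comparison would wave it through.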

Although 35 percent of the experts strongly believed in the importance of updates, with only 2 percent of the non-experts doing the same, the scores were almost reversed when it comes to believing in the anti-virus as the ultimate security tool. Forty-two percent of the non-experts ranked it first, while only 7 percent of the experts thought an anti-virus is the best way to stay safe online.

Most experts see the benefit of running an anti-virus but believe it gives non-experts a false sense of security.

To Patch Or Not To Patch

Google believes that non-experts misunderstand the importance of updates, even though updates are like the "seatbelts of online security." Updates represent a much lower degree of risk overall compared to the risk of not updating and patching existing vulnerabilities, which are almost certain to be exploited in due time.

Malware usually gets onto a machine by exploiting software vulnerabilities. For instance, for a user to pick up malware from a legitimate ("good") website, that site first has to be compromised, typically through a vulnerability in its own server software. The attacker then has to either trick the user into downloading and running the malware, or exploit a vulnerability in the browser (or one of its plugins) so that the malware lands on the user's computer automatically as the page loads.

After that, the malware typically has to exploit further vulnerabilities in the host operating system to escalate privileges and bypass the protections there. Unless the attacker uses zero-day vulnerabilities, which are time-consuming or very costly to obtain and have a short lifespan once used, a user whose software is all up to date is protected against that whole chain. The caveat is the first branch: patching does nothing for a user who is talked into running a malicious download themselves, which is why updates and a little caution belong together.
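The practical question that follows from this is "which of my software is still exploitable?" Below is an added example (not from the article, Google, or any vendor) of the patch-state audit a practitioner would run: compare an installed-software inventory against a table of the lowest version that carries each fix, and report how long each fix has been available, since that exposure window is what an attacker exploits. The inventory, product names, version numbers and fix dates are all constructed; in practice the table comes from vendor advisories. The example also shows the classic pitfall of comparing version strings lexicographically.

```python
from datetime import date


def parse_version(v: str) -> tuple:
    # Compare numerically: "4.10.0" is newer than "4.9.2", although as strings
    # "4.10.0" < "4.9.2" because '1' sorts before '9'.
    return tuple(int(part) for part in v.split("."))


def audit_patch_state(installed: dict, minimums: dict, today: date) -> list:
    """Return out-of-date products as (product, installed, required, days_exposed),
    most exposed first. `minimums` maps product -> (lowest patched version, date fixed)."""
    findings = []
    for product, (required, fixed_on) in minimums.items():
        have = installed.get(product)
        if have is None:
            continue  # not installed, so nothing to patch
        if parse_version(have) < parse_version(required):
            findings.append((product, have, required, (today - fixed_on).days))
    return sorted(findings, key=lambda f: f[3], reverse=True)


# Constructed inventory (hypothetical product names and version numbers).
INSTALLED = {
    "browser": "4.9.2",
    "pdf-reader": "11.0.10",
    "office": "15.0.4727",
    "java-runtime": "8.0.45",
    "media-player": "2.2.1",
}

# Constructed table: lowest version carrying the fix, and when the fix shipped.
MINIMUMS = {
    "browser": ("4.10.0", date(2015, 7, 1)),
    "pdf-reader": ("11.0.12", date(2015, 5, 12)),
    "office": ("15.0.4727", date(2015, 6, 9)),       # already at the fixed version
    "java-runtime": ("8.0.51", date(2015, 7, 14)),
    "browser-plugin": ("18.0.2", date(2015, 7, 14)),  # not installed, skipped
}


def sample_audit() -> list:
    # Fixed "today" so the exposure figures are reproducible.
    return audit_patch_state(INSTALLED, MINIMUMS, date(2015, 7, 24))


if __name__ == "__main__":
    for product, have, need, days in sample_audit():
        print(f"{product}: {have} < {need}, fix available for {days} days")
```

Run as-is it lists the PDF reader (fix out for 73 days), the browser (23 days) and the Java runtime (10 days), in that order; the office suite is at the fixed version and the plugin is not installed, so neither is reported. The version-parsing helper is the part people get wrong: a string comparison would report the browser at 4.9.2 as newer than the required 4.10.0 and silently leave it unpatched.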

Anti-viruses are generally more about protecting unpatched systems against old malware that is already well known to anti-virus companies. There is still plenty of new malware that can do damage to millions of Internet users at a time, which is likely why many security experts think non-experts shouldn't put so much trust in anti-viruses.

Sometimes an anti-virus can catch an unknown type of malware, too, if it recognizes its behavior, but these days skilled attackers test their malware against all the popular anti-virus programs before releasing it in the wild, ensuring it won't be detected quickly after launch.

Security Priorities

The Australian Government's Department of Defence, which published its own ranking of mitigations against targeted intrusions, put application patching and OS patching at #2 and #3 in importance, respectively, right after application whitelisting (which is highly effective but too restrictive for most regular users), and ahead of minimizing administrative privileges (using a "standard" rather than an "administrator" account for day-to-day work).

Google admitted that none of the top five practices mentioned by each group in its study made users less secure, but the company hopes to help users better prioritize their own security practices in the future.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jimmysmitty
    I kind of feel a "no duh" moment here.

    Of course updating software helps to keep you safe in 99% of cases. Unless you are Java and release a new version that opens a massive hole so bad that you tell everyone to roll back.

    But normally a patch is there to fix exploits/holes in the software/OS.
    Reply
  • clonazepam
    I use Webroot's SecureAnywhere. I don't know how good or bad it is, so I assume that means it's at least decent. There are many features, and one that sticks out as uncommon to me is that its install folder name and the executable are randomly generated during the install.

    Threat protection is performed "in the cloud" and needs no updates. Good, bad, indifferent?
    Reply
  • jimmysmitty
    Cloud based scanning is not bad but if a virus kills your web access you need something local that can at least take manual updates.

    I have not looked at anything beyond Windows Defender (same as MSE in 8/8.1) since it came out.
    Reply
  • codo
    Some people are wary of updates, but I've always updated everything I could whenever I could and have no trouble.
    Reply
  • whassup
    Just keep your Windows, browser, PDF readers, MS Office and antivirus always updated and you will be secure even if you are on the adventurous side.

    For the past 3 years my PC has never gotten infected, and I am a click-happy user who visits whatever sites I need for information or files. I just keep all of my Internet-related apps updated, which includes Windows 8.1 Pro, Avast Free 2015 (PUP scan enabled), Chrome, MS Office and a PDF reader. I also do regular malware scans using Avast as well as Malwarebytes Anti-Malware and AdwCleaner, just to ensure nothing has penetrated my system.
    Reply
  • zodiacfml
    Haven't used a password manager, if Google can manage to make and maintain one then I'd try it.
    Reply
  • JonnyDough
    You think? It's not just "experts". It's any person in information technology...
    Reply
  • Tanyac
    This reads like a weak attempt to placate those that are concerned about the Windows 10 forced auto updates.

    There are as many reasons not to trust auto updates, especially given the advertising, malware and personal information collection, and complete lack of control over your "own" system, as there are to support auto updates.

    Best security. Disconnect from the internet. Better yet, Turn off your computer, go and have a BBQ with your neighbors and reconnect with the community.

    Reply
  • alidan
    Some people are wary of updates, but I've always updated everything I could whenever I could and have no trouble.

    I have had one too many updates break things in the past to ever want to update beyond a "something I own isn't working" basis. I hate that Google auto-updates and there is nothing I can do to stop it... Take a look at the bookmark manager they tried to force on everyone a few updates ago... There will come a time when they remove the traditional bookmarks and I am forced to leave Chrome because of that crap.

    Also... I have had online accounts hacked/brute-forced and I have had full system crashes with no hope of recovery... The idea of using a password manager is something I will never bring myself to accept... The idea of a program that handles all my passwords and has them as long and complicated as possible, only to have the program crap out on me and never be able to get access to any of my accounts again, is bad enough, but then you go a step further, and if someone hacked the site, if it wasn't a local password manager... not a chance in hell... And 2-step verification only works when you have a cellphone... I don't, and paying a few hundred dollars a year just for 2-step is out of the question.
    Reply
  • alidan
    Tanyac said:
    This reads like a weak attempt to placate those that are concerned about the Windows 10 forced auto updates.

    There are as many reasons not to trust auto updates, especially given the advertising, malware and personal information collection, and complete lack of control over your "own" system, as there are to support auto updates.

    Best security. Disconnect from the internet. Better yet, Turn off your computer, go and have a BBQ with your neighbors and reconnect with the community.

    I did not know Windows 10 forced updates... I'll have to look into blocking all Microsoft domains at either a software or hardware level... I refuse to update the OS unless something is broken, as Windows updates have failed on me so many times where a format was required that I just can't bring myself to update unless it's absolutely impossible to live without.
    Reply