Online Users Are Not Protecting Their Own Security

Every few months, it seems, there's a large-scale cyber hack that makes the headlines and sends people into a panic about their online security. As we move more of our lives into the cloud, the potential damage of a cyber attack just seems to grow. There are stories that dominate the headlines, like the massive credit card attacks on Home Depot and Target, the breach of the federal government's Office of Personnel Management, and even the online release of Sony's comedy film, The Interview. What doesn't make the headlines are the millions of email and social media accounts compromised by brute-force or phishing attacks.

To understand how big of a concern this is for Americans I conducted a survey with 385 respondents using SurveyMonkey Audience. The respondents were drawn at random from the millions of people who take surveys with SurveyMonkey every single day and are weighted by population for gender, age and geographic location.

Are people concerned?
I asked users how concerned they were about their identity being stolen as well as their concern about email hacks. In both cases the responses were nearly identical, with 75% showing some level of concern. Not surprisingly, the older the respondents were, the more concern they showed about their online security risks. Only 60% of respondents aged 18-29 were concerned vs 85% for respondents older than 60. There was virtually no difference in concern levels when comparing male vs female respondents.


What are they doing about it?
Despite these heightened concerns about hacking, user behavior does not seem to align with expressed fears. 37% of respondents admitted to not having any security enabled on their mobile devices; this opens up their personal data to anyone that can get their hands on the phone. 44% of people surveyed use the same password for multiple accounts and websites, so if their password is phished or hacked, every account that shares the password is vulnerable.

On a positive note, 77% of users include symbols in their passwords, in addition to letters. While this tactic is certainly not foolproof, it is significantly better than just using dictionary words that can be brute force hacked.


What is industry doing to help?
In light of the growing challenges that come from hacking and identity theft, technology companies have been improving the tools they offer customers to help secure online accounts. One of the most popular and secure ways to prevent unauthorized access to an account is to use a second form of authentication in addition to a password. This type of authentication has been in use since the mid-1980s, when users of corporate mainframes had to carry an RSA key generator in their briefcases in order to access the system. These devices use an algorithm to publish a public key unique to the user that positively authenticates them. Carrying around a device to help authenticate every one of our public accounts might not be so feasible, but the proliferation of mobile devices solved that issue. Users can opt into receiving an SMS message with a code to log in to the site, or they can just use a dedicated app.

There are apps in the Play Store and the iPhone App Store made precisely for two-factor authentication, and even Google has its own app, called Authenticator. The way these work is that when a user wants to log in to an online account like their Gmail, they put in their username and password, and then they confirm their identity with a unique code shown to them in the app. While there are a number of challenges with using this kind of two-factor authentication, namely that your phone needs to be with you and connected to the Internet, using it is still better than getting hacked.

In the survey I asked respondents whether they use two-factor authentication to log in to their accounts. Only 26% responded that they do, while 44% said they do not. Somewhat surprisingly, only 30% had not heard of this kind of authentication, which means that companies are doing a decent job of making people aware, but not a good enough job of registering users for such security features.


How big of a problem is it?
With 81% of all Americans doing some form of online banking and email usage at near 100%, the potential for damage is greater than ever. The onus is on everyone, from technology companies to individuals, to take responsibility for online security. Technology companies need to make it easier for customers to adopt these security features rather than leave their customers scrambling to find them after a hacking. Rather than just a quick popup note asking for a phone number in case the user forgets their password, they should probably consider scaring the customers with a good explanation of why they need that number. Maybe getting users to use security tokens and apps to log in to their accounts is too much to ask for now, but having their phone number on file to receive an urgent SMS when suspicious activity happens is a fair request.

Users need to take personal responsibility
Most importantly, users need to do a lot more to protect themselves. At a minimum, people need to use secure passwords that can't easily be guessed. Every time there is a major hack we learn how many users choose "password" or "1234" as their password for an account that is meant to be fairly secure. In addition, users need to take the extra step of locking their mobile devices. Yes, it will make it a lot harder to dial while driving (which is a good thing), but there are also smart unlock features which can disable the need for phone security while in the proximity of a car's Bluetooth.

As the data above shows, users have come a long way in terms of managing their online security accounts and data. While too many people still resist comprehensive security management even in the face of hacking fears, there are more and more people taking action to protect against online fraud. Just like it took a cataclysmic event to finally spur the banking industry into adopting the credit card chip technology, it will unfortunately take an email or social media hacking Armageddon before we see online security take a huge step forward.