Shame on you! Report shows users lazier than ever about security practices

Summary: Security risks are growing ever larger, but a study says people are paying less attention than ever to computer security.


The NSA is in our in-box, malware is everywhere, and Web sites are getting knocked off by hackers every other day. So you might think us computer users would be trying to take better care of our home computers. You would be wrong.

Home computer users are lousy when it comes to protecting themselves from technology dangers. (Credit: Microsoft)

At the @Microsoft Conversations event in Washington DC on September 12, 2013, Microsoft released its latest Microsoft Computing Safety Index (MCSI) results for worldwide consumer computer security. The results were awful.

The MCSI is a tiered security scoring system. It was first developed in a 2011 study sponsored by Microsoft's Trustworthy Computing Online Safety group. The survey contains more than 20 steps consumers can take to help protect themselves online. The more steps the user reports taking, the higher the online safety score; 100 is the highest rating possible.

Would you care to guess what the average score is in the United States?


It's 34 out of 100.

That's an F by anyone's scoring. What's even more troubling: We're getting worse. In 2012, U.S. Internet users scored 36; in 2011, they came in at 37.

To quote Microsoft, "As the Internet has become a ubiquitous part of life, U.S. consumers are less vigilant about protecting their safety online."

They've got that right. We may claim that we're trying to be better about protecting our privacy online, but the reality is, most users aren't doing so.

Digging into the results further, we find that while Windows users are more often using up-to-date versions of the OS (Vista and up), in all other ways they're actually less fundamentally secure than they were in 2012. Specifically, only 59 percent are using anti-virus software (a must on Windows systems); 40 percent are using firewalls; 47 percent are updating their operating systems; and a mere 29 percent use secured Wi-Fi for their networks.

These people don't need to worry about the NSA looking over their shoulders when any 13-year-old script kiddie could bust into their systems.

But, wait! It gets worse!

According to Microsoft, "Looking year over year, the U.S. score indicates a decline in consumer behaviors when it comes to taking proactive steps that help protect themselves online. Compared with 2012, this year’s scores were down slightly overall (36 in 2012 vs. 34 in 2013) with a downturn in implementing technical protections, like using phishing & Web browser filters, and behavioral protections, like creating a unique password for each account."

This is frightening. Things really have never been more dangerous on the Internet. The generation of users who grew up with computers is acting as if they can use computers without even the baby security steps.

I think, I hope, most ZDNet users know better than this. But, there's no question that many of your friends and family members don't. Grit your teeth, take off your “I will not fix your computer” t-shirt, and help them update their operating systems and programs. Get them to use antivirus software, turn on their firewalls, and secure their Wi-Fi access points.

Then, just pray that one day your non-techie friend doesn’t call you up screaming that someone just cleaned out his bank accounts and ran up his credit card bills. Because, with lousy security like this, times have never been better for cyber-criminals.

  • You lazy users are too slovenly to clean up the nasty mess left by others

    Developers and managers think the status quo is fine. Stop releasing insecure CRAP, figure out a better way.

    Somebody is going to follow this with excuses...
  • The users have always been the weak point

    So long as users value convenience over security, this will be a problem.

    Perhaps the real solution is to make security easier to use than not to use it.

    Sounds backwards, but until Security is easier than not using it, users will avoid being secure.

    So, if Microsoft and Apple can't figure out how to make security easy, then perhaps the Open Source community can figure it out. Then again, maybe not.
    • Build it with Security baked in

      The Band-Aid approach is not the way. i.e. relying on the user to apply the band-aids and do x, y, and z is not the way.

      There should be enough forensics collected from all the security problems to know how to prevent these problems. It's time for the software development industry to up their game and eliminate these issues. Figure it out and get it done.
      • So good winning on bad once and for all?

        It's not that straightforward; the same tools are available for both sides, and there are tons of human mistakes to take advantage of. We need to be in the race, but it's going to be ongoing and not a few laps.

        By this logic, there could be no crime if we have all the laws in place.
        • It's not a social problem, it's an engineering problem

          Instead of making the next nosql or siri or AI watzit or redundant Linux distro, figure out how to build a compiler that builds code in a secure way. Create better tools to analyse code for flaws. They just don't want to do the work. The forensics of exploits show what's being targeted and these problems should not be perpetual like they are now where they can be exploited over and over on every piece of code released.

          The development community is not doing enough and they are just blaming the user for their failures.
          • Then create a solution that works

            Any ideas?
          • Stop complaining!!!

            Most of us made the problems. When Microsoft wanted to put by default a basic anti-virus and other security things, everybody complained "It's unfair, and ..., and ...". But the "normal user" doesn't know anything or knows only the basics about security. When a "normal user" buys a product already preinstalled (Surfaces, iPads, Galaxys, ...) s/he thinks that everything is ready to go online. The same is true: you don't buy a car with an optional motor, or do you?
            So stop complaining and make apps more secure.
          • People like Greywolf3 only complain

            it's easier than actually doing something. Blame someone else. It's the norm these days.
          • You are extremely naive!

            It is obvious that you have no clue how complex the software domain is. There will never be a "silver bullet" solution as you proclaim to be needed.
            David A. Pimentel
      • Build it right in...

        Pointless when the user will just circumvent that and not bother to keep software patched.
  • So what's the point...

    ... when any security measures implemented are cracked, broken and exploited by the bad guys...

    ... Oh, no, wait, that would be by the US government now, not the bad guys so much...
  • STOP Blaming the user! Blame the IT industry and government.

    In 2003 the Computing Research Association (CRA), with the support of the National Science Foundation and US Government, held a major invitation-only summit in Virginia to look at the state of cybersecurity. Some 50 people attended with reps from major countries, including this commentator. The result was a 4-point summary to be presented to the USA's Congress and this was done a few days after the summit. The overall concept was to look at what was needed to be done BY THE IT INDUSTRY ITSELF!

    What was a major theme - here it is - "Give users security they can understand and easily manage!"

    It was agreed that continually admonishing the least skilled entity in the security chain - the normal end-user of a PC / laptop / etc. - would get nowhere - and this has proven to be so - 10 years later! Yes - there is no point blaming a driver for not stopping a car, for example, if it doesn't have easy to understand and use BRAKES!

    How many end-users fully understand Win'7's UAC - with its sort of split "personality" in relation to "admin" accounts? Why don't server systems / cloud servers employ such access control systems as "FMAC - Flexible Mandatory Access Control" (Remember SELinux, Trusted/CMW SOLARIS, Secure UNIX, GEMSOS, Multics, etc etc ?)

    After all, as IBM put it many years ago, no application can be any more secure than the hardware, operating system and middleware it depends upon!

    Yes - we have all seen the attempts at getting the USA's Congress to enact cybersecurity bills - with no result! Meanwhile in other industries, legislation/regulation for safety and security has been normal, e.g. pharmaceuticals, car industry, air transport and on and on - BUT NOT for the IT industry - on which all national critical infrastructure depends in the age of the digital economy.

    Perhaps the great US Senator - Senator Sam Nunn - was right some 18 years ago when he said that the USA would only wake up after there is an "electronic Pearl Harbor".
    • Blame the government?

      Are you really foolish enough to think any government would really step up to the plate without leaving back doors in the system so they can get in, therefore leaving backdoors for the bad guys?

      Did you not read the first line in the article, "The NSA is in our in-box"? Do you really think European governments aren't spying on whoever they need to? (the NSA just got caught. The Europeans aren't typically that sloppy)

      Even if Congress passed a law, do you think the bad guys would care? By the time it was passed do you really think technology wouldn't have surpassed anything in the law?

      Stupidity knows no bounds. I'm from the government and I'm here to help. That ought to scare you to death.

      You might want to remember that until a couple years ago, using anything over 16 or 32 bit encryption was illegal to export outside the US. Congress didn't change that until years after the law should have been changed.

      And you expect them to do anything intelligent? You must be from another planet where elected officials actually do something for the people, or you live under a rock.
  • Typical average human

    The average human is a computer illiterate who requires a computer expert to set up their computer for them. This is being offered by retail stores at big prices; especially for AV software, even though there's Microsoft Security Essentials (free) and Windows Firewall Control ($10 bucks). These prices repel customers (most of whom are computer illiterates) and the customer just blindly uses the computer, creating the PEBCAK threat.

    Until retail stores offer these services at lower cost OR every household has an IT expert (perhaps through high school education), there's barely any likelihood of this improving. Noobs rule this planet, and businesses are busy exploiting the idiocracy.
  • Shame on you! Report shows users lazier than ever about security practices

    They can be lazy when Microsoft Windows does the updates for you. Automatic updates are turned on by default, antivirus is installed by default, built-in firewall is installed and turned on by default. A user would need to go out of their way to turn any of these options off. Unlike Linux where the security hole telnet port is just wide open inviting hackers in. Given this comparison we can say it's Linux users who are lazier than ever about security.
    • Every time I catch you posting lies, I will respond with facts.

      11.5% of Windows 7 computers with anti-malware software installed are infected.
      4.5% of Windows 8 computers with anti-malware installed are infected.
      Less than 1% of Android phones, the most widely used OS in the world, based on Linux, most of which do have antivirus software installed and have never been updated, are infected.
      Friend of mine is coming this morning to pick up her laptop with a fresh install of Linux Mint. Computer used to have Windows Vista on it, updated with antivirus software running. Said computer got so infected it could no longer even boot. And no, she does not go to shady websites, she is married, with two young children and very religious.

      Stop the lies Loverock and face reality.
      • That's funny

        You know your friend is going to have someone else wipe Linux and reinstall Microsoft Windows Vista back on it. You can come back on here and post about it so I can tell you I told you so.
        • In your dreams, Loverock.

          That will happen right after you demonstrate any real competency with computers.
      • very religious

        Unfortunately religious web sites are notorious for being hacked and full of malware.
        • Maybe.

          Still doesn't make Windows more secure than Linux.