Security Experts:

Many High-Risk Users Have Bad Security Habits: Google Survey

High-risk users are aware that they are more likely to be targeted by hackers compared to the general population, but many of them still have bad security habits, a Google survey shows.

High-risk user groups include business executives, politicians and their staff, activists, journalists and online influencers. Individuals in these categories are more likely to be targeted in cyberattacks due to their occupation or their online activities.

Google has commissioned The Harris Poll to survey 500 high-risk users from the United States; 100 people from each of the five aforementioned categories.

The results of the survey show that 78% of high-risk users are aware that they are more likely to be targeted by hackers compared to the general population, and 65% of them are more concerned about their accounts being hacked today than they were one year ago — a majority are mainly concerned about their work account being targeted.

Nearly three-quarters of respondents have been targeted in a phishing attack and 39% admitted having their accounts compromised. In many cases the phishing attempts relied on personal details, such as their name or organization, to increase the chances of success.

While roughly three-quarters of high-risk users believe their work and personal accounts are secure, with 91% of them claiming that they have taken steps to secure their accounts, the survey shows that many of them actually have bad security habits.

Specifically, over one-third of respondents admitted not using two-factor authentication, and 71% use the same passwords for at least some accounts. Only half of them use a security key for two-factor authentication, and 76% admit using their personal email accounts for work-related communications, which is generally considered an unsafe practice.

The survey shows that high-risk users are more likely to take steps to secure their accounts as a result of an attack against a colleague than an attack aimed directly at them. However, 60% of politicians admitted not making any significant changes to how they secure their accounts following the 2016 attack on the Democratic National Committee, and over half of business executives have not made any changes following the 2017 Equifax breach.

A vast majority of politicians are concerned about their work accounts getting hacked, with damage to their reputation cited as the top concern. Nearly two-thirds of politicians believe they would not fall for a phishing attack, and 81% believe their work accounts are secure. Nearly half of them have a security advisor who helps them ensure their online accounts are secure.

Journalists are the least concerned about their accounts getting hacked and they are most likely to believe that they would not fall for a phishing attack. On the other hand, this category of high-risk users also had the most respondents admitting falling victim to a phishing attack, and of all the high-risk user groups they are the least aware of the best practices for securing accounts.

As for business executives, a vast majority are concerned about attacks on both their personal and work accounts, and the thing they fear most is their personal information being stolen. Unsurprisingly, they are also concerned that a successful hack could have a negative financial impact on their organization. Nearly three-quarters of the executives who took part in the survey said they had been targeted in a phishing attack and one-third had their account compromised.

Google released the results of the survey just as it announced that it has simplified the enrollment process for its Advanced Protection Program, which adds an extra layer of protection to the accounts of high-risk users through the use of security keys.

Related: Password Practices Still Poor, Google Says

Related: Google Expands Use of Password Checkup Tool, Unveils New Privacy Features

Related: Many Users Don't Change Unsafe Passwords After Being Warned: Google

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.