Survey Reveals Chasm between Users’ Concerns and Behavior

A recent survey commissioned by ESET and conducted online by Harris Interactive from May 31-June 2, 2011 among 2,027 U.S. adults 18+ found a startling disconnect between user concerns about privacy and security and their actions on social networking sites.

To start, the study found that 69% of online social networking account owners are concerned about security on social networking sites, yet 1/3 of them have never changed their passwords for their social networking accounts and another 15% last changed their password more than one year ago.

Moreover, the survey revealed that one in ten online Americans with social networking accounts have reported that an unknown party gained unauthorized access to their social networking account to spread malicious links and comments. This is particularly alarming since unauthorized access can threaten the account owner’s cybersecurity as well as that of their contacts—we’ve seen countless examples, including recent scams around the death of Osama Bin Laden.

The survey also found that 67% of account owners claimed that they were concerned about privacy issues, yet 55% of the account owners update their privacy settings less often than once every six months, if ever. This can be problematic. For example, Facebook makes it extremely difficult to know when you need to change settings because they virtually never advise users when they are making changes that may affect user privacy.

While 69% of account owners were concerned about security and 67% expressed concern about privacy, there were other significant concerns reported as well.

• 37% were concerned about someone creating a fake account in their name.
• 95 percent of social networking account owners accept friend/follower/connection requests always or sometimes.
• 71 percent of social networking account owners are concerned that their personal information entered on social networking sites may be sold or shared without their knowledge for profit.
• 17% were concerned about their children using social networking sites.

So, what can you do to secure yourself and your contacts on social networks?

A common misperception seems to have many users believing that social networking safety and privacy is entirely outside of their control. This is not the case—you can easily improve your online security if you follow these simple guidelines:

#1: Be smart about passwords.

How important is it to change your social networking password on a regular basis, and at what interval should you change it? This is actually a subset of the question of how often you should change passwords in general. The answer to this question depends upon a few factors.

Do you use the same password for your multiple social networking accounts, email accounts, and other online services? If you answer yes to this, then about once every 5 minutes is the optimal interval for changing your password. When you use the same password everywhere, it only takes one Sony-style mistake to compromise all of your accounts. Remember, your passwords are on the Internet, and they are not entirely under your control. Is your password a word in any language? A number such as 12345? If so, then perhaps an interval of once every 10 minutes is appropriate. To put it simply, you can’t change your password often enough if you are using a poor password. For some tips on using good passwords, I recommend that you refer to ESET Researcher Paul Laudanski’s blog “No chocolates for my passwords please!”

Assuming a good password and no significant enemies, I am unaware of a scientific formula for the optimal period for password changes. In general, I would expect that for a service like Facebook, every three to six months will be sufficient, yet the survey found that 70% of social networking account owners have not changed their password within the last 90 days. Events like breaking up with a vindictive partner, finding that your computer or smartphone has been compromised, etc. would tend to mandate a password change sooner rather than later.

#2: Know your options when it comes to privacy, and check back often.

Facebook may report to the media that they are making a change, but often the change is gradually rolled out and secretly slipped past users. Facebook appears to deliberately use this approach to drive adoption of “features” they fear users will find nefarious. The reality is that with Facebook you probably should be checking your privacy settings every couple of weeks if you want a chance to keep on top of what Facebook may have changed in your account. Once again, Paul Laudanski has an excellent blog about Facebook privacy settings with best practices and tips to keep Facebook users safe. Don’t be fooled, though: Facebook privacy has never been “set and forget” and is not likely to be anytime soon. As hard as you work to control your privacy, Facebook’s marketing department is working twice as hard to find new ways to share your data without informed consent.

#3: Know who your real “friends” are.

Be sure that anyone whose “friendship” or connection you accept is someone you know and trust. For the 11% of social networking account owners that indicated concern about the number of friends/followers/contacts they have, all I can say is that it is your choice and you have to make your own decisions. We can provide you with advice and guidance, but we can’t and won’t tell you who to associate with.

#4: When in doubt, seek help from outside resources.

For those of you concerned with your children’s use of social networking sites, I would highly recommend a visit to http://www.safetynetcc.org/, a collaborative cyber safety education program of the San Diego Internet Crimes Against Children Task Force and the San Diego Police Foundation.

Methodology
This survey was conducted online within the United States by Harris Interactive on behalf of Schwartz Communications from May 31-June 2, 2011 among 2,027 adults ages 18 and older, of whom 1,476 have social networking accounts. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please email us here.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America