3 crucial security steps people should do, but don’t

Cybersecurity could be as easy as 1-2-3.

The problem, though, is that people have to want it.

In new research conducted by Malwarebytes, internet users across the United States and Canada admitted to dismal cybersecurity practices, failing to adopt some of the most basic defenses for staying safe online. And while some of the fault lies with the public, some also lies with the cybersecurity industry, which, according to the same research, has released products that people do not understand, do not trust, and, most concerningly, do not use for their intended benefits.

For our latest report, “Everyone’s afraid of the internet and no one’s sure what to do about it,” we surveyed 1,000 people, aged 13 to 77, about their cybersecurity and online privacy beliefs and behaviors. When asked specifically about the tools and methods that people use to protect themselves online, we found, disappointingly, that:

  • Just 35 percent of people use antivirus software.
  • Just 24 percent of people use multi-factor authentication.
  • Just 15 percent of people use a password manager.
  • Just 35 percent of people have unique passwords for most or all of their accounts.

There’s no denying the ugly truth here: These numbers are too low.

Optimistic interpretations do exist—perhaps some members of the public unknowingly have antivirus protections on their devices or they perhaps use device-provided password managers without knowing the name of the technology behind it—but other statistics point to a lack of trust and a high rate of apathy towards cybersecurity defenses overall.

For everyone interested in meaningful, simple cybersecurity, here are three things you can do right now.

1. Create and store unique passwords for each account with the help of a password manager

Strong passwords are a two-part problem: They must be unique for every online account, and they must be remembered.

Creating strong, unique passwords is simple enough, as any person can throw a cat at a keyboard and likely fulfill the password requirements for most online accounts. Uppercase and lowercase letters? Special characters? Numbers? No addresses, pet names, or usernames? These specifications are no match for “vn;aeo&d8ey38dD” (No cats were harmed in the creation of this password).

But remembering that password—and remembering every password like it—is physically impossible, as the number of online accounts and associated passwords that the average person can recall from memory is just a handful. 

In fact, there is plenty of research that shows that people have trouble remembering unique passwords for just 13 separate accounts, and that the people have far more trouble remembering 4 – 6 passwords compared to 1 – 3.

But the modern internet doesn’t care about mental limitations. Instead, it demands an increasing number of accounts and passwords to manage for each person. According to research from the password manager LastPass, the average small business user has 85 passwords, and according to older research in 2015 from another password manager, Dashlane, an average user then had at least 90 accounts.

The results of this constant tension are reflected in Malwarebytes’ latest report:

  • 24 percent use the same password, if possible, across all or most accounts
  • 41 percent have a few passwords they use across accounts

The most obvious solution to this first part of the password problem, then, is a password manager. Password managers can create and store strong, unique passwords for all your accounts, and they can interact directly with web browsers so that you don’t need to individually open the password manager app every time you log into a service.

Unfortunately, Malwarebytes’ research shows that password manager use is exceedingly low:

  • 15 percent of all respondents use a password manager
  • 9 percent of Gen Z respondents use a password manager
  • 18 percent of non-Gen Z respondents use a password manager

Get a password manager and start using it specifically to create and store unique passwords across all your accounts. You physically cannot practice strong password security without one (unless you go the paper-and-pencil route, which is an entirely different conversation).

But once you have a password manager, don’t stop there…

2. Use multi-factor authentication (MFA)

There are two statistics that matter for multi-factor authentication (MFA).

The first statistic was released in 2019, when Microsoft’s Group Program Manager for Identity Security and Protection Alex Weinert said: “Based on our studies, your account is more than 99.9 percent less likely to be compromised if you use MFA.”

The second statistic was released this month, when Malwarebytes found that only 24 percent of people use MFA. That number drops to 16 percent for Gen Z.

MFA tackles the problem of password abuse in a very different way than password managers and password creation.

MFA does not care if your password sucks. MFA will not make you use any special characters or numbers or uppercase or lowercase letters. MFA doesn’t require you to “remember” anything.

Instead, MFA stands between your account and the abuse of your password by requiring you to enter another form of authentication—other than a password—to log in. That means that even if a cybercriminal has your login information for your bank, that alone would not be enough to gain access. Instead, your bank would ask for a second form of authentication, which is typically a six-digit passcode that is sent to your device through a text message or email, or it is generated by your device with a separate app.  Once you enter that passcode, only then are you allowed entry.

MFA is available on nearly every single critical type of online account today, and it should be used for the services that hold your most sensitive information, including your email, social media, and online banking.

3. Use antivirus

Ask a cybersecurity writer (me) how it feels to learn that just 35 percent of people use antivirus and you’ll hear an answer: “Not great.”

Ask the same cybersecurity writer how it feels to learn that just 17 percent of Gen Z use antivirus and you’ll hear a different answer: “Ah, sh*t.”

The public are not entirely to blame. As Malwarebytes discovered in its latest report, it is not that the public do not care about cybersecurity and online threats—it is that they do not know entirely how to stay safe, or how cybersecurity tools protect them.

As Malwarebytes found:

  • 41 percent agreed or strongly agreed with the statement: “I don’t fully understand how different cybersecurity products can protect me.”
  • 37 percent agreed or strongly agreed with the statement: “Cybersecurity products only really help with things like viruses and malware.”
  • 25 percent agreed or strongly agreed with the statement “There’s no point in using cybersecurity products since there are too many online threats.”

The cybersecurity industry should learn from this. We are failing to speak plainly about security tools, failing to explain how malware can be detected through its delivery in malicious websites that are blocked by online tools like BrowserGuard, and failing to show how digital consequences, like account compromise, identity theft, and credit card fraud, are strictly connected to well-known threats like credential stuffing and data theft. 

Particularly upsetting is that sometimes, even the users of online security and privacy tools have the wrong impression about those tools.

As Malwarebytes found, 22 percent of people use a VPN specifically to “help stop viruses/malware from getting on my device”—a function that VPNs do not provide(In rare circumstances, some malware avoids detonation based solely on IP addresses, but that is an exception for the average user.)

Antivirus works. We know you may consider Malwarebytes a biased speaker, but the fact still stands. Every year, Malwarebytes detects and removes millions of viruses, Trojans, adware infections, monitoring tools, and more from user devices around the world. Importantly, behind nearly every detection is an attempt to harm you, the user. 

Don’t fall for the easy path of apathy. Take three simple steps to stay safe.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.