If you suspect the computer you use at work is much less secure than the one you use at home, you may be right. A new study suggests that security vulnerabilities on workplace machines affect Mac and Windows users alike, mostly because operating systems and applications are infrequently updated.
The good news, though, is that some software protects users much more comprehensively than others. If you use Internet Explorer, for example, the study suggests that you ditch it for Google Chrome or another browser that automatically updates itself. The bad news is that many workplaces don't let end users install or update software, leaving such tasks to IT staffers who may or may not get around to them.
This information comes by way of the 2016 Duo Trusted Access Report (free, but signup required). Michigan-based Duo Security offers security solutions for businesses, and as such, it's able to gather a lot of data from its clients (with permission, naturally). The company's two-factor authentication program collected data from 2 million workplace computers over the course of the last year, from companies ranging from small businesses up to huge corporations. The results were not encouraging.
First things first: Neither Mac nor Windows machines are regularly kept up to date. Duo found that 53 percent of Mac systems ran a fully patched copy of one of the two latest versions of the operating system, OS X 10.11 El Capitan or OS X 10.10 Yosemite — a majority, but not by much.
Yet that figure is better than the 35 percent of workplace Windows machines that were running fully patched Windows 10 or Windows 8.1. (To be fair, only 2 percent of PCs ran the no-longer-supported Windows XP or Windows 8, and presumably most of the unaccounted-for 63 percent ran Windows 7.)
Keeping computer software up to date often brings useful user-interface features, but more importantly, it patches security flaws that software makers often make public in order to prevent further mistakes. It's not hard to see how a cybercriminal could take advantage of that arrangement: once a flaw is public, any machine that has not received the patch is exposed to it.
Regardless of your operating system, there's a fair chance that your primary Internet browser is out of date. Considering how many malware attacks originate online and target known vulnerabilities, that's not promising. Machines with Google Chrome installed are pretty on the ball: 82 percent of them have a fully updated Chrome browser, probably because Chrome keeps itself updated by default.
As such, one of the Duo report's recommendations is that users "switch to browser platforms that update more frequently and automatically, like Google Chrome." But bear in mind that it is possible to manually set almost any web browser, including Mozilla Firefox and Microsoft's Edge and Internet Explorer, to update automatically.
For Firefox, the fully updated rate was 66 percent, and it was 58 percent for Internet Explorer and Edge. About one-quarter of Windows users were running versions of Internet Explorer that don't get updates anymore, such as IE 7, 8, 9 (except on Vista) and 10.
As always, Adobe Flash Player and Oracle's Java platform present huge security risks for web browsers, and relatively few benefits in return. Critical security flaws are constantly being found in both pieces of software — especially in older versions — and yet only 40 percent of Flash installations and 28 percent of Java installations were up to date. Fortunately, only 22 percent of workplace systems still had Java installed. About 80 percent of them maintained Flash Player, however.
While these vulnerabilities may sound disastrous, it’s actually quite difficult to tell how many, if any, of the 2 million machines had been compromised as a result. (It's probably not zero.) Countermeasures such as installing antivirus programs can mitigate a lot of potential damage, and if you don't expose yourself to any malware, your chances of compromising your system are fairly low.
For business users, the best course of action is to simply check to make sure each of the programs you use is up to date. If your IT department is in charge of that kind of thing, just hope that it knows what it's doing, and maybe save your visits to questionable websites until after work.