Grit your teeth and let your computer update itself. That’s the advice of security experts, who say consumers should welcome those updates because they serve a crucial purpose.
In a world where computers and the software that runs them are under near-constant assault, updates allow companies like Microsoft, Apple and Google to keep customers safe – to the annoyance of many users.
But too many consumers turn off updates or refuse to install them when they pop up, either because they like their programs as they are, or because they fear the updates themselves may be malicious, or simply because it’s too much work or downtime.
A study by the Pew Research Center in January found that 14 per cent of consumers never updated their smartphone’s operating system and 42 per cent waited “until it was convenient”.
Microsoft significantly changed its update model with its Windows 10 operating system by allowing for automatically installed updates, with some flexibility about timing on the part of the user.
Major upgrades can only be deferred for 180 days, with a 60-day grace period. And in a change from the past, its weekly security patches are now bundled together, whereas it used to be possible to choose which to install.
As attacks increase, companies are increasingly pushing out updates.
“Apple used to only update their software once a year and now they do it monthly, mostly for security patches. Microsoft used to be able to go a year for a big update,” said Daniel Ladik, a professor who specialises in digital marketing at Seton Hall University.
Those ever-more-frequent updates also often include a mix of both security and general software changes – to the frustration of users.
They complain some updates force them to reset preferences or that the updates cause crashes. The frequency and glitches have given updates a bad name, leading some consumers to ignore these persistent reminders.
Sometimes settings change, “so suddenly you’re getting push notifications even though you had them turned off so you’ve got to go back in and reset everything,” said Ladik.
‘No-one wants to be interrupted’
That’s the challenge for the technology industry: To keep consumer data safe, software makers need to convince users to constantly maintain their programs. But the more they interrupt consumers, who are increasingly tethered to their smart devices, the less these consumers want to play along.
A Google survey of security experts and regular web users in 2015 found a wide gap between the two when it comes to updates. A full 35 per cent of experts – but only 2 per cent of non-experts – said installing software updates was one of their top security practices.
Google thinks it’s less a reluctance to install updates and more just not wanting to be hassled.
“No one wants to be interrupted in the middle of doing a task they’re concentrating on to pause and deal with something totally unrelated,” said Parisa Tabriz, a Google Chrome security expert. That’s why the Google operating system is automatically updated, she said.
Grady Summers, chief technology officer with security company FireEye, thinks the fear of installing something that will crash a system or brick a device is overinflated, especially compared to the danger of getting hacked.
“The risk is minuscule compared to the risk you run by not patching. Companies like Microsoft and Google extensively test updates for compatibility. Unless you’re running very specialised software, you shouldn’t be concerned,” he said.
This leads to a mismatch between security concerns and consumer concerns.
Ladik tends to be of the ‘if you’re unsure, don’t do it,’ school of thought, figuring that for most devices he can skip somewhere between three and five updates before they stop working.
That outlook drives security professionals to distraction.
“The inconvenience experienced from potential changes due to patching is a fraction of the hassle involved in recovering from a compromise. Take the medicine, it’s far better than the disease,” said John Bock, a vice president of application security at Optiv, a computer security company.
Users don’t always see it that way. “Sometimes the medicine is worse than the disease itself,” said Otero.
To his mind, updates make sense for businesses, because they have a tech staff and can test systems when they install updates.
Consumers don’t have that luxury. So he often waits a few days when an update comes out, keeping an eye on what others are writing online about the new code.
“Sometimes you’ll go on and see a couple of hundreds of people saying the same thing – ‘Don’t do it! It will break!’” said Otero.
Security experts say the reality is that most people don’t remember to update. And waiting is becoming increasingly less safe.
One solution would be for companies to separate security updates from program updates.
That would let users choose security immediately but give them control over when they want to automatically update other aspects of programs or operating systems, said Cooper Quintin, a staff technologist with the Electronic Frontier Foundation.