No matter how rigorous an approach you take to security in the enterprise, your biggest threat to security will always be your users.

Though the so-called “user threat” has been well known to IT professionals since the dawn of the computer, a new study commissioned by RiskIQ finds that the problem is extremely pervasive and still poses a serious threat for consumer and enterprise app usage.

RiskIQ surveyed 1,000 respondents in the United States about their behavior within mobile apps, looking into everything from their propensity to click on ads promoting apps to the reuse of passwords across different apps. What it found, perhaps unsurprisingly, is that many users’ habits are less than secure.

More than one third (36%) of respondents say they don’t consider an app’s details, while 47% never or only occasionally review an app’s privacy policy and/or permissions requested before downloading that app. In addition, 60% of users have clicked on an ad or a link in an email promoting an app, movie, or game.

It seems that many users have a “click first, ask questions later” approach to downloading and using apps. Reinforcing this assertion is RiskIQ’s finding that 28% of respondents had mistakenly installed an app thinking it originated from a trusted source, later finding out that the app was not, in fact, trusted. With 76% of users having more than 10 apps on their phones, there’s a lot of room for error by the average user.

All of this is to say a few things. For one, companies developing apps (or paying vendors to develop apps for them) absolutely must make security a priority. Designing apps to be ‘watertight’ against today’s biggest security threats is essential. But that isn’t enough. Companies must also invest in regularly teaching security best practices to their employees. In the mobile app world, the best offense is a good defense.

At the end of the day, these same consumers who are making questionable application security choices are someone’s employees, too. As this survey shows, there’s no such thing as too cautious when it comes to mobile application security.