If you think that installing Anti-virus software on your office computer is going to protect you from the latest generation of malware, think again.
Every day, with over 230,000 new malware threats created and released online, we have watched the evolution of these programmes, from primitive adware, to being capable of fooling both the most tech-savvy user and the software designed to remove them.
Malicious software is an umbrella term used to refer to a variety of forms of harmful or intrusive software, which is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attacks such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focused attack on an organisation.
The problem however, extends past the product simply getting smarter. With more instances of malicious software being readily available to buy - or even rent - online, it seems that anyone with a Bitcoin account and questionable morals can easily extort a vulnerable or misinformed target if they view the payoff as worth it.
And largely due to this wider accessibility, InfoSec has been in the spotlight this year. From huge data protection overhauls, to media-covered ransomware and cyberattacks, the exploitation of digital security has undoubtedly drawn the world’s focus.
But this is one trending story that can affect anyone with an internet connection, and so it’s critical to make sure that everyone is aware of how easy it can be to leave your business open and vulnerable to the very real threat and implications of malware.
The best way to deal with malicious software? Don’t expose yourself to it. Being as strong as your weakest link is a phrase you hear a lot in IT, but specifically relevant when discussing your computer systems’ vulnerabilities to malware.
Malicious software is now far stealthier. Once you are exposed to it, it can lie dormant when sensing malware analysis software, replicating itself upon attempted removal.
As the user is unaware of any change in the computer’s immediate activity, threats can go undetected for extended periods.
The basics in virus and malware prevention have been ingrained in IT best practices since the 90s:
1. Don’t open that Windows attachment from an unknown sender.
2. Make regular backups and store them offsite.
3. Don’t use anyone else’s USB stick.
If your computer got infected like this today, then the chances are that it would flag with your security software and a standard removal tool would erase all trace of the 90s malware, with no long-lasting impact on your company data.
But even today, the basics are overlooked. Many pay-for-release Ransomware attacks could have been sidestepped if the company had a backup of their server elsewhere and the majority of initial personal information hits are still being sourced from phishing.
Don’t be too quick to dismiss that there might be a disconnect between your knowledge and your colleagues.
In 2018, malware is now a lot more complex. Used by organised crime syndicates and government agencies, the malware operation is now slick and well-monied, with hackers finding smarter ways to insert malware within legitimate software. The aim now is to infiltrate a programme which users will automatically trust.
One of the biggest examples of this was back in October 2017, when Adobe users received a seemingly legitimate Flash update from a licensed developer, which bypassed both Windows and Mac gatekeepers, resulting in malware being downloaded by thousands of users.
The modification of how malware is packaged means that criminals are also searching for previously unknown security vulnerabilities to infiltrate legitimate software.
Often released as a Zero Day Exploit, this leaves the legitimate company scrabbling to work on a patch to secure the software, but it can ultimately expose a vast number of systems to malicious software, along with a loss of trust and revenue for the company it is targeting.
How to Protect Your Business:
• Give your team the why. Explaining how malware is relevant to everyone and the implications of a breach should give everyone the motivation to remain switched on to suspect correspondence and updates.
• Make sure to install regular security updates and automate these across all business machines.
• Technology news can be crucial in keeping updated with emerging stories which are relevant to your information security.
With all the excitement in the news about big organisations facing security breaches, it can be easy to feel the disconnect between media coverage and how it directly relates to your own business. However, in 2017 the company Symantec released figures stating that 43% of all ransomware attacks were carried out against businesses with under 250 employees.
Along with crime rings looking for flaws in Flash Player, there are numerous other, smaller operations who are out there looking to infiltrate company websites with their malicious software. What is helping these attacks become more successful, is the current age in which small businesses operate.
Using less people-power, more small companies are relying on software to help them automate their CRM, mailing lists, workflow and financial processes. Along with this, comes the organisational widgets, various extensions and third-party software.
The problem with this love of automation is that employees are more willing to try new add-ons to save themselves time. A by-product of this is employees tend to automatically trust these developers.
Fundamentally this software is a good thing, but it is also a playground for malware threats for two reasons:
• The developer may knowingly insert malicious software into their own programme as a means to mine data or additional income through Adware.
• A legitimate developer can inadvertently leave itself open to malware insertion. This affects both the software company in breach, along with their customers using the add-on, API or extension.
Figures reported at the 2016 Cybercrime Symposium showed that although mobile malware made up just 1.06% of the total attacks, instances of SMS trojans, spy-phone apps, Shareware and Adware are all significantly higher than in previous years.
Having a mobile workforce is key for flexible working, so an increase in mobile malware threats is concerning, however inevitable.
Android is being targeted more frequently than iOS, however this doesn’t mean that by having a specific device will fully protect you against all attacks.
How to protect your business:
• If you are providing hardware, set a policy with regards to segregating personal and company information, preventing exposure to Malware threats during personal browsing activity.
• If you are providing hardware, issue devices with a usage monitor.
• Enable remote wipe.
• Automate software updates across all business devices.
• If your staff are using their own tech, store all your accessible company data within its own encrypted container.
If you'd like some help and advice on malware, anti-virus software or other cybersecurity issues, get in touch with Grant McGregor today on 0808 164 4142.