04/11/2014

By Chris Boyd, Malware Intelligence Analyst, Malwarebytes


The increasing number of start-ups in Britain, and the fact they often operate with minimal budgets and resources, makes for a target-rich environment for cybercriminals.

Figures also indicate a worrying naivety towards the importance of IT security. For example, a recent survey by the Federation of Small Businesses (FSB) found that over four in 10 of its members were victims of cybercrime in a 12-month period, with the average cost being around £4,000 per organisation. This is £800 million in total. One in five SMEs also said they had taken no steps at all to protect themselves from cybercrime.

The problem of falling foul of cybercrime is greater than just an inconvenient few hours of downtime. Today’s malware is smart and built for purpose. It can remain hidden on an SME’s networks and devices for long periods of time, transmitting sensitive data such as bank details and intellectual property back to shady individuals. Not only this, but should such a breach become known to customers, the reputational impact can be long-lasting.

Many CIOs and IT departments aren’t aware of the inefficiencies of traditional anti-virus (AV) software when it comes to identifying malicious software. Criminals innovate at breakneck speed and, with malware’s ability to adapt in order to stay undetected (roughly 50,000 variants per day), it is almost impossible to stay on top of each and every emerging threat. This is especially relevant given the increasing use of social engineering techniques to trick unsuspecting employees into downloading malware by presenting it as familiar content.

The exploit approach in particular has become increasingly commonplace. Criminals abuse vulnerabilities in common software applications such as Internet Explorer, Java, Adobe Reader and Microsoft Office and use these to access a target machine, leaving the user with absolutely no knowledge of the breach. A recent example of this occurred when a wave of targeted emails with malicious PDF attachments, claiming to be invoices, was sent out to thousands of people. Those with any version of Adobe Reader which had not been recently updated were vulnerable to infection.

But while this might all sound scary, there are some relatively simple steps that small businesses can take in order to keep both employees and the broader business protected from day one. These are:

• Follow government advice: The UK government launched a new Cyber Essentials standard on June 5th of this year. It offers a set of basic technical controls for organisations and has been designed in collaboration with Information Assurance for SMEs as well as being backed by the FSB.

• Educate: A critical part of any security strategy – and particularly in organisations with BYOD policies – education will ensure employees are more aware of the ways they could compromise company security. Empowering select senior staff to share appropriate information with others, to help build best practice and warn of potential upcoming attacks, will also ensure that all employees are aware of what actions are or are not acceptable.

• Take a layered approach: Using complementary security software can significantly increase protection both against older, more traditional viruses and some of the newer, shape-shifting malware and exploits. An anti-malware and anti-exploit system used alongside an AV, in addition to regular updates and patching, will greatly enhance protection and reduce the chances of infection. Similarly, a good spam filter will help prevent scam emails.

• Consider employee access rights: Limiting control is a simple step which can minimise the chances of a data breach. This can be done either through the User Account Control that comes with the Windows platform (Vista and above) or by limiting staff access online so employees only have access to the websites they need to do their job efficiently.

• Implement a security policy: Putting an overarching framework in place limits threats from staff, malicious actors and accidents. This should be based around key principles which govern IT usage across the organisation and drill down into the specifics of things like the computing environment, physical security, data security and use of specific systems.