One of the issues that owners of SMEs have to deal with as far as their IT goes is that of malware – i.e. software that is specifically designed to “act badly” and damage your data and your business. Whereas historically malware was designed to let hackers “show off” – “how far can we make this software spread, and how much damage can we do?” – these days malware is typically published and distributed by criminal gangs in order to provide them with a revenue stream. That revenue either comes from ransomware (putting your data beyond use until you pay a ransom), or from using your computer’s resources without your knowledge to send spam or push other malware – i.e. using your computer’s resources for free, rather than having to pay for them themselves.
Malware is just software, and that means it needs to be installed on a computer in order for it to do anything. Most protective efforts related to malware are therefore based on the principle of stopping the malware from getting installed. The reality, though, is that no one deliberately goes out and buys or downloads malware – people have to be tricked into installing it.
The Four Rules of Cybersecurity
There are four rules of cybersecurity that, if you follow them, will pretty much guarantee that you can keep yourself safe from cybersecurity threats. We talk about them a lot in this blog, and other reports that we publish. They are:
- Keep your operating system and applications up-to-date (patched),
- Use strong passwords and do not reuse passwords,
- Make backups, and monitor your backup health,
- Do not click on email attachments or links unless you really have to – aka “email hygiene”.
Of those four, the first three are down to you as a business owner, and the last one – email hygiene – is down to your employees. Before we look at that, let’s look at why the first one – patching – in particular keeps you protected from malware.
The key word in the introduction above is that people have to be “tricked” into installing malware. Whilst some malware does work by “poisoning” search results in order to trick people who are trying to install legitimate software into some malware-infected version, the vast majority of infections work by exploiting bugs or other weaknesses in software that is already installed on your computer.
When delivering malware by email, the malware author is betting that when you click on “SalesInvoice001.pdf” or similar, you are running a piece of software on your computer that has a bug in it, so that rather than just showing you a PDF, the malware also runs and infects the machine. Because sending email is essentially free, malware authors can send out millions of pieces of spam email with the infection in them, just hoping that one of those millions of recipients happens to both a) open the attachment, and b) have a buggy version of Windows/macOS and/or their PDF viewer installed, and/or some other piece of software that can be exploited.
Software engineering is a tremendously difficult discipline, and it is impossible to produce bug-free software. Some of those bugs will be of a type that can be exploited by malware, but over time those bugs will be fixed. Logically then, there will always be times when you have software installed on your computer that is exploitable – as we cannot produce software that has a 0% risk of “exploitability”. However, if we keep our software patched, we keep the “infection window” as small as possible. Yes, we’ll always have a risk of infection, but we want that risk to be small.
In particular, it is critically important to keep our operating systems patched to the most current version – regardless of the type of operating system. It is just as important to keep Windows, macOS, and even iOS and Android patched. A corollary is that it is so important not to use very old operating systems that are “out of support”. “Out of support” just means “no longer being patched for security updates”. If you use old operating systems, like Windows 7, you are simply asking to be infected.
As mentioned before, keeping everything patched is your problem as the owner of the business. Employees can manage to “ruin” this best-laid plan simply by not following good email hygiene.
Email, from the malware authors’ perspective, is the most efficient way of propagating malware out into the wild. Firstly, as mentioned before, it is so cheap as to be considered as having no cost, and secondly, every business, as likely as not, uses email. Therefore, malware authors have an army of operators out there, each of whom has a non-zero chance of installing their malware on a computer.
The trick then is to take your employees out of the loop, while still appreciating that they need to use email to do their job. You can do this by teaching good email hygiene – basically just teach them not to open email attachments or click on links within emails unless they are absolutely certain of what they are. There is nothing delivered over email that cannot be verified with a phone call or text to the original author.
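One way to put that rule into practice, as an added example rather than anything from the original post, is a small Python check that lists what in an incoming message has to be confirmed with the sender before anyone opens it. The message, sender address and URL below are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not a real message): an unsolicited "invoice" carrying an attachment and a link.
SAMPLE_EML = """\
From: Accounts <accounts@example-supplier.test>
To: owner@example-sme.test
Subject: Sales Invoice 001
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice, or view it at http://example-supplier.test/inv/001
--b1
Content-Type: application/pdf; name="SalesInvoice001.pdf"
Content-Disposition: attachment; filename="SalesInvoice001.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def hygiene_check(raw_eml, confirmed=frozenset()):
    """List what in a message must be verified out of band (phone call or text to
    the sender) before anyone opens it. `confirmed` holds attachment names and URLs
    the recipient has already checked that way."""
    msg = message_from_string(raw_eml, policy=default)
    _, sender = parseaddr(msg.get("From", ""))
    # Every non-body MIME part is an attachment; record its declared filename.
    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    # Links in the body are the other way a click can hand control to the attacker.
    body = msg.get_body(preferencelist=("plain", "html"))
    links = URL_RE.findall(body.get_content()) if body else []
    pending = [item for item in attachments + links if item not in confirmed]
    return {"sender": sender, "attachments": attachments, "links": links,
            "needs_verification": pending}  # open nothing in this list until confirmed


if __name__ == "__main__":
    result = hygiene_check(SAMPLE_EML)
    for item in result["needs_verification"]:
        print(f"Verify with {result['sender']} before opening: {item}")
```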
What has tended to work for us in the past is to build a “security culture” within the business that very clearly says that it’s better to cause a little frustration to a customer or partner by not fully trusting an email than it is to wipe out the whole business by blithely opening any and every email that arrives in staff inboxes.