Malware, or malicious software, is a computer program written to infect a user’s device and take some action on that device without the user’s consent. There are so many variations that it would be nearly impossible to list all types of malware and their potential effects. Some of the more common types of malware are:
- Ransomware: completely locks out the user from their system unless a ransom is paid
- Spyware: collects data about the user’s activity and sends it back to the cybercriminal
- Worms: self-replicating programs that infect other machines upon their connection to infected devices
- Trojan horses: programs that masquerade as software with a legitimate purpose to encourage installation before allowing access to, or control of, your device
- Viruses: programs hidden within executable files that infect the device once the file is run and can then self-replicate and spread, similar to worms
Where Does Malware Come From?
Most malware is used to perpetrate financial crimes like identity theft, theft by deception, or even extortion. Other potential uses include corporate and governmental espionage, cyber warfare, and so-called cyber vandalism. These programs can be purchased directly from marketplaces on the dark web or written specifically by the bad actors. Still, once you lose control over all the activity on your device, the sky is the limit for potential vulnerabilities.
Especially in the current state of the internet of things, every single connected device is vulnerable to an attack from malware. This could mean anything from your cell phone, laptop, tablet, or even your smart washing machine or wifi-connected refrigerator. Cybercriminals can access other connected devices, create or take over administrator accounts, install additional malware, or compromise your credit cards and other financial information.
What Can You Do About It?
Now that we know what malware is and where it comes from, it’s time to talk about what we can do about it. You can clean infected devices, but learning how to prevent malware and viruses is much easier than addressing already infected computers. The most effective methods to prevent virus and malware issues are standard good cyber hygiene practices. The following tips are highly recommended methods to increase your security and help prevent data breaches due to malware.
Antivirus and Anti-Malware Programs
Many users aren’t even aware that their devices may be compromised without an alert from an anti-malware program or noticing something suspicious such as unexpectedly redirected web browsing, pop-up ads, or frequent system crashes. As such, the first step you should take to protect your network and devices is installing a quality anti-malware program. Unfortunately, one of the top blunders we see in this area is the failure to keep these critical programs up to date, so make sure to install all available patches and updates as soon as they become available.
Social Engineering Training for Employees
According to a Verizon study in 2019, over 29% of data breaches directly result from malware. One of the most common ways to perpetrate these attacks is through a technique referred to as social engineering. While social engineering-type attacks do not always aim to install malware, they are a threat vector that should be a major concern for your business. Training your employees to identify and avoid falling victim to these scams is therefore paramount.
Social engineering attackers attempt to convince employees to take some type of action that benefits the scammer. That action may be installing a program, following a compromised link, or opening an attachment, all of which would result in malware attacks. Alternatively, employees may be asked to wire money, purchase gift cards as a payment method, or take some other action that would result in a direct financial loss. This variety within the attack vector is the very thing that makes it so common and so dangerous, and it is exactly what warrants repeated training for your staff.
Practice Password Hygiene
Everyone hates restrictive password policies, but they work. Passphrases are better than passwords, and adding a mix of capital and lowercase letters, special characters, and setting minimum character limits all help ensure that strong passwords are in place. Add to that multi-factor authentication, different passwords for each major system, and scheduled password changes, and you have the makings of a seriously robust password policy.
Encouraging the use of a password manager will help your employees manage multiple passwords much more securely than the old method of handwriting them on hidden scraps of paper or in notebooks that can be easily lost or stolen. These password managers can themselves be tied to multi-factor authentication or biometric security features to enhance their own security.
Embrace the Principles of Least Access and Network Segmentation
This is a standard cybersecurity practice, and it doubles as a great defense mechanism when you’re looking for how to prevent malware and viruses from attacking your operating systems. Your business network should be separated into segments, each with its own security features and its own password access. In addition, only those who truly need access to specific segments within this network should be given access. That limits the number of employee and administrator accounts that can access a given segment. Furthermore, it enables your tech support staff to more easily see if an existing account’s permissions are abruptly changed without their intervention, or if new accounts with high-level access suddenly appear. Both are major signs of a breach.
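The check described above can be automated by comparing two snapshots of account permissions. The following is an added example, not part of the original article; the snapshot format, the group names, and the `approved` list of changes made by IT staff are all assumptions.

```python
# Added example: diff two account snapshots and report privileged changes
# that IT staff did not make themselves. All names below are hypothetical.
PRIVILEGED_GROUPS = {"Domain Admins", "finance-segment-admins"}

def audit_accounts(before, after, approved):
    """Return findings for privileged access not covered by an approved change.

    before/after: dict mapping account name -> set of group names.
    approved: set of (account, group) pairs granted on purpose by IT staff.
    """
    findings = []
    for account, groups in sorted(after.items()):
        old_groups = before.get(account)          # None means a brand-new account
        gained = groups - (old_groups or set())
        for group in sorted(gained & PRIVILEGED_GROUPS):
            if (account, group) in approved:
                continue                          # expected change, not a finding
            kind = ("new_privileged_account" if old_groups is None
                    else "privilege_escalation")
            findings.append((kind, account, group))
    return findings

# Constructed sample data: yesterday's and today's snapshots.
BEFORE = {
    "alice": {"staff", "finance-segment-users"},
    "bob": {"staff"},
    "it-admin": {"staff", "Domain Admins"},
}
AFTER = {
    "alice": {"staff", "finance-segment-users", "finance-segment-admins"},
    "bob": {"staff", "Domain Admins"},
    "it-admin": {"staff", "Domain Admins"},
    "svc-backup2": {"Domain Admins"},
}
APPROVED = {("alice", "finance-segment-admins")}

if __name__ == "__main__":
    for finding in audit_accounts(BEFORE, AFTER, APPROVED):
        print(finding)
```

The fewer accounts that hold access to a segment, the shorter each snapshot is and the more clearly an unexpected entry stands out.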
Follow Email Security Best Practices
Nothing gives IT personnel a bigger headache than suspicious email. An overly restrictive email firewall results in complaints, and an overly lax policy can result in well-meaning employees clicking links and opening attachments from cybercriminals. The ensuing chaos can completely shut down business operations.
Never open an attachment from a sender unless you expect to receive it, even if you believe you know the account it was sent from. Malware in place on an unknowing sender’s computer can do things like send an email, add attachments, and more, all without the knowledge of the owner. When in doubt, contact the sender directly through means other than email to verify the authenticity of the message and of any links or attachments. Remember that email addresses can easily be spoofed, so a message may not be from who you believe it to be, even if the name is properly displayed. A warning added to all messages received from external senders is also a very beneficial and simple step. That warning appearing on an otherwise seemingly internal email is a great way to detect a spoofed sending address.
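The external-sender warning can be applied automatically at the mail gateway. The following is an added example, not part of the original article; it assumes every message passed to `tag_inbound` arrived from outside the organisation, and the domain `example.com`, the staff names, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"             # assumption: the organisation's domain
STAFF_NAMES = {"dana reyes", "sam patel"}   # constructed staff directory
BANNER = "[EXTERNAL] "

def tag_inbound(raw_message):
    """Tag a message that entered through the internet-facing mail gateway.

    Assumption: internal mail never reaches this function, so every message
    seen here originated outside the organisation.
    Returns (new_subject, set_of_warnings).
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    warnings = set()
    if domain == INTERNAL_DOMAIN:
        # Internal-looking address on mail that came from outside.
        warnings.add("spoofed_internal_address")
    elif display_name.strip().lower() in STAFF_NAMES:
        # A colleague's name is displayed, but the real address is external.
        warnings.add("staff_name_on_external_address")
    subject = msg.get("Subject", "")
    if not subject.startswith(BANNER):
        subject = BANNER + subject
    return subject, warnings

# Constructed sample messages.
SPOOFED = ("From: Dana Reyes <dana.reyes@example.com>\n"
           "Subject: Wire transfer today\n\nPlease handle.\n")
LOOKALIKE = ('From: "Sam Patel" <sam.patel@mail-example.net>\n'
             "Subject: Invoice attached\n\nSee attachment.\n")
VENDOR = ("From: Billing <billing@vendor.example.org>\n"
          "Subject: Monthly statement\n\nHello.\n")

if __name__ == "__main__":
    for raw in (SPOOFED, LOOKALIKE, VENDOR):
        print(tag_inbound(raw))
```

Every message gets the banner; the two warnings mark the cases where the banner contradicts what the sender line appears to say.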
While no security posture is foolproof, you want to do your best to set up your employees, your business, and yourself for success.