Maksim Kabakou - Fotolia

Security Think Tank: Can low-cost security defeat malware?

How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour intensive?

A reasonable level of security can be achieved without much effort. Most malware continues to be reliant on people and organisations failing to put in any of the right defences.

However, low effort does not mean completely free. If you need to keep a close eye on the security budget, then an investment in time becomes crucial. Reducing your own personal risk, or that of an organisation, requires a certain amount of time and effort – but perhaps not as much as you expect.

So what are some the key steps any individual or organisation should be taking to defend themselves against malware and ensure their software and systems are up to date?

Items that may cost you money:

  • Use an operating system that is still supported – and keep it up to date with the latest software updates from the manufacturer.
  • Have an effective anti-malware solution installed. Look for a product that openly states it uses artificial intelligence (AI) to detect and block over 99% of threats. Some legacy products allow through more malware than they block but are still sold as though they are effective. 

Items that mainly take a small amount of time:

  • Backing up is the process of taking a copy of your most valuable information. If you back up your information and store it in a safe place (not connected to the original location), you have the possibility of being able to restore and recover the information as a final resort. Remember to take a copy of your information regularly.
  • Have an administration account that you only use for installing software or adding users, then remove your administration privileges from any account you use for browsing, email and other regular activities. Most forms of malware cannot install if the person logged in has no installation privileges.
  • Avoid connecting devices together. Networking, or connecting devices together so they can “trust” information from each other, is no longer a good idea. Most organisations now look at keeping each device as individually secure as possible. Cloud services can be used to help share information and applications between devices with lower security risk than most traditional networks.
  • Use well configured firewalls on devices (and networks if you have them). Firewalls help to keep attackers out of networks and devices. Some device operating systems include firewalls as standard. Make sure you have one in place that it is switched on and configured correctly, so only the information you really need can go in and out.
  • Think before you click. Whenever you receive a link or file, be sure you know and trust the source before clicking on a link or opening an attachment.
  • Take every opportunity to learn. A quick read through Isaca’s certification training materials will show that practical and effective security advice is not hard to come by. However, too often, that advice is not acted upon.

At a recent conference, I spoke with a small business owner who asked: “What can you do to protect yourself against this new virus?” The natural first question from me to ask what operating system he was on.

“Windows 7,” he replied. My advice was to upgrade to an operating system that is still actively supported and patched.

“I know, but what if I don’t want to?” said the business owner.

I explained he would always be at greater risk of malware infections, but there were a lot of steps to take:

  • If he safely backed up (took a safe copy of) his information, he could at least restore his computers after any successful infection. Did he back up his information and keep that backup offline? No. Did he want to do that? No. He liked his backup attached to his network where he could get to it (and so could most malware).
  • He could run an advanced AI anti-malware solution – but it would cost him a few pounds per month, per machine. He didn’t want to do that – it seemed expensive.
  • He could more securely configure his computers so they would not easily spread infections should one of them be compromised. As that would take him a few hours, he wasn’t that interested in doing that either.

The trouble we find with businesses without a full realisation of the risk cyber threats pose to them is that everyone wants security to just be something that requires no money, effort or time – and these days, that is not the case. In fact, all those cyber attackers rely on people like my friend to leave large and easy security gaps in place.

Effective security can be achieved with relatively little time and money. It just requires taking the time to understand and follow basic advice. After all, any organisation that had already followed the steps listed in this article would not have been caught unprepared by the WannaCry ransomware.

Read more on Hackers and cybercrime prevention