Akshay Bhargava of Malwarebytes discusses malware and why SMBs are a target.
When running a small business, there are a lot of things to focus on. Making sales, finding new customers and motivating your employees are among them; however, keeping your business secure from cyberattacks might take precedence over of all of them.
That's because if you fall victim to a cyberattack, you might be out of business altogether. A cyberattack on a small business can be crippling. Research shows that 60% of small businesses that are victims of cyberattacks go out of business within six months.
One specific type of cyberattack businesses need to be aware of is malware. Malware is an umbrella term that describes any malicious program or code that is harmful to a company's systems, said Akshay Bhargava, senior vice president of products for Malwarebytes.
"Malware seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device's operations," Bhargava said. "Like the human flu, it interferes with normal functioning."
We recently spoke with Bhargava about malware, how it can impact small businesses, and how artificial intelligence and machine learning are making it harder than ever to detect and combat this growing threat. [Are you in the market for internet security software for your company? Check out our best picks and reviews.]
The rising threat of malware for SMBs
Q: How does malware affect small businesses?
A: Small businesses are especially vulnerable to threats since they often don't have the resources for extensive security products or teams like larger enterprises. It's arguably more important for small businesses to protect themselves, since, unfortunately, when these organizations get hit with malware, it can cripple or end their business entirely.
In fact, 43% of data breaches are from small businesses, according to the 2019 Verizon Data Breach Investigations Report. This means SMBs have to be scrappy and do more with less.
The use of personal mobile devices for business use further complicates risks for SMBs. These devices provide cybercriminals with additional points of entry into an organization. Just by opening an email on a mobile device, unsuspecting employees can open the door for a critical breach, putting organizational information at risk, including customer and employee data.
Securing these endpoints with policy, protocols and appropriate tools for protection is absolutely essential. Many small businesses believe they are too small to be appealing targets for criminals, but the opposite is true. Cybercriminals often target these organizations because SMBs often lack sophisticated, layered security practices, making it easier to get to the sensitive data they hold.
Q: How are artificial intelligence and machine learning affecting the type of malware being used by cybercriminals?
A: Today, savvy cybercriminals have realized that they can leverage AI and machine learning to develop automated and evolving viruses. This enables viruses to morph and evade detection for longer periods of time as they spread throughout the network and infect new devices. Like a human virus, these are especially harmful when they "evolve," or change their code to become harder to combat and prevent.
Criminals are using machine learning and AI to do numerous things along the lifespan of an attack, such as gathering information on targets, impersonating approved users, performing the actual attack, and automating exploitation activity.
Q: Does this type of malware pose a greater threat to businesses than traditional malware?
A: Absolutely. This malware is much harder to detect in real time since it's always changing its signature. In order to detect these threats, we need to fight fire with fire.
At Malwarebytes, we already use a machine learning component that detects malware that's never been seen before in the wild, also known as zero-day. Additionally, other components of our software perform behavior-based, heuristic detections, meaning they may not recognize a particular code as malicious, but they have determined that a file or website is acting in a way that it shouldn't. This technology is also based on AI and machine learning.
Protecting your SMB – and you – from a malware attack
Q: What can small businesses do to protect themselves from hackers and malware?
A: Despite the significant power SMB vulnerabilities afford to attackers, there are a few simple remedies to prevent them from ever becoming problematic:
- Use a layered security approach. Deploy complementary products that leave no gaps for cybercriminals to exploit. Take a holistic look at your current security tools and evaluate how to eliminate any gaps using a layered security approach. You should be reviewing your organization's specific needs, but you will likely want to consider things like endpoint security, encryption, firewalls, and identity and access management.
- Patch your systems. Basic maintenance can ward off many issues. For example, cybercriminals can easily exploit inherent software vulnerabilities in the Windows operating system. These criminals monitor websites for the latest common vulnerabilities and exposures (CVE) and then develop software exploits that take advantage of the vulnerabilities.
- Train your staff. Invest in regular, ongoing training for your employees to help them recognize the latest security threats, including phishing emails and other social engineering tactics. In addition, make sure your first responders, or those with access to sensitive customer or proprietary data, are well versed in cybersecurity best practices.
Q: Why do cybercriminals focus on small businesses?
A: SMBs are often more vulnerable than larger enterprises because they typically lack the resources and bandwidth to hire dedicated security teams. While they aren't as lucrative as enterprise targets, they are significantly more vulnerable and offer a significant amount of data compared to consumer targets. Additionally, small business owners are more likely to pay ransoms, since they may not have backups of their critical data.
Small businesses may also be accessed as gateways into larger enterprises or networks of other small businesses, unlocking bigger prizes for cybercriminals. For example, criminals were able to deploy malware on a customer support product of Inbenta Technologies, which then enabled them to compromise personal data and payment details for thousands of Ticketmaster customers.
Unfortunately, with fewer resources, small businesses are also less likely to catch the criminals targeting them. Criminals feel like the risk versus reward ratio is at a premium when it comes to SMBs.
Q: Besides malware, what other types of cyberthreats are small businesses most vulnerable to?
A: To be clear, there are many different types of malware, including ransomware, worms, Trojans, cryptomining, spyware, adware and malvertising. Some of these are truly virulent, while others may simply cause a drain on your systems – but all should be addressed quickly to ensure businesses can continue running efficiently and safely.
Other types of cyberthreats that small businesses should be prepared to address include distributed denial-of-service (DDoS) attacks, insider threats, and employee mistakes and errors.
Businesses have become prime targets for criminals, according to the Malwarebytes Cybercrime Tactics and Techniques Report. Compared to Q1 2018, business detections of threats have skyrocketed 235%, and according to Accenture, malware is the No. 1 threat to organizations, followed by web-based attacks, denial of service and malicious insiders.
Q: What piece of technology could you not live without?
A: My phone. Being in security has conditioned me to be leery of donning too many wearables like an iWatch, but I can't live without my mobile phone. Like many, I work around the clock. My device is a part of me, connecting me to both personal and corporate applications.
Of course, this is a concern for our chief information security officer, because my device represents a door into Malwarebytes, and it needs to be secured. Every executive I know carries at least one mobile device at all times.
In fact, the U.S. averages eight networked devices per person, a number expected to climb to 13 by 2022. Each one of these devices represents a doorway into their personal and business lives, so they must be secured.
Q: What is the best piece of career advice you have received?
A: There are many ways I could answer this question – from how I coach employees to my "learn by doing" mantra – but the best advice I received early in my career is simply to take care of your people.
The well-being of your team is the secret to being a great leader. Your employees need to feel secure, inspired to do great work, and understand how they contribute to the overall goals of the organization. They also need to be given the runway to succeed.
Q: What's the best book or blog you've read this year?
A: I enjoyed Thinking, Fast and Slow by Daniel Kahneman. The book is about understanding the intricate workings of our own mind and biases. Kahneman covers how human beings have two fundamental parts of the mind: one that has evolved to operate instantaneously but can be prone to biases, and another that is slow and takes effort to be engaged.
The "slow" thinking provides a practical approach when making critical business and personal decisions. This plays into my role as a security products executive and as a business executive. When I consult board members or other executives, we all knowingly (or sometimes unknowingly) bring our biases into the discussions, which is important to acknowledge and work around. Just being aware of my cognitive biases has helped me reshape how I approach challenges and people.
I can tell you this frame of mind has helped me in my personal life as well. I've found it increasingly useful not to just blurt out the first thing that comes to my mind when my wife asks me a question. Unfortunately, she has started reading this book too, so she may figure out my new tricks.
Q: What's the biggest risk you've taken professionally? Did it pay off?
A: One of the biggest risks that I've professionally taken was moving from a large established enterprise to a small private organization. The enterprise I left is one of the largest software companies in the world, with clear processes, cash on hand and intellectual property to weather economic storms.
The smaller organization that I went to was clearly growing at a substantial rate, but despite the growth, it had large, well-funded competitors. Still, there was untapped potential there that I knew I could help unlock. There were many unanswered variables that I knew I wouldn't uncover until I became a part of the smaller organization, such as how my team worked together, how to grow the team or the real culture of the organization.
The journey of working hard, taking full ownership, building a strong culture and team, and seeing the direct contributions of my efforts were the most joyous rewards from that move. The private organization gave me an opportunity to expand my sense of responsibility, learn more about the extent of my own abilities, and gave me a satisfying sense of achievement I had not experienced previously. That journey is still underway as we continue to aggressively grow and capture market share from the larger players.