5 min read

Antivirus is not enough to protect your business - here is why

October 17, 2022
By: Eye Security
26 July 2024

Many antivirus software providers claim that their product will protect you from digital woes. This is only partly true, so it is important for entrepreneurs to realise that an antivirus solution alone is not sufficient to protect against, for example, ransomware or a hack.

An antivirus programme alone will not protect your company against cybercrime. "It's a bit like riding a motorbike with just protective trousers, but without a helmet and in your T-shirt," says Cas Bilstra, cybersecurity specialist at Eye Security. He explains that traditional antivirus software is very good at intercepting known malware. The characteristics of known threats, such as viruses and other malicious software, are kept in a database, and the antivirus programme can recognise any software that meets one of these characteristics. "Then the programme will send a notification that malware has been detected. However, this is not enough, we know from experience."

Static versus dynamic

Viruses and malware are no longer the biggest threats to organisations. Cybercriminals have improved and expanded their attack tactics and methods in recent years. "That's why having only a traditional antivirus solution is not enough to fully protect your network nowadays," says Bilstra. "Antivirus software works in a static way and can only compare against a malware database. Antivirus programs are not able to detect deviations in behaviour and patterns on the network. Commands that are normal in one situation indicate a hacker in other situations. This distinction is difficult for an antivirus programme to make." And therein lies the crux according to the cybersecurity specialist. "The time between the entrance of a hacker into your systems and any consequential damage is crucial to be able to limit the impact of a cyber incident. An antivirus solution only notifies you the moment that impact is noticed, or in other words, when the hacker rolls out the ransomware. By then you are too late. It's all about noticing hackers before they have an impact on business operations."

Behavioural analysis on company network

Specialists have been pointing out for some time that it is no longer a question of whether an organisation will be affected by cybercrime, but when. "What matters is that you manage to minimise the impact of an attack," Bilstra explains. "That means that you have to realise at a very early stage that there are things happening on your network that shouldn't be there. An EDR (Endpoint Detection and Response) solution helps detect and investigate suspicious activity on endpoints such as laptops and servers. In addition, it makes it possible to actively react and intervene in the event of malware or cyber attacks." An EDR can analyse the behaviour of computers on the network. It distinguishes itself from antivirus software that only looks at one local machine. "If an EDR solution detects a deviation from the regular pattern, an alarm is immediately sent out so that specialists can intervene and ensure that any compromise does not cause any damage. So it is possible that you will not experience any negative consequences, despite a hack."

Detection and response

Besides behavioural analysis, there are a number of other important differences between antivirus and EDR. "For example, an EDR contains protection against uninstallation," Bilstra explains. "That means that if a hacker is on your system and wants to sabotage the EDR, the software automatically reports that something suspicious is going on. This allows you to quickly find out that an intruder is on your network." Another advantage of EDR over antivirus is that telemetry is collected in a central location. "By that we mean programs that are run or installed, files that are viewed, websites that are looked up, commands that are executed on the system, etc." An antivirus programme runs locally and so cannot compare information with other systems, as an EDR can. "It is therefore better equipped to detect deviations faster, based on all the information and data that is continuously collected. For example, when an export is made of the passwords stored on the computer. Or when abnormal commands are executed on a number of computers simultaneously or shortly after each other. Finally, such a system contains a response capability, as the name suggests. This means that via an EDR solution, systems in the network can immediately be isolated when suspicious behaviour is detected. In this way, it prevents a potential attacker from penetrating deeper into the network."
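The two detection models contrasted in the sections above (a static hash lookup against a malware database versus a behavioural rule run over fleet-wide telemetry) can be shown side by side. The following is an added illustration written for this article, not code from Eye Security or from any EDR product; the file bytes, host names, command names and the "normal for this fleet" baseline are all constructed stand-ins.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for a known malicious file and a slightly altered variant
# (neither is a real file; the single changed byte is what defeats the hash match).
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE-v1"
VARIANT_SAMPLE = b"CONSTRUCTED-SAMPLE-v2"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def static_scan(file_bytes: bytes, db: set = SIGNATURE_DB) -> bool:
    """Antivirus-style check: True only if the file's hash is already in the database."""
    return hashlib.sha256(file_bytes).hexdigest() in db


# Constructed central telemetry as an EDR would collect it: (timestamp, host, command).
TELEMETRY = [
    ("2024-07-26T09:00:05", "ws-01", "outlook.exe"),
    ("2024-07-26T09:00:12", "ws-02", "outlook.exe"),
    ("2024-07-26T09:01:00", "ws-01", "unfamiliar-tool.exe"),
    ("2024-07-26T09:01:20", "ws-03", "unfamiliar-tool.exe"),
    ("2024-07-26T09:01:45", "ws-07", "unfamiliar-tool.exe"),
    ("2024-07-26T11:30:00", "ws-02", "unfamiliar-tool.exe"),
]
# Commands that are normal for this (constructed) fleet; anything else is "non-baseline".
BASELINE = {"outlook.exe", "excel.exe", "teams.exe"}


def behavioural_alerts(events, baseline=BASELINE, min_hosts=3, window=timedelta(seconds=120)):
    """Flag a non-baseline command seen on at least min_hosts distinct hosts within one window.

    This is the cross-host pattern the article describes: the same abnormal command
    on several computers simultaneously or shortly after each other. A single local
    scanner cannot see it because each host only knows its own events.
    """
    seen = defaultdict(list)  # command -> [(time, host)]
    for ts, host, cmd in events:
        if cmd not in baseline:
            seen[cmd].append((datetime.fromisoformat(ts), host))
    alerts = []
    for cmd, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((cmd, sorted(hosts)))
                break  # one alert per command is enough for the analyst
    return alerts
```

Running `static_scan` on the variant returns False even though it differs from the known sample by one byte, while `behavioural_alerts` raises one alert for the unfamiliar command seen on three hosts within two minutes; the lone execution at 11:30 on its own stays below the threshold.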

Clarifying complex notifications

In the most ideal situation, there would be an EDR solution that could make perfect choices autonomously. Unfortunately, this is almost impossible: programmes that are often used by hackers can also have legitimate use cases, and the same applies to commands that are executed. Criminals also often use software built for legitimate use (such as remote management software) to maintain access to compromised systems. That is why, as an organisation, you need a cybersecurity partner who is able to interpret the reports from EDR solutions and determine whether abnormal behaviour or risky software originates from legitimate activity or not. Interpreting reports from security systems is specialist work that not every IT department has the right people for. "That's why it's so important to work with specialists who can do this and who are also available 24/7. Not only are people better at assessing whether certain behavioural anomalies are legitimate or malicious than computers, but they can also intervene more efficiently the moment an intruder is actually on your systems." And that is where the greatest opportunity to limit the impact of an attack lies. "The quicker you detect an attack, the quicker you can get rid of hackers and minimise the impact on business operations."

Rapid detection is crucial

Assessing security alerts is complex because it requires contextual expertise in cybersecurity. "This requires knowledge and experience. We see that many system administrators, but also companies' IT partners, are mainly generalists with broad IT knowledge. To outwit cybercriminals, it is necessary to have very specialised security knowledge." Bilstra explains that the EDR solution Eye implements for customers ensures that cybersecurity specialists have relevant information about the customer's network and what is happening on it at all times. "This allows us to detect and assess anomalies quickly. When an attack actually occurs, we can use this information to act immediately and drastically reduce the impact. The first four hours of an attack are crucial. When we have the right tools and information at our disposal, we can quickly repel attacks before they have any impact on the business."

Antivirus alone is insufficient

Bilstra gives an example of a European technology company that was using antivirus software from a reputable vendor. "This turned out to generate various reports, including, incidentally, false reports. Because of these many false alerts, an antivirus product is often not allowed to intervene on its own, and no one pays attention to the alerts that come out. This allowed the attackers to go ahead and spread ransomware on the company network. At that moment we were asked to help, but by then the damage had already been done and we had yet to start collecting information to determine what had happened and which systems were affected. In the end, this company had to pay millions to rebuild its systems, and the company was down for a week." The cybersecurity specialist reiterates: "It is almost impossible to ensure that attackers do not get into your systems. Only by noticing them when they are inside, but before they do damage, can you take targeted action to prevent impact. You'll not succeed in this with just an antivirus solution."

The constantly evolving threat landscape, characterised by advanced persistent threats, zero-day attacks, and other cyber threats, demands a multi-layered approach to cybersecurity. Businesses need comprehensive protection that includes not only antivirus software but also endpoint protection, automated responses, and employee training to effectively mitigate the risks posed by phishing attacks, new malware variants, and other sophisticated cyber threats. By incorporating advanced threat detection, multi-factor authentication, and continuous monitoring, organisations can better safeguard their sensitive data and prevent unauthorised access.

Frequently Asked Questions

Is antivirus protection enough to keep my business safe from cyber threats?

No, antivirus protection alone is not sufficient. While traditional antivirus solutions are effective against known threats, they cannot fully protect against new and unknown threats, advanced threats, or advanced persistent threats. To ensure comprehensive protection, you need a multi-layered approach that includes additional security measures like endpoint protection, anti-malware software, and real-time protection.

What are the differences between free antivirus software and paid antivirus software?

Free antivirus software typically provides basic protection against known viruses and malware. However, paid antivirus software offers more advanced features such as protection against zero-day attacks, ransomware attacks, and advanced threats. Paid solutions often include additional security tools like anti-malware software, firewall protection, and more robust support services.

What kind of threats can antivirus software detect?

Antivirus software is designed to detect and remove known threats, such as viruses, worms, and other malicious software. However, it may not be as effective against new malware variants, unknown threats, and sophisticated attacks like phishing scams or advanced persistent threats.

How can I protect my business data from insider threats and other cyber threats?

Protecting business data requires a comprehensive cybersecurity strategy. This includes implementing multi-factor authentication, endpoint detection and response (EDR) solutions, and continuous monitoring for unauthorised access. Employee training on recognising phishing emails and phishing attempts, using password managers, and adhering to cybersecurity best practices is also crucial.
