Antivirus Software Isn’t Enough To Protect The Enterprise Anymore

The cybersecurity industry has some of the brightest minds in technological innovation focused on safeguarding the enterprise. The problem? Some of the brightest minds are also using their talent to create ever-more sophisticated cyberattacks.

“Cybersecurity is a constant cat-and-mouse situation,” explained Dominic Chorafakis, principal consultant at cybersecurity firm Akouto Consulting, in a recent interview with PYMNTS. “So every time there is a new type of threat out there, there is definitely a period of time when the major cybersecurity vendors are going to play catch-up to find out how to identify and thwart those threats, and then a new threat comes out.”

Akouto recently warned of such a scenario, issuing a press release this week that described “mutant malware” able to bypass the typical antivirus software deployed within corporations. One cyberattack is dubbed Heodo, a banking Trojan designed to steal bank credentials and other data to rob corporate bank accounts. It’s a combination of a Trojan and a Worm, Akouto explained, and it’s able to hide from traditional antivirus tools.

Heodo was first identified in March of this year, but according to Chorafakis, it’s hardly the first of its kind to highlight the shortfalls of antivirus tools.

“Not to underplay the importance of antivirus and anti-malware, it’s something that companies need to continue to use and maintain, both as a deterrent and also after detection to help with cleanup,” he said. “Having said that, there is definitely a need to take a more holistic approach to security, both in terms of being able to block these attacks and in detection and response.”

According to Chorafakis, in about 20 percent of instances in which Akouto works with a company to take proactive measures in their cybersecurity strategy, there is an ongoing attack occurring that the organization never knew about, even though they already have antivirus software in place.

“Those businesses have active intrusions going on, and they’re completely unaware of it,” he stated.

This problem highlights the dwell time of cybersecurity detection, that is, the time it takes for an organization to actually detect that a breach or attack is occurring.

“The statistics vary, but on average it takes about three to four months after a breach for a company to detect it and do something about it,” Chorafakis said. “And that’s with antivirus software running, by the way. You definitely need more than antivirus in today’s environment.”

Some research measures average dwell times to be even longer: a report from Mandiant in 2015 placed it at 205 days.

Part of the problem could be that organizations are ignoring their vulnerabilities and therefore aren’t enhancing their cyberattack detection measures as a result. Chorafakis said small- and medium-sized businesses are more likely to fall into this category.

“They think they are too small or not interesting or visible enough to be a target, even though the stats point to a completely different picture,” he explained. “Because of the news coverage of WannaCry and other attacks, there is a growing awareness, but there are still far too many companies in this category.”

Even for companies that are aware of the threat, there are many that fall into a second category, Chorafakis explained.

“It’s troubling, the number of companies who don’t feel that they are targets, but there is a second category of businesses who understand that nobody is immune, but they just don’t feel like the threat is imminent,” he stated. “They’re slow in responding and taking action and, unfortunately, it takes an incident to force these businesses into action.”

But for some SMBs, there may not be an opportunity to take action after a cyberattack has occurred. Chorafakis warned that there is a significant portion of small businesses unable to continue operating after a major attack, and even if they can pick up the pieces, the cost is huge. In addition to threats like Heodo, which go after corporate bank accounts to steal money directly, there is the knock-on cost of rebuilding and recovery, as well as the cost of shutting down the business while recovery efforts are taking place.

“In about half of incidences, businesses took 24 hours or more to recover after a cyberattack,” he said. “You lose a day or two worth of business.”

“Some statistics are more frightening,” he continued, citing 2016 data from the National Cybersecurity Alliance that found the average price for a company to clean up after a cyberattack is $690,000, a crippling figure for an SMB. Sixty percent of small companies that fell victim to an attack found themselves out of business six months later, the NCA’s analysis found.

Clearly, the implications of a cyberattack are huge for a small business, and as these attacks grow in sophistication and ability to bypass traditional cybersecurity measures, companies have to listen up. Chorafakis noted that one particularly important factor for corporate cybersecurity strategies is for professionals to understand the difference between IT and cybersecurity, as many businesses rely on their IT teams to implement security measures.

“IT is IT, and cybersecurity is cybersecurity, and the distinction is very important,” he said. “It’s important for businesses to make sure that when they are choosing their technology partners, they include people and organizations who have a security focus.”

Companies need a dedicated cybersecurity partner who can come in and identify the businesses’ unique needs in this regard, he continued, to develop a customized strategy and solution.