_Part 8 of 12 in the Cyber security for the small business series._

Malware — malicious software — is the broad category that includes viruses, ransomware, trojans, spyware, and various other unpleasant programs designed to harm your systems or steal your data. Whilst phishing is the most common delivery mechanism, malware can also arrive via infected USB drives, malicious websites, compromised software downloads, and vulnerabilities in unpatched systems. This month: what to install, what to configure, and how the work from earlier in the year all fits together.

Antivirus and anti-malware software

Every device in your business — computers, laptops, and ideally tablets and phones — should have anti-malware software installed and running. The good news for 2024 is that modern operating systems include capable built-in protection.

Microsoft Defender Antivirus (formerly Windows Defender, built into Windows 10 and 11) is now a genuinely competent anti-malware solution. For many small businesses, it provides sufficient protection without any additional cost. Ensure it is enabled, that real-time protection is turned on, and that tamper protection is on so that malware cannot quietly switch it off. Open Windows Security from the start menu, go to Virus & threat protection, and check.

macOS includes XProtect and Gatekeeper, which provide baseline malware protection. Whilst Macs are not immune to malware (a persistent myth), the built-in tools are adequate for most small business use, provided staff do not bypass Gatekeeper's warnings to open unsigned downloads. Keep macOS up to date and most of this works without intervention.

iOS and Android have built-in protections that are generally sufficient for typical business use, provided users only install apps from the official stores. On Android, leave the "install unknown apps" permission disabled for every app that does not need it; it is off by default, and sideloaded apps from the web are the usual way malware reaches a phone.

If you choose to use a third-party anti-malware product, reputable options for small business include Malwarebytes, Bitdefender, and ESET. Look for products with business management consoles that let you monitor protection across all your devices from a single dashboard. The marginal value over Defender for a typical small business is real but small, and it lies mostly in that console, which tells you which devices are unprotected or out of date, rather than in any difference in detection.

Whatever you use, ensure that automatic updates are enabled for both the software itself and its malware definitions. An anti-malware tool with outdated definitions is like a guard who has not been briefed on the latest threats.

Defence in depth: why antivirus alone is not enough

Anti-malware software is important, but it is not infallible. No product catches everything, and new malware is created constantly. A defence-in-depth approach means layering multiple protections so that if one fails, others catch the threat. The good news is that, by August in this series, you have already built most of those layers without thinking about it as a malware defence.

Email filtering catches malicious attachments and links before they reach the user. We covered this in May.

Software updates close the vulnerabilities that malware exploits. We covered this in June.

Network protections at your router help block known-bad traffic. We covered this in July.

Anti-malware catches what gets through. We are doing it now.

Backups allow you to recover if malware gets through everything else. We do this next month.

Each layer catches a different fraction of attacks. No layer catches everything. The combination catches almost everything, and the small percentage that gets through all of them is what backups and the incident response work later in the series are for.

Common infection vectors

Knowing where malware comes from helps you reduce exposure:

Phishing emails remain the leading vector. The May work matters here.

Malicious downloads from compromised websites. Browsers warn you about most of these; respect the warnings. Avoid downloading software from random search results — always go to the vendor's official site.

USB drives. A USB drive of unknown origin is one of the highest-risk things you can plug into a business computer. We cover this properly when we look at physical security in October.

Vulnerable software exposed to the internet. Your website, particularly if it runs WordPress, is the most common example; remote-access tools opened directly to the internet are the other. Keep plugins and core software updated, and do not expose anything to the internet that does not need to be.

Drive-by downloads. Older browsers can be exploited just by visiting a malicious page, without any download being requested. Keeping your browser current (June) prevents the great majority of these.

Cracked or pirated software. Often comes bundled with malware. Buy your software from the legitimate source, or use the free open-source alternative.

When something gets through

Even with all the above in place, you may still find one day that a machine is behaving oddly. Slow. Lots of pop-ups. Strange files appearing. Antivirus alerts you cannot explain. When that happens:

Disconnect the machine from the network immediately. Pull out the ethernet cable; turn off the Wi-Fi.

Do not turn the machine off straight away. Powering off discards everything in memory (running programs, network connections, and sometimes the encryption keys ransomware is using), which is exactly what an investigator needs to see, and some ransomware finishes its damage on reboot. Get advice first.

Phone your IT support, or, if you do not have IT support, phone someone who knows what they are doing before you act. Action Fraud's number (0300 123 2040) is a starting point for criminal incidents.

Do not pay any ransom without professional advice. Paying does not guarantee you will get a working decryption key, and it does not stop the criminals keeping or selling whatever data they took.

We cover incident response properly in November.

What August looks like

Two things, each a single afternoon:

Check that built-in antivirus is on and updating on every Windows and Mac device in the firm. Make a list. Record, for each device, whether real-time protection is on and the date the definitions were last updated. Tick them off.

Identify any device in the business that is more than five years old, running an operating system no longer supported by its vendor, or running antivirus that has not been updated in the last 30 days. That device is your weakest link. Replace, upgrade, or isolate.
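The checks above (real-time protection on, definitions updated within 30 days, and hardware or operating system old enough to need a closer look) can be done from the Windows Security app, but on more than a couple of machines it is quicker to run a script. The following is an added example, not part of the original post; it uses the Defender PowerShell module that ships with Windows 10 and 11. The 30-day and five-year thresholds are the post's; the output layout and the use of the BIOS release date as a proxy for machine age are my own choices.

```powershell
# Added example: a read-only check of Microsoft Defender Antivirus on one
# Windows 10/11 machine, covering the August checklist. Run from an elevated
# PowerShell prompt. Nothing here changes any setting.

$DefinitionMaxAgeDays = 30   # threshold from the post
$HardwareMaxAgeYears  = 5    # threshold from the post

$mp   = Get-MpComputerStatus                 # Defender state (built-in module)
$os   = Get-CimInstance Win32_OperatingSystem
$bios = Get-CimInstance Win32_BIOS           # BIOS release date: rough proxy for machine age

# Each entry evaluates to $true when the device passes that check.
$checks = [ordered]@{
    'Defender service running'   = $mp.AMServiceEnabled
    'Antivirus engine enabled'   = $mp.AntivirusEnabled
    'Real-time protection on'    = $mp.RealTimeProtectionEnabled
    'Tamper protection on'       = $mp.IsTamperProtected
    "Definitions under $DefinitionMaxAgeDays days old" = ($mp.AntivirusSignatureAge -lt $DefinitionMaxAgeDays)
    'Quick scan in last 7 days'  = ($mp.QuickScanEndTime -gt (Get-Date).AddDays(-7))
    "Hardware under $HardwareMaxAgeYears years old" = ($bios.ReleaseDate -gt (Get-Date).AddYears(-$HardwareMaxAgeYears))
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok   = [bool]$checks[$name]             # $null (e.g. never scanned) counts as a fail
    $mark = if ($ok) { 'PASS' } else { 'FAIL' }
    '{0,-40} {1}' -f $name, $mark
    if (-not $ok) { $failed += $name }
}

# Whether the OS is still supported by Microsoft is a manual check against the
# vendor's lifecycle page, so the script only reports what is installed.
"Definitions last updated : $($mp.AntivirusSignatureLastUpdated)"
"Operating system         : $($os.Caption) build $($os.BuildNumber)"
"BIOS release date        : $($bios.ReleaseDate)"

if ($failed.Count -eq 0) {
    "`nRESULT: $env:COMPUTERNAME passes the August check."
} else {
    "`nRESULT: $env:COMPUTERNAME needs attention: $($failed -join '; ')"
    if ($mp.AntivirusSignatureAge -ge $DefinitionMaxAgeDays) {
        'Try: Update-MpSignature   (forces a definition download; then re-run this check)'
    }
}
```

Run it on each Windows machine and paste the RESULT line into your list. If a device fails the definitions check and `Update-MpSignature` does not fix it, the machine is either offline for long stretches or something is blocking Windows Update, and either way it belongs on the weakest-link list. The operating-system line still needs a human decision: for example, Microsoft's support for Windows 10 ends on 14 October 2025, so a Windows 10 machine that cannot take Windows 11 already qualifies for replace, upgrade, or isolate.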

Next month

September: backups. The single defence that recovers you from the worst outcomes — ransomware, hardware failure, fire, flood, the genuinely terrible Tuesday. If you are only going to read three posts in this series, make April, May, and September those three.

Cyber Essentials note

This month covers Cyber Essentials control 4, Malware Protection. Four of the five controls are now substantially in place if you have followed the series so far.