By Guest Blogger Win10 Guru Ed Tittel. A surprising number of security experts agree that most users shouldn’t pay for a traditional antimalware suite. Windows 10’s built-in protection, plus good security habits, are enough. Building good habits is where security awareness enters the picture.
When asked to pick out the best antivirus application recently, the team at the Wirecutter (a New York Times company that demystifies technology and makes it approachable for non-techies) came to a surprising and interesting conclusion.
The title of their resulting guide “The Best Antivirus Is Not Traditional Antivirus” speaks directly and forcefully to what they learned. For Windows users, for example, the researchers learned from cyber security experts that the built-in Windows 10 Defender “is good-enough antivirus for most Windows PC owners.”
The AV-Test Institute’s independent testing gave Windows Defender the best possible rating for protection in December 2017, and a nearly perfect rating for performance. Their February 2018 “Best antivirus software for Windows Client Business User” report shows Defender 4.12 as a solid performer with very good scores.
Additionally, SentinelOne’s Global Ransomware Study for 2018 provides numerous relevant and fascinating findings. First, the majority (56%) of companies globally have been prey to ransomware between April and March 2018. 45% of companies paid at least one ransom over the past 12 months, but only 26% of those who paid had their files unlocked.
Companies that paid ransoms were attacked again in over 70% of cases. The average cost of a ransomware attack, according to SentinelOne, is over $800K!
If companies are protected by antivirus solutions, how can this be happening? Simple. Attackers deliberately work around software limitations, and depend on social engineering to foist ransomware on their victims.
Crafting the Habits of Security
The Wirecutter guide recommends that systems employ multiple layers of security, which might also include Malwarebytes (available in free and for-a-fee premium versions), “coupled with good habits.”
This latter notion emerges from the old “ounce of prevention” philosophy, which holds that it is far cheaper and more effective to spend a little bit of money to avoid trouble, than to risk spending a lot of money to dig your way out of trouble once it has found you (and your organization).
As it turns out, Windows Defender has a lot to offer businesses and non-profit organizations, too. Microsoft’s Windows Defender Advanced Threat Protection (ATP) goes well beyond the capabilities of many endpoint solutions, with preventive protections, post-breach analysis, automated investigation and response, security intelligence and more.
Organizations that license Windows Pro or Enterprise, or that obtain such licenses through subscriptions to Microsoft 365, can use these facilities for little or no extra cost.
By relying on built-in security tools and capabilities, and teaching users to avoid potential (or actual) security risks, organizations can reduce their outlays for purchasing protection that may or may not work.
At the same time, they can also lower the risks of successful breaches or compromises through new-school security awareness training. Overall costs involved will usually be less than those for a purely technical, software-based endpoint security solution.
The net result is reduced exposure to risk for companies or organizations savvy enough to invest in their people, who present the biggest attack surface of all.
Where’s the Connection Between Security Awareness and Decreased Risk?
Most breaches and successful penetrations do not depend on technical compromises or insidious software exploits. Rather, they depend on good, old-fashioned social engineering to trick honest, hard-working employees into disclosing points of access and means of attack.
This happens in all kinds of seemingly innocuous ways. Social engineering drives attacks through targeted phishing, phone calls from supposedly helpful security or support staff, or outright, obvious e-mail or social media scams.
Security awareness training (SAT) teaches people good security habits. It impresses upon them the potential consequences of clicking links on unsafe web pages or in suspect emails, and shows them in no uncertain terms what can happen as a result.
SAT teaches them that neither the government, nor Microsoft, nor their own accounting department includes links in emails or web pages where any kind of sensitive or security-related information is solicited without proper safeguards. SAT explains the value of multiple authentication factors, and shows how they prevent fraud, theft, or misappropriation of credentials and access.
Given that an average security breach costs $3.62M (SecurityIntelligence/Ponemon), even a relatively substantial outlay on prevention cannot help but be less than the cost of such cures.
A well-crafted awareness program doesn’t just teach principles and show the consequences of bad habits and behaviors. It also checks in on employees with simulated social engineering attacks and pop security quizzes, and provides remediation to those who need it.
Good awareness programs also include regular refreshers, ongoing news about current scams and social engineering attacks, and more. It’s an ongoing program and process that pays continuing dividends as organizations and businesses avoid security risks, and make best use of low-cost/no-cost technical security options.
Are you going to upgrade to Windows 10, rely on Defender and use your AV budget for new-school security awareness training?
Go to the HackBusters site, subscribe and discuss this with your peers!