Malware ("computer viruses") has been a concern since the 1980s. It’s an awareness and training topic we update/refresh frequently, never failing to find something new to discuss.
In 2017, we focused on ransomware, a ‘real and present danger’ at the time, with several high-profile organizations suffering disruptive and very costly incidents. In 2018, surprisingly, ransomware appeared to have declined as cryptocurrency mining Trojans increased ... but ransomware remained an issue in 2019, particularly for insecure corporations staffed by unaware workers.
So long as malware risks remain significant, we can’t afford to ignore them. Luckily, generic control measures such as workers’ vigilance (awareness!), patching, backups, incident management and business continuity management are appropriate regardless of the particular incident scenarios that may unfold. Antivirus software is part of the solution – a major part, admittedly. It’s necessary but not sufficient. That’s one of the awareness messages.
- Introduce and explain malware in plain English, providing general context and background information, emphasizing what’s new in this area;
- Expand on the associated information risks and controls, emphasizing the need for a framework of complementary controls rather than a myopic focus on, say, antivirus;
- Emphasize the practical things workers can and should be doing to mitigate or better still avoid malware risks (e.g. not opening dubious attachments, jailbreaking or disabling security on their devices, or installing dubious apps; keeping up with antivirus updates, patching and backups; reporting suspicions or incidents promptly to Help Desk).
Think about your learning objectives in relation to malware. Are there particular facets or issues you would like to bring up, perhaps specific malware incidents that you or your neighbors, competitors and others have suffered? If there's just one thing that you require all workers to know or do about malware, what is it? What about all the other things that they ought to be aware of?
Security awareness and training is a critical control against computer viruses, worms, Trojans, keyloggers, Advanced Persistent Threats, spyware, rootkits, multifunctional and embedded malware, ransomware, cryptomining malware and other digital nasties. Technical controls alone are insufficient.