Stats & Trends
Jonathan Crowe
May 2017

The "Malware Infections are Inevitable" Attitude is Putting Companies at Greater Risk

Four out of 10 organizations we surveyed said they wouldn't be shocked or overly concerned to find malware on their endpoints. Here's why that needs to change.

For years, “infections are inevitable” has steadily become the prevailing attitude when it comes to endpoint security. On one hand, it's a mantra that's productively motivated companies to acknowledge their vulnerabilities and become better prepared to respond quickly to a wide variety of possible security incidents and scenarios. On the other hand, it's also an attitude that inherently encourages acquiescence.

If malware infections are considered inevitable, that also suggests they have to be tolerated. And if that's the case, where does the tolerance stop? At what point do attacks cross the line and become unacceptable?

That's the question we recently asked IT professionals tasked with keeping their organizations secure. To find out how the "infections are inevitable" attitude may be influencing their priorities, investments, and efforts, we asked them to describe at what point they consider a cyber attack a serious event, and at what point they would consider making changes to their security to prevent similar attacks from happening again.

One third of organizations don't consider the presence of malware extremely serious until damage is clearly evident

Four out of 10 organizations we surveyed expressed that they wouldn't be shocked or overly concerned to find malware on their endpoints. When asked how they would react to the malware successfully executing, 35 percent maintained it still wouldn't be cause for serious alarm. 

The tipping point appears to be when damage has obviously been done — 78 percent of respondents acknowledged data theft caused by a cyber attack would be an extremely serious event.

There's a dangerous assumption in these responses that damage caused by malware is always immediately apparent. That is certainly the case with ransomware, but not with "silent" attacks such as remote access tools (RATs), credential theft, and keylogging. While ransomware has dominated the security discussion and headlines for the past two years, the silent attacks are actually still more prevalent.

According to email security provider Proofpoint, 22 percent of malicious email campaigns were used to deliver ransomware in Q1 2017, but 33 percent were used to deliver banking trojans.

What's also particularly interesting is the amount of leeway IT pros acknowledge they give to solutions specifically designed to prevent these events.

Low expectations for preventative solutions translate to no margin for error further down the line

Only one third of respondents indicated they would consider replacing their security solutions if malware made it onto their endpoints. Fewer than half said an incident of malware successfully executing would likely cause them to switch solutions. (It should also be noted here that 40 percent of the organizations surveyed had experienced both events in the past 12 months.)

4 in 10 organizations have suffered a ransomware attack that bypassed their security and encrypted their files


In comparison, 70 percent said an attack that resulted in stolen data would justify them looking for a new solution. 

There's clearly a lower bar for preventative solutions designed to block attacks earlier in the attack cycle, one potential indicator of the "infections are inevitable" attitude at work.

The problem is that kicking the can down the road puts disproportionate pressure on detection and response solutions to fully mitigate attacks before they can result in damage. And as ransomware attacks make blatantly obvious, today's malware can operate incredibly fast. In many cases, waiting to react to an attack until there's an indicator of compromise means the horse has already left the barn.

29 percent of organizations see backup as an adequate substitute for preventing ransomware infections

Perhaps also contributing to organizations' willingness to give preventative solutions a pass and tolerate successful infections is the assumption that the majority of attacks are delivering ransomware, and ransomware can always easily be mitigated by restoring encrypted data from backup.

Without question, having reliable, tested backups is a crucial part of any decent security strategy. But if having backups is the whole strategy, that's not playing defense; it's simply showing a capacity to take a punch in the face. And it can be just as painful, even if access is eventually restored (take this example that resulted in $100,000 in recovery costs).

The fact that nearly a third of organizations expressed satisfaction with recovering from ransomware attacks with backup vs. investing additional resources into preventing repeat and future attacks is concerning for multiple reasons. Not only does it underplay the potential disruption and costs associated with recovering data from backup and bringing services back online, it also neglects the consequences of ceding network access to hackers.

Criminals will take advantage of every inch of ground organizations give them, and they have quickly adapted their attacks to include both ransomware and password stealers packaged together to fully monetize their campaigns. Cerber and DynA-Crypt are two examples of ransomware variants that have been spotted not only encrypting files, but stealing information while they're at it.

Organizations are prioritizing recovery over prevention

Perhaps the clearest indication that the "infections are inevitable" mantra has taken hold, however, is the list of the respondents' current priorities.

The majority of respondents listed their organization's strongest ability as "cleaning up from successful infections" and their weakest as "preventing malware from executing." Yet when asked to list their current priorities, the majority indicated they were doubling down on reactive attack response instead of proactive prevention.

Current security priorities

  1. Cleaning up successful infections
  2. Responding to successful infections quickly
  3. Blocking malware during runtime
  4. Preventing malware from executing
  5. Preventing malware from landing on endpoints

It's hard not to see that list as organizations waving a white flag. But with 40 percent of the respondents experiencing successful infections despite having preventative solutions in place, it's easy to see where they're coming from.

For organizations to make meaningful progress and avoid getting stuck in firefighter mode, however, these priorities need to change. And for that to happen, vendors need to prove to organizations that they're seriously committed to improving prevention, too. The only way they'll do that, of course, is if organizations stop giving them a free pass.

Blocking malware during runtime — after it's been delivered but before it does damage

One immediate way of making prevention more realistic and effective is by adding runtime malware defense, a layer of protection that operates downstream of the most common infection vector — a user inadvertently downloading and executing malware on a machine. Instead of reacting to damage after the fact, however, runtime malware defense recognizes and blocks malicious activity in real-time, before it does something that can't be recovered from or has to be cleaned up.

As Barkly co-founder and CTO Jack Danahy explains:

"Experienced security teams acknowledge that every piece of malicious software can't be caught in advance, but they also know that cleaning up after an event is painful and often incomplete. That doesn't mean giving up on prevention, but rather focusing our efforts on stopping attacks as close as possible to the point of infection, before damage is done."

— Jack Danahy, co-founder and CTO at Barkly

That's the protection Barkly's runtime malware defense provides, and it's an area where a lot of the industry's momentum is heading.

To learn more about how companies are improving their runtime protection see our Complete Guide to Runtime Malware Defense.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
