Malvertising is a new, very real threat

Modern business leaders must be vigilant against modern threats. After all, digital technologies are a crucial tool in the battle for competitive advantage, yet at the same time they have the potential to create risks – whether from internal staff or outside parties – that require a solid cybersecurity focus from the organization.

A recent addition to the pile of business security threats is ‘malvertising’. In basic terms, it’s online advertising published with the intent to spread malware or harmful software components via mass channels. The danger is their ability to infiltrate and publish themselves on legitimate networks and websites, and Georges Akl, Regional Business Development Manager at Canon, says it is because they appear so innocuous that they are such a threat to business security.

“Once a user is exposed to the ad, which looks like any normal ad, they will be tempted by the content,” he says. “Once they click, this is called the ‘bait’, because once this action is completed the receiver can be infected via several hacking techniques.”

Akl believes there are three core reasons why malvertising can be a threat to mobile phone users in particular:

• Mobile phones are extremely prone to malware due to the structure of their operating system.
• There’s a lack of user awareness about mobile security and how to bolster it on personal devices.
• Low penetration for mobile anti-malware apps. Akl says: “Would you pay $7 per month for an antivirus app? Probably not, as you are not aware of the real risks.”

Phishing attacks and imposter scams

Phishing attacks, on the other hand, are nothing new. In fact, they have permeated the digital culture for decades. So how are they still so prevalent, and why are they a constant threat to business security? The reason, according to Akl, is their simplicity combined with a lack of ability to detect fraudulent communications from external parties.

“The most common scam is to send fake emails that have the same look and feel of a famous vendor or provider,” he says. “Often, fake emails will arrive that look like they were sent from an authentic business, in many cases it could appear to be sent from your bank, your phone or internet provider, or even a senior member of your company. The content will contain some urgent message with the intention to push the reader to click. This psychological deception is deployed through either fear or temptation, with fear often being most effective.”

Also a form of phishing attack, imposter scams fully embrace a legitimate “persona” in an attempt to convince the recipient they are a trusted business source. They may send emails with identical logos to one of your partner companies, or make a phone call impersonating a client or supplier. In terms of business imposter scams, the intended payoff is usually to obtain payment information or, in most cases, confidential information and security logins.

How can your business protect against threats?

As a business, your staff are constantly using digital devices. While this is essential for the organization to function, the risk of exposure is huge. From web browsers to email apps to personal or business mobile phones, all these tools are being used on a daily basis and are at risk of security attacks.

In order to protect your business in a multi-channel environment, especially one in which all those channels are directly connected to your business IT infrastructure, you need to take steps to lower the risk of attack. After all, one affected device could bring the entire company to a halt due to the domino effect of spreading malware.

• Train all staff: Especially when it comes to internal threats, training should be at the top of your list. Conduct routine training on common business security threats and how to avoid them. This can even be done through an ongoing security awareness and education campaign.
• Document everything: Create a clear IT security policy that explains, in depth, what the threats are and what your organization’s best-practice policies are. There should also be an induction program for new employees, as well as a yearly refresher course for all staff.
• Test the threats: Create and deploy ‘fake’ phishing campaigns internally. This will deliver insights into whether your employees are acting appropriately, and will also reveal any gaps that require further training.
• Open the lines of communication: Partner the IT department with other relevant groups (such as legal or financial departments) to send out weekly or monthly emails about business security threats and reminders of the employee’s responsibility.