Antivirus: A Guide
Antivirus is a well known and understood part of cyber security, but having it installed on your home device and managing antivirus for an organization are very different. Below are some key points to consider.
What is antivirus?
Antivirus (AV) software detects malicious software (malware). Once antivirus has detected malware on a device, it will quarantine and attempt to destroy the malware to prevent it from spreading to other files and causing more impactful damage to the device. Antivirus is a core defense against cyber crime, and should be rolled out by default to all organization devices. Users at all levels must understand how antivirus works, how frequently they will be scanned, and what to do if there is an alert.
Why is malware a risk?
Malware is a piece of code that can do whatever a threat actor programmes it to do. Malware can steal or encrypt data, as well as destroy it altogether. It can cause devices to overheat, behave in strange ways, or lock users out of a device or the whole network. Malware behaves like an illness, getting passed around within an organization's network, via emails containing infected file attachments, or from people visiting infected websites. It can also be spread from one organization to another, causing reputation damage.
Do I need to use the same antivirus on all devices?
Most commercially available devices will come with some form of antivirus installed that can be immediately activated. However, if a hardened baseline is being rolled out across a network, then a product with more functionality, monitoring, and reporting features will be more appropriate. These features are essential for a technical team to stay on top of potential security incidents and events across the organization and maintain a centralized response to any incidents.
Does antivirus need to be on all devices?
For an organization, antivirus should be a consistent component of the hardened baseline rolled out. If an organization allows BYOD (Bring Your Own Device), then the antivirus brand on personal devices likely cannot be enforced, but you can outline rules about appropriate device setup to qualify for BYOD - e.g. guest devices must have some form of antivirus, they cannot be jailbroken, and they cannot use applications from outside the recognized app store for their brand. This can minimize malware being brought into the network.
How to select an antivirus solution
An antivirus solution should cover all types of devices used in the organization, including computers, laptops, tablets, printers, servers, etc. Additionally, the AV solution should be compatible with all applications in an organization's network. Compatibility issues often lead to performance problems and may in turn compromise security if there are gaps left unchecked. If all devices are running the same AV, then it will be easier for network admins to manage the incoming data and manage potential risks.
Patching antivirus promptly is essential.
Much as we update our phone applications for new features, bug fixes, and security patches, AV patches ensure the solution remains effective and up to date. Cyber threats change very rapidly, and it is paramount that the chosen AV software solution is routinely tested to ensure that it is functioning and communicating seamlessly across the network and all devices.
Compliance and regulatory requirements.
Prior to engaging an antivirus vendor, the proposed solution should be thoroughly vetted for how it contributes to any regulated standards an organization may be subject to. Some regulations and standards will have requirements about how antivirus is deployed and standards it must meet, and opting into a product without checking these requirements can be a costly process to roll back.
Checklist
When rolling out antivirus, check the following:
- Is the antivirus solution compatible with the organization's current technology?
- Does the antivirus comply with any legislation or regulatory requirements?
- Can the antivirus be rolled out comprehensively across the network and all devices?
- Who will be managing the antivirus and what training do they need?
- Agree and maintain a patching cadence to ensure the antivirus remains up to date.
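As an added example that is not part of the original guide, the checklist above can be turned into a small audit over a device inventory: it flags devices with no antivirus, managed devices running a non-standard product, signatures older than the agreed cadence, BYOD devices that break the eligibility rules, and device types with no coverage at all. The product name OrgAV, the 7-day cadence, the audit date and the device records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STANDARD_AV = "OrgAV"                  # hypothetical name for the organization's chosen product
MAX_SIGNATURE_AGE = timedelta(days=7)  # assumed patching cadence agreed with the technical team
AUDIT_DATE = date(2024, 6, 10)         # assumed date the audit is run

@dataclass
class Device:
    name: str
    kind: str                          # laptop, server, printer, tablet, ...
    owner: str                         # "org" = managed asset, "byod" = personal device
    av_product: Optional[str]          # None means no antivirus reported at all
    signatures_updated: Optional[date] # date of the last AV definition/patch update
    jailbroken: bool = False
    sideloaded_apps: bool = False      # apps from outside the platform's recognized store

def audit(devices, today):
    """Map each device name to its checklist findings; an empty list means compliant."""
    findings = {}
    for d in devices:
        issues = []
        if d.av_product is None:
            issues.append("no antivirus installed")
        else:
            if d.owner == "org" and d.av_product != STANDARD_AV:
                issues.append(f"non-standard product {d.av_product} on managed device")
            if d.signatures_updated is None or today - d.signatures_updated > MAX_SIGNATURE_AGE:
                issues.append("signatures older than the agreed patching cadence")
        if d.owner == "byod":          # BYOD eligibility rules from the guide
            if d.jailbroken:
                issues.append("jailbroken device is not eligible for BYOD")
            if d.sideloaded_apps:
                issues.append("applications installed from outside the recognized app store")
        findings[d.name] = issues
    return findings

def coverage_gaps(devices, required_kinds):
    """Device types the organization uses for which no device runs any antivirus."""
    covered = {d.kind for d in devices if d.av_product is not None}
    return sorted(set(required_kinds) - covered)

# Constructed sample inventory (not real hosts) showing each kind of finding.
SAMPLE = [
    Device("lt-01", "laptop", "org", STANDARD_AV, date(2024, 6, 8)),
    Device("srv-01", "server", "org", "OtherAV", date(2024, 5, 1)),
    Device("prn-01", "printer", "org", None, None),
    Device("byod-01", "tablet", "byod", "VendorAV", date(2024, 6, 9), jailbroken=True),
    Device("byod-02", "phone", "byod", None, None, sideloaded_apps=True),
]
```

Running `audit(SAMPLE, AUDIT_DATE)` reports only the laptop as compliant, and `coverage_gaps(SAMPLE, ["laptop", "server", "printer", "tablet"])` shows that printers have no antivirus coverage.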