AVG's challenge: Getting people to protect themselves (Q&A)

As the CEO of security vendor AVG, J.R. Smith oversees a lineup of antivirus products used by 110 million customers around the world. And while those people may be relatively secure from the latest malware threats, Smith feels a greater effort is needed to reach out to the many who aren't protected.

A lot of computer users think they're protected with antivirus software but actually aren't, believes Smith, while others just don't seem to take security seriously enough, assuming that their banks and other companies they do business with will protect them.

Beyond just basic protection, computer users today are also getting caught more by social-engineering scams in which cybercriminals try to trick them into revealing personal information. Though Smith said that AVG's security software now tries to warn you before you expose certain details, he cautions that people still need to be more aware and vigilant of their actions online.

The American-born Smith has been running AVG from its Czech Republic headquarters since 2007. Prior to joining AVG, he ran a mobile-services company as well as a network and telecom software development firm. His current mission has been to spread the word about security and protection, both through his own company and by working with people in the private and public sectors.

Smith was in New York last week attending a security conference hosted by AVG. Though he couldn't reveal many specific details, he did say that the conference was attended by some influential people in cyberspace and cybersecurity, including a number of "heavy hitters" from Capitol Hill. The conference's roundtable discussions centered on the topic of how the private sector and government can work together on cybersecurity and motivate people to better protect themselves.

I recently spoke with Smith about the kinds of security threats facing all of us online and his company's efforts to fight the never-ending threat of malware. Here is a portion of our conversation.

Q: You were in New York recently as part of a panel discussion on cybersecurity. What were some of the key issues and concerns that the panel focused on?
Smith: Well, we've just launched into National Cybersecurity Month, and for the last several years there's been a lot of awareness driven around cybersecurity and threats. But I think we're moving into a different direction in that awareness is nice, but we're not getting enough action, enough uptake. People aren't really feeling obligated to secure themselves. I think there's a lot of feeling that banks and governments and businesses are going to protect us, when in reality, consumers and small businesses have a big role to play in the health and security of the Internet.

So the discussion was on how we move with the help of the government and private sector in trying to make [security] more on top of people's minds and get them to act. There's a recent survey by Verizon (PDF) that said about 95 percent of the threats out there could've been prevented with basic security measures, meaning software. So I think there's this huge opportunity for us to harness the power of individuals and get them protected. How can we work together more closely and figure out how to get people to participate more aggressively? Government initiatives, possibly tax incentives, possibly requiring people to have basic protection if they're going to access government sites. Maybe creating a government portal where people can learn more and understand what they can do if they need to be protected or if they've already got something that's mucking up their machines.

People need to be part of the solution because if they're not protecting themselves, then they might be spreading malware. Their computers might be used for botnets, so they're actually part of the problem. So how can we get people to be more accountable and responsible? And at what point do banks and government and industry stop footing the bill if somebody does have a problem? And how do we incentivize and encourage? What further tools and education can we use to help people understand how important [security] is?

Do you find a lot of consumers believe protection is something that someone else is going to do for them, whether it's their Internet provider or their company, so it's not something they need to worry about?
Smith: I think it's a combination of a couple of things. I think part of it is that. But a bigger part of it is that over 90 percent of people actually think they're protected in some way. But a lot of our surveys and a lot of other industry surveys show that there's probably about 60 percent of people who are really covered because [the rest] have McAfee or some other company on their computer and they see the little icon in the system tray, but in reality they've got to click it, activate it, buy it, and they don't. But they still figure they're protected because it's there. Or their trial or actual license has expired. Or they simply don't have anything. So part of it is thinking they may be protected when they're not, and part of it is "You know what? If somebody raids my bank account because they've gotten information, well, my bank is going to reimburse me anyway."

What are some of the newer, more sophisticated malware threats that keep your company on its toes and that consumers should be aware of?
Smith: There are a few things. We've engineered our back end to take 1.5 billion pieces of information that we analyze every day that's voluntarily given to us by our users, just threat-related data that they're encountering. The main pieces of information our users are sending back to us is that with respect to identity protection and privacy, the problem's become a lot bigger. It used to be that if a hacker gets into your computer, they get some of your personal information, and off they go. Usually, they [had] to get the complete picture in one shot. But now what we're finding is more sophisticated, that they're actually looking all over the Web for bits and pieces of information about you. And then they pull it together and can get a much more robust picture. In fact, they can even know enough about you to converse like you in an e-mail and fool people.

I think you may have seen there was a recent scam on Facebook. "Hey, I'm stuck in London. Lost my wallet and my passport. Can you wire me some money?" We have a guy in our organization who's a threat analyst. He even got taken. He answered the e-mail. "How are the kids? How are things in school?" And they actually replied very coherently. So they knew an awful lot about this person they were imitating. And he actually sent them some money. It's that kind of stuff that we're seeing.

We're also seeing a lot of scams, especially on social-networking sites. You play a game. You participate in something. They ask you for your personal information. We've actually enhanced our Web protection to include some various layers where we'll stop you from putting your information in. We'll say, "Hey, we can't see where this information is being stored. It looks a little odd. So we don't think you should be entering your own personal data." So we're trying to work with people to help them protect themselves a little bit more effectively because I think that type of information-gathering is getting a lot more robust, a lot more sophisticated, a lot more organized.

And of course, we're always seeing lots of botnets. In recent days, we've even found a few botnets that actually fight back. They identify AVG security software. They're actually trying to attack us. But really what we find is 99 percent of what we see is malware that comes through the Web. So when you're searching and surfing and playing around online, you've technically punched a hole in your firewall, you've opened the window.

So we've really focused on our Web technology, which in my opinion is unique in that we're following you around wherever you go. Actually, we're not following you. I take that back. We're actually one step ahead of you everywhere you go. So every time you click a link, a URL in an e-mail or instant message or search results in your browser, anytime you're clicking something that takes you to the Net, we're scanning that landing page and making sure it's safe. And we're letting you know beforehand. This is a unique product, and now we've enhanced it with social-networking protection. So if you post something on your page or on someone else's page, or someone posts something on your page, we're scanning it and making sure it's safe. So we're moving out of just protecting you as a user. We're trying to limit the amount of damage that you can do by spreading something as well.

We also block between 3,000 and 5,000 threats on Facebook every day. And if we find something that's really malicious and we find a lot of it, we're on the phone with their scientists and tell them that it's something they might want to put a flag on. They're very diligent about security. But when you're going that fast and you've got such a huge platform, you can imagine that's a big job.

It often seems like a cat-and-mouse, or one-upmanship, game between the bad guys and the good guys. The malware spreaders come up with some new scheme, then you guys respond to that, and then they respond back to get past your new defenses. Do you find it's a never-ending battle in that regard? And are you confident and optimistic that you're able to stay one step ahead of the malware writers?
Smith: Well, I think you're absolutely right. It's getting more sophisticated. It really is driven off of behavior and technology. People's behavior is changing so much. Look at what we were doing 8 years or 10 years ago on the Internet versus what we're doing now with social networks and the need to have increasing privacy. It's just completely changed. The way we look at it is that the traditional, signature-based protection is still great--we're processing anywhere from 30,000 to 50,000 samples every day in our back end just from traditional heuristic and signature-based stuff. While that system can handle a lot more and it's going to keep growing, we think that about 90 percent of what we're seeing is actually just smoke. [The malware writers] are just automating a bunch of malware that isn't really dangerous to try to make it difficult for us to find the real stuff.

What we've done is we've shifted. So if we can create technologies that detect more in real time and are every bit as efficient as real time, then we can eliminate the need to have basic heuristics in AV. We've got a behavioral layer, a Web layer, a heuristics layer, and a whole bunch of stuff in the cloud as well. So we're forced to be able to add all those layers, otherwise with traditional engines, we just would not be able to keep up with or detect all this stuff that we're seeing. Every day, we evaluate 1.5 billion pieces of information and identify over 100 million threats. So for the final part of your question, I'm pretty optimistic that we can maintain that. But the real challenge is helping people be protected and not do something like putting their personal information into something and going onto a scam site and thinking they're ordering a month's supply of vitamins and in reality it's a 12-year subscription and there's no way they can stop it. So we're putting a lot of that kind of stuff into our LinkScanner technology and our Web protection technology.

There have been some well-publicized takedowns of malware sites and servers and arrests of malware writers over the past year. Do you think that type of legal action is having a meaningful, long-term effect, or is it more a drop in the bucket?
Smith: I think every little bit helps. I think it really helps people to understand that the threat is real and maybe move them to action. I think you're going to need an awful lot more of that to make an impact. I don't think it slows them down much. You've probably read about the latest banking scam. And that's pretty monumental--arresting 80 people. That's pretty big--one of the biggest things we've seen in a long time. I think that helps. But there is so much out there. It's complete lawlessness. It's pretty hard to control. It's just a drop in the bucket. I think a lot more needs to be done.

There's been some industry debate and this recent challenge between Comodo and Symantec over the effectiveness of free versus paid antivirus software. Of course, AVG offers both free and paid. What are your thoughts on that whole debate?
Smith: It's pretty important for us because our whole business model is freemium (offering a basic product for free, then charging for a premium edition). The lion's share of our 110 million people are free users. So we really rely on them both for our back end and for getting people to talk about it and getting people to get more free and more paid. And it really is what leverages our business. So when somebody like Symantec comes out and says [free] is actually not as good. Well, have an independent tester come in and test our free product next to anybody's paid product, and it's better. The basic detection rates in our free product and our paid product are exactly the same. We're not giving you less protection. We're just giving you less functionality. The paid products have antispam and firewall and a few other bits. But the core features--the Web protection, the cloud protection, the virus protection--is all the same between free and paid.

Microsoft came out with its free Security Essentials product a year ago. Do you foresee a time when antivirus and malware protection will be built into an operating system like Windows? And if so, do you think there will still be a market for the third-party vendors?
Smith: I think there will be. I think it's great that Microsoft came out with a product in that it really jumped awareness. And again, we have this mantra that everyone should be protected. But with the way things are evolving and the devices people use changing and all the threats changing so quickly, I don't think you can do that within the operating system. Basic AV and spyware, OK. At some point, if those are layered within the operating system, I don't think it's bad. But I don't necessarily think a lot of people are going to trust Microsoft since they create the platform. Some will. But you're always going to need other layers. So I think there's going to be plenty of room for companies like ours to grow and cohabitate alongside these guys.

There's always been a long-standing question over whether Mac users should run antivirus software. What are your thoughts on that?
Smith: Yeah, we just came out about three months ago with a Mac product--a Web protection product. Right now you're looking at a lot less penetration of Macs, a lot less malware for Macs. But it doesn't mean it doesn't exist because it absolutely does. We think the first level of defense is really the browser. And our product has technology that helps you avoid scam sites, avoid putting in your personal information. I think that's the kind of thing that Mac users do need. And over time they'll probably need AV and the rest as well. But since 99 percent of the threats we're seeing are coming through the browser, you should have Web protection on a Mac.

Aside from running the right antivirus software, do you have other recommendations for the average consumer about what they can do to better protect themselves?
Smith: Yeah, on top of all that, I think you just need to be a little cautious. If people are looking at the URL string, if they type in WellsFargo, make sure it's not going to WellsFango or some other Web site that looks the same but may not be. I think you need to be suspicious about Web sites that may have been hijacked. If they're asking you too many questions: "What's your credit card? What's your PIN number?" There are certain things you're used to conveying online and certain things you're not. If someone sends you an e-mail, don't open anything unless you're absolutely positive [it's safe]. Having our Internet technology helps with a lot of that. But really be cautious, especially in your e-mail in-box. Test and verify. If someone asks you for money, pick up the phone and call and make sure it's them. Don't communicate through e-mail. There are a ton of things, but those are some of the big ones.