Modern security tactics fail to protect against malware, study finds

The kinds of advanced malicious software threatening most companies have proven to be nearly impossible to stop, says a new FireEye report.

Seth Rosenblatt Former Senior Writer / News

No matter if you work for a government contractor or a top legal firm, there's a good chance your company's computers are infected with malicious software.

That's a conclusion reached by FireEye, a computer security analysis and consulting firm, which released on Thursday a new study detailing how most companies are more vulnerable than they may think.


Dave Merkel, FireEye's technology chief, said he wasn't surprised by the results, which followed a similar study published in May. Today's hackers are more sophisticated and eagerly adopt the latest in hacking methods, the way consumers go after the latest smartphone.

"More and more, you're dealing with a professional attacker, whether that's a nation-state or organized crime," Merkel said.

For its study, FireEye checked logs from its cybersecurity tools that monitored attacks against more than 1,200 companies in 20 industries. It found that malware, as it's called, is more pervasive and doing more harm than most people realize.

FireEye's findings cast a damning shadow over the cybersecurity industry, which has convinced businesses that their software and computer tools are all a company needs to protect itself from would-be hackers. Fortune 500 companies are expected to spend $76 billion on computer and network security this year, up from $71 billion in 2014.

But FireEye says the money may be a waste, and those expensive protection tools appear partially effective at best.

Every retail, agriculture, education, health care and transportation business FireEye monitored in the study was successfully attacked, the firm said. Malware also infected 91 percent of entertainment and media organizations during the six months of the study, from January 2014 to June 2014.

This graphic from FireEye's study gives an overview of how poorly the companies involved tested. (Credit: FireEye)

Retail and entertainment organizations may be the least protected against attacks, but the company said other industries weren't much better. FireEye's monitoring data showed that attackers penetrated defenses at 76 percent of aerospace and defense firms, an even worse finding considering those two industries are routinely attacked by various governments.

Perhaps most concerning, FireEye said the most common way the attacks happened was through email and websites, which install new variants of old types of malware on victims' computers. FireEye says the malware variants are changing faster than older technologies can adapt, and new responses are needed.

Companies often take a set-it-and-forget-it approach to security, compounding the problem. They also often rely only on basic protections like antivirus programs -- technology that hasn't changed much in the past two decades -- leaving them vulnerable.

Attacks like the one that wreaked havoc on Sony Pictures may not be preventable, but damage from them can be reduced. One way would be to keep sensitive files on computers with strictly regulated or even no access to the Internet, said Tyler Shields, a security analyst at Forrester. "If you're really worried about losing copies of your films or emails, make sure they're on an isolated system," he added. "Companies haven't done that."