According to Threatpost, more than 10,000 users have been affected by a growing "malvertising" ring, which posts fake ads that contain malware. The astonishing thing about this network of malvertisers is that they have even managed to get dangerous ads placed on big-name sites like YouTube and Amazon.
Malvertising is when hackers embed innocent-looking ads on sites, and when clicked, these “ads” secretly download malware to a user's computer. Like phishing attacks, these schemes are especially troubling for your small business clients because they attack at the user level. You can't watch over every user's shoulder, and there's little you can do to prevent one from mistakenly clicking on a malicious advertisement.
While attacks like this have been around for years, this latest version of malvertising – dubbed Kyle and Stan– is one of the more advanced malvertising attacks we've seen. It tailors its malware to users based on what OS they’re running.
What Does Malvertising Mean for IT Consultants?
In our blog post, "Re: Your Recent Spear Phishing Attack," we profiled how hackers were beginning to modify spear phishing attacks to target small businesses, launching fewer but more carefully crafted attacks. Advances in technology and the proliferation of data have made it easier for hackers to steal from small businesses.
The growth in malvertising fits the same pattern. Smarter attacks are designed to target large companies, small businesses, and individual users. Unfortunately, many small business clients probably don't have the technology – sandboxing / advanced malware scanning software – to catch these attacks before they infect their network. That's especially true for BYOD workplaces.
There are three things IT consultants need to keep in mind:
- Attacks are harder to spot and prevent, especially for clients that don't invest heavily in network security.
- IT consultants have a greater financial risk because of the possibility of data breach lawsuits.
- IT consultants have to work with clients to educate them about threats that target their business on an individual and company-wide level.
But now for the million-dollar question: how do you manage these new risks?
Three Ways to Manage Malvertising Threats and IT Liability
Here’s what you can do to reduce your risk of lawsuits, prevent data breaches, and cover your financial risks:
- Get clients to invest more in data security. This is easier said than done. But even if your clients don't want to spend a lot on their security, have them take small steps, such as upgrading software and phasing out old machines.
- Carry IT Insurance. After a malvertising, spear phishing, or other cyber attack, a Professional Liability Insurance policy can cover your legal expenses (and damages you owe a client). If your network software doesn't catch a malware intrusion, you can be sued for negligence. Even if you aren't responsible, a client could file a lawsuit in an attempt to recoup some of the cost of a data breach.
- Educate clients. This can help prevent data breaches, but it may also limit the risk of lawsuits. By informing clients about threats and teaching them how to avoid exposure, you increase the chance that you won't be held responsible when a breach occurs.
To learn more about covering your IT risk with insurance, contact a TechInsurance agent at 800-668-7020, or submit an online insurance application to receive free quotes.
