Retailers Fighting Malware With AV Solutions May Not Be Getting Their Money’s Worth
Malware attacks continue to disable point of sale systems at an alarming rate. Every other week there is news of yet another credit card data breach. And while companies are increasing their investments on anti-virus programs to combat it, that may be money ill-spent.
The 2015 Mid-year Point-of-Sale (POS) Security Health Assessment, sponsored by Bit9 + Carbon Black, suggests most malware is significantly craftier than AV solutions. Criminals use PoS malware to exploit a gap in the security of how card data is handled. Card data is encrypted as it’s sent for payment authorization, but it’s not encrypted while the payment is being processed. So it is vulnerable at the moment when the card is swiped at the PoS for payment. And, while anti-virus software is largely ineffective at conquering today’s malicious malware, businesses continue to use security budget dollars in outdated and inappropriate solutions.
The Bit9 + Carbon Black study found that a majority of businesses take security more seriously than ever; of the 150 companies surveyed, 63 percent have increased security budgets during the last two years, many of them as a direct result of publicized breaches. That indicates that retailers are paying attention to the security news out there and recognize investments need to be made.
However, the report notes that while 94 percent of organizations run antivirus on all their PoS devices, a quarter of those companies reported that antivirus software does not provide proper protection. And with a mere 38 percent reporting they have found malware within their PoS systems, it’s likely that many threats are just getting identified. Chris Strand PCIP, senior director of compliance and governance for Bit9 + Carbon Black said in a statement:
It’s shocking that even when they have more budget to spend in the fight against malware so many organizations continue to spend it on antivirus, which cannot see or stop today’s advanced threats and targeted attacks. It’s no secret that we’re seeing an increase in the number and type of attacks against organizations that use point-of-sale devices. The good news is that more organizations are aware of this and are increasing their budgets. But the fact that only 38 percent of organizations have detected malware on their POS systems during the past two years is a major red flag and points to the ineffectiveness of AV.
The fact is that antivirus solutions did not detect the malware responsible for the Target breach; even signature based AV could not have prevented the PoS trojan. Boosting spending on AV is a flawed strategy when trying to fight malware. The Mid-year PoS Assessment found that 62% of respondents said their AV had not detected any malware in two years, although at least 20 different types of malware has been documented during that time.
The best defense is a strong offense. Retailers must lock down computer systems, comply with PCI, monitor network traffic and keep computer systems updated. In addition, merchants should consider advanced threat protection to defeat malware that is evolving more quickly than signatures can be created.