Antivirus has been a foundational element of protecting endpoints at small and medium-sized businesses for going on three decades. During that time, the threat landscape has changed dramatically. Thanks to the proliferation and commodification of sophisticated hacking tools, SMBs are now seeing the types of attacks formerly leveled almost exclusively at governments and large enterprises.
These new attacks — and the inability of antivirus to block them — have eroded organizations’ trust in their existing solutions. According to a recent survey conducted by the Ponemon Institute, less than a third believe their antivirus can stop the threats they are seeing.
As a result, organizations are exploring their options. One third of respondents to the Ponemon survey reported they had replaced their antivirus with a competitor’s offering or a next-generation endpoint protection solution in the past 12 months. Fifty percent confirmed they had kept their antivirus but supplemented it with additional solutions designed to provide better protection and/or detection and response capabilities.
While maintaining legacy antivirus alongside new protection may work for larger companies that have the budget and staff to take on and manage multiple solutions, it may not always be an effective option for small or medium-sized businesses. How do you know when it is finally time to cut your legacy antivirus loose? Here are three key signs to consider:
1) There are attacks your antivirus is not blocking
At its core, antivirus has one job to do: keep endpoints from being infected or compromised. Unfortunately, its primary method of doing that job — scanning static files to determine if they are potentially malicious — is extremely narrow and limited considering the variety of attack techniques we’re seeing today.
As Gartner points out, “Endpoint protection platforms that rely solely on signature-based malware detection are not completely effective when it comes to repacked or new malware until new signatures are distributed.... Organizations...are essentially unprotected until all their endpoints are updated with the latest signature.”
Even next-generation antivirus solutions that supplement signature matching with machine learning are still limited to scanning, analyzing, and quarantining static files written to disk. Many of today’s attacks have evolved to exploit that limitation by adopting fileless delivery techniques instead. These are no longer theoretical threats. According to Ponemon, 77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques.
The inability to block today’s evasive and fileless threats is one of the top reasons organizations cite for replacing their antivirus.
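To make the signature limitation described above concrete, here is a small added Python example. It is not code from this article or from any antivirus vendor: the "files" are constructed byte strings, not real malware, and the scanner (`scan_static`), the packer stand-in (`repack`) and the signature sets are hypothetical. It shows why an exact-hash signature misses a one-byte variant, why a byte-pattern signature catches that variant but not a repacked copy, and why the repacked copy stays "allowed" on an endpoint until the new signature reaches it.

```python
import hashlib
import zlib

# Constructed stand-in "files": plain byte strings, not real malware.
# The point is how a static, signature-only scanner behaves when the same
# content reappears in a slightly different or repacked form.
KNOWN_SAMPLE = b"MZ\x90\x00 family-A build-1 writes helper.tmp then runs it"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_static(data: bytes, hash_sigs: set, pattern_sigs: list) -> str:
    """Verdict of a purely signature-based scanner: exact hash first, then
    byte-pattern ("string") signatures. Nothing is executed or unpacked."""
    if sha256(data) in hash_sigs:
        return "blocked:hash"
    if any(p in data for p in pattern_sigs):
        return "blocked:pattern"
    return "allowed"


def repack(data: bytes) -> bytes:
    """Hypothetical packer stand-in: the original bytes exist only inside a
    compressed blob, so neither the hash nor the byte pattern is visible to
    a scanner that does not unpack the file before scanning."""
    return b"STUB:" + zlib.compress(data)


def evaluate() -> dict:
    # Signature set as shipped on day one, derived from the known sample.
    hash_sigs = {sha256(KNOWN_SAMPLE)}
    pattern_sigs = [b"family-A"]

    variant = KNOWN_SAMPLE.replace(b"build-1", b"build-2")  # one-byte change
    packed = repack(KNOWN_SAMPLE)

    before_update = {
        "original": scan_static(KNOWN_SAMPLE, hash_sigs, pattern_sigs),
        "one_byte_variant": scan_static(variant, hash_sigs, pattern_sigs),
        "repacked": scan_static(packed, hash_sigs, pattern_sigs),
    }

    # The vendor later ships a signature for the packed form. Endpoints that
    # have not yet received this update still return "allowed" for it.
    updated_hash_sigs = hash_sigs | {sha256(packed)}
    after_update = scan_static(packed, updated_hash_sigs, pattern_sigs)

    return {"before_update": before_update, "after_update": after_update}


if __name__ == "__main__":
    for stage, verdict in evaluate().items():
        print(stage, verdict)
```

Running it shows the original blocked by hash, the one-byte variant blocked only because a broader pattern signature exists, and the repacked copy allowed until the updated hash set is in place. The gap between "signature written" and "signature on every endpoint" is exactly the window the Gartner quote refers to, and it is a property of the scanning model, not of any one vendor's update speed.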
2) Your antivirus is slowing you down
When antivirus isn’t doing its job, that’s bad enough, but it can also make it harder for admins and users to do theirs. Constant updates and file scanning are notorious antivirus pain points. In fact, when Barkly asked IT and security pros what their challenges with their current endpoint protection were, “slows down user machines” was the number one answer.
While it may be common for antivirus products to cause lags, every organization has a breaking point in terms of what they will tolerate. In fact, tolerance for performance issues can sometimes be even lower than tolerance for protection gaps. From an executive’s perspective, improving security may not always be a cause that gets the blood pumping, but lost productivity and downtime are typically quick attention grabbers.
3) Antivirus false positives are wasting your valuable time
The task of blocking new threats that evolve to evade antivirus has become more challenging, and adjustments haven’t come easily for the antivirus vendors. Not only are antivirus products facing growing pressure to identify and block malicious executables that haven’t been seen before (that don’t have signatures), they’re also being asked to analyze a wider variety of files outside their comfort zone (scripts, Office documents, and more).
The answer for many vendors has been to turn to machine learning for help. Machine learning models allow antivirus to move beyond the strict reliance on signature matching. When they encounter new files that don’t have signatures, for example, they can ask the model to make a prediction as to whether the new files are malicious or benign. Not all machine learning models are created equal, however, and the general tendency has been to err on the side of caution and more aggressive flagging. As a result, anything new or out of the ordinary is seen as suspicious. On one hand, that makes perfect sense. "Better safe than sorry" is what security is all about. However, as with performance issues, false positives can quickly cross the line and have a disproportionate, disruptive impact on a business.
According to a recent Ponemon study, companies waste an average of 425 hours a week responding to and investigating false positives, costing them an average of $1.4 million annually. For small businesses that don’t have security teams dedicated to this time-consuming task, the problem can also quickly have a “boy who cried wolf” effect. Three in ten IT pros admit to ignoring security alerts due to high volumes of false positives.
If your antivirus is inundating you with false positives, that’s another sign it’s time to make a switch. Do it before you become resigned to a life of constant whitelisting, or before a dangerous case of alert fatigue sets in.
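The paragraphs above describe a model that "errs on the side of caution" and the alert volume that results. The following added Python example (not from this article, not any vendor's model) works that tradeoff through on constructed data: a toy score distribution for benign and malicious files, a flagging threshold, and a projection onto an assumed fleet seeing 100,000 new files a day of which 0.1% are actually malicious. The names `rates` and `expected_daily_alerts` and all of the numbers are assumptions made for the illustration.

```python
# Constructed classifier scores (0 = confidently benign, 1 = confidently
# malicious). They are not from any vendor's model: benign files are
# generated to cluster near 0 with a long tail, malicious files near 1.
BENIGN_SCORES = [(i / 200) ** 2 for i in range(200)]        # 200 benign files
MALICIOUS_SCORES = [1 - (i / 50) ** 3 for i in range(50)]   # 50 malicious files


def rates(threshold: float) -> tuple:
    """False-positive and true-positive rate when every file scoring at or
    above `threshold` is flagged. A lower threshold is a more aggressive model."""
    fpr = sum(1 for s in BENIGN_SCORES if s >= threshold) / len(BENIGN_SCORES)
    tpr = sum(1 for s in MALICIOUS_SCORES if s >= threshold) / len(MALICIOUS_SCORES)
    return fpr, tpr


def expected_daily_alerts(threshold: float, files_per_day: int = 100_000,
                          base_rate: float = 0.001) -> dict:
    """Project the rates onto a fleet. `files_per_day` and `base_rate` are
    assumed figures (new files seen fleet-wide per day, and the fraction of
    them that are really malicious), not numbers from the article."""
    fpr, tpr = rates(threshold)
    malicious = files_per_day * base_rate
    benign = files_per_day - malicious
    false_alerts = benign * fpr
    true_alerts = malicious * tpr
    return {
        "threshold": threshold,
        "false_alerts": false_alerts,
        "true_alerts": true_alerts,
        "missed": malicious - true_alerts,
        # Share of alerts that are real: what the person triaging them feels.
        "precision": true_alerts / (true_alerts + false_alerts),
    }


if __name__ == "__main__":
    print(f"{'thr':>5} {'FPR':>6} {'TPR':>6} {'false/day':>10} {'true/day':>9} {'precision':>9}")
    for t in (0.5, 0.8, 0.95):
        r = expected_daily_alerts(t)
        fpr, tpr = rates(t)
        print(f"{t:>5} {fpr:>6.3f} {tpr:>6.2f} {r['false_alerts']:>10.0f} "
              f"{r['true_alerts']:>9.0f} {r['precision']:>9.3f}")
```

On this constructed data, lowering the threshold from 0.95 to 0.5 raises detection from 38% to 80% of the malicious set but multiplies daily false alerts by more than ten, from roughly 2,500 to roughly 29,000. Because benign files outnumber malicious ones by a thousand to one, even the strict threshold leaves fewer than 2% of alerts real. That base-rate effect, rather than any single bad model, is why aggressive flagging turns into the alert fatigue the article describes, and it is worth asking a vendor for measured false-positive rates on your own file population rather than on a lab corpus.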
Moving on from legacy antivirus
Making the decision to move away from a problematic antivirus isn’t always easy, but it has become increasingly common, and SMBs are doing it in waves. The marketplace has never offered more options, so the time is right and you don’t have to settle. You owe it to yourself and your organization to see what’s out there and find a solution that provides the strongest protection while making your life easier, not harder. For SMBs looking for help, here is an Endpoint Protection Evaluation Guide that points to key criteria and questions to ask.