Accessibility Tools

Skip to main content

Cyber Essentials Certification - Malware Protection

Cyber Essentials Malware Protection -

When attackers attempt to compromise systems, they often try to do it by loading some sort of malware code onto your device, Cyber Essentials deals with this by ensuring that organisations have strong practices to protect their devices from being compromised easily.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.

 Glossary Terms in this Blog Article - hover to view, click for full glossary.



Research has shown that:

  • In 2015 the global cost of malware each month was $500 billion, the estimate for 2021 so far is $6 trillion;
  • Out of 50,000 security incidents, email was the entry point for 92% of them;
  • In 2017 61% of breach victims had less than 1000 employees;
  • 60% of Organisations have understaffed cyber security teams.

For cyber criminals the use and spread of malware as their mode of operation is big and will continue to get bigger, whilst Organisations are under resourced to protect themselves. This is where the Cyber Essentials control requirements come in.

Default sample awareness and knowledge infographic

What Organisations get Wrong with Anti-Malware Protection

For cyber security professionals, anti-malware protection has always been a no-brainer, as the controls are relatively low or zero cost. But somehow this message hasn’t got through to all Smaller Organisations, some of the factors include the following:

  • Smaller Organisations are more likely to believe that they won’t be targets, so in believing the low risk of attack they don’t take the precautions they should.
  • Smaller Organisations don’t appreciate the rising increases in malware on all platforms, not just Windows, but on Apple operating systems, as well as all mobile platforms. The rise essentially means that the risks are increasing from one year to the next not staying the same.
  • Smaller Organisations are more likely to believe that they have done enough to stop malware and not review their controls regularly.
  • They selectively (or mistakenly) take one piece of information on controls, whilst ignoring the others – for example, they may have heard they it is not necessary to use paid-for anti-malware applications. So, they rely only Windows Defender, without considering patches (and critical updates), or to login to their devices as a non-admin user. As we have covered previously applications including malware can only be installed when a user is logged in as an administrator, and that most malware exploits vulnerabilities which were included in patch updates.
  • Smaller Organisations don’t appreciate the principles of defence in depth or the layered approach and are less likely to utilise more than one or two layers, on the assumption that every layer is additional work for someone to maintain, or a blocker to getting things done.
  • Even though ransomware as a form of malware has been in the news, boards of Smaller Organisations don’t necessarily identify this as a risk to their organisation as something that can devastate their Organisation. In fact, in some cases, due to the high-profile examples in the press, leads them to re-enforce their view that only larger organisations are likely to be attacked.
  • Not appreciating that some types of malware spreads without any interaction.
  • A high percentage of malware is spread via links clicked in emails or other websites, so making use of filtering services is much more important than they realise.
  • Phishing campaigns are successful because they are geared to catch out a small (3-8) percentage of users who are either busy or not paying attention for some other reason. Smaller Organisations often don’t educate their users on spotting phishing attacks, or don’t have adequate anti-phishing filtering in place.

As can be seen in many cases, it’s about a lack of education and awareness of the actual risk to their organisation.

What is the Aim of Anti-Malware Controls?

The obvious answer to this question is to stop malware, but in fact the answer goes far deeper than a simple response, and includes the following:

  • To stop any unauthorised applications being installed and causing any damage or harm.
  • Reduce data leakage and theft resulting in loss of business or assets.
  • Reduce data breaches.
  • Reduce Ransomware and other costly malware extortion.
  • Reduce the likelihood of resources being used without permission (for example, processing power being used for bitcoin mining).
  • Reduce the likelihood that access credentials used for partner, customer or supplier logins are not used to compromise them or their services.
  • Reduce the likelihood of any of the (previously mentioned points) above leading to non-compliance or regulatory fines.

We’ve used the word ‘reduce’ often here, as there are many negative outcomes that Organisations are likely to be wanting to avoid through this group of controls.

Impacts of not Responding to Malware as a Threat

Organisations which have had malware will testify that they were impacted in multiple ways all at the same time. Some of the impacts include the following:

  • Operations are interrupted – this means staff and other costs are still being paid with no work able to continue.
  • Theft or loss of data and other assets – (including exfiltration of data), depending on the operating sector, this may be anything from confidential data through to banking authentication credentials.
  • Extortion – ransomware is currently the number one malware the public is aware of, but we already know that any data breach may lead to extortion through the threat of disclosure to the regulator.
  • Consumption of resources – control, use or diversion of resources may cost the organisation on services that are being used for activities by criminals, e.g., for crypto-mining.
  • Regulatory fines – it is possible that even if an Organisation experiences all of the above, it could still be hit with a fine, unless it can demonstrate it took reasonable measures to protect itself.

Organisations in different sectors will be exposed to more specialised impacts, but on the whole no organisation will escape impact after a malware infection.

Default sample Threat Map infographic


This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 

Images from