The rise of new and unknown threats in the late 80’s led us to servicing businesses and governments in central Europe. By the Late 90’s malware was increasing exponentially and we felt the need to improve our product, so we decided to give it for free, out of the belief that consumers will test it and give us feedback that will help us improve. By the year 2000, we had tens of millions of users, and individual consumers became an important part of our work. Consumer demands were driving the IT evolution, and we released more and more products that go way beyond anti-malware. We consider the free model an important part of our story. Everyone should have access to a safe internet, they go to websites and download files, and we’re giving them feedback & analysis. We look at things like device security, data loss prevention, privacy violations, browser history, identity management and passwords. The last building block is how to manage IT systems with multiple devices and services. Being in the middle, we noticed that performance and security are closely related. People tend to think that security and performance contradict, and that in order to get security one must compromise their performance. What we have come to learn is that - as we use best coding practices and keep our machines up to date - good performance actually makes our products safer.
How do you manage to provide free antivirus? And how is it different from your premium service?
The evolution of our company, which includes all of our technologies and solutions, has been very focused on the consumers, as they evolve in the connected world. Part of our service is free to all users who can benefit from it. If you look around the world, millions are using our free products. But essentially, it is a consumer-oriented Freemium model, with many features that can be purchased to expand the basic package in different ways.
What are some other misconceptions regarding antivirus?
People believe that certain devices are not vulnerable and that’s a big misconception. Malware authors are targeting popular devices so really, nothing is sacred anymore. Another common misconception is that you can only get infected if you download files and programs, but the fact is that vulnerabilities can be exploited even through files and documents within the browser, using JavaScript injections. Anti-malware technology protects you on the device level. The last issue that not many talk about is the issue of trust. The malware community is targeting users based on their level of trust, and this is what we call social engineering. If I present myself as someone you know, there are higher chances you’d open my email or download my files. At the bottom line: assume nothing is trustworthy and only talk to people you know.
How do you explain the duality between the rise of internet surveillance on the one hand and privacy protection regulations on the other hand?
Within the last 18 months we’ve released many products in this arena, from basic browser extensions, tracking web connections, chrome based browser, VPN, and apps for iOS devices. 2 things are happening: Most people don’t realize that their right for privacy is constantly being violated. We should all keep a level of awareness that what you do online belongs to you, and that you get to decide how public you want to make it.
Many have criticized IoT as being a threat to personal privacy and security. What are your personal views on this? What type of solutions can Avira offer to people using IoT devices in their homes?
Technology evolution is always based on features and functionality, leaving security second in priority. Users expect the manufacturer to protect them, but they don’t demand it, they demand functionality. Last September we saw the big IOT denial of service attack, when baby monitors were being tracked. Those incidents could have been predicted as there were preliminary indicators of unusual behavior, but like I said, security is not a top priority from the users perspective, and therefore manufacturers and developers don’t invest enough in that area. Lighting heating, CCTV, sensory active networks - They all have a particular purpose and behavior which you can quickly define through their control center. A good strategy would be to monitor unusual behavior so if somebody breaks in you can see what they do. You can’t do much on the device level but you can watch the network and recognize unusual behavior. Currently Avira doesn’t offer any products that are specific for IOT systems, but going forward, we are looking at certain vendors to increase their product security by providing a solution that helps the end user monitor the network activity.
Avira has recently been targeted for a malvertizing campaign. Please summarize this experience, what did you do to tackle it? How has it affected your reputation as a company?
Social engineers are performing this kind of psychological manipulation all the time. Resolving it remains a challenge. When you have a popular product and people know you’re a trustworthy vendor, there will always be someone who would try to advantage of your users and the fact that they trust you. If they manage to get someone’s trust they’ll capture their identity and inject something into their device for their own advantage. Protecting our own products to make sure they don’t get attacked by mafia, governments or advertising agencies is an ever-lasting cat and mouse game. Then there are those who think that in order to solve this, they should go for a less popular company that’s less likely to be targeted. But that creates an opposite problem: obscure companies don’t have the visibility to know what the dangers are, and if they do get targeted, they will usually try to hide it. With us, if a scam like that is being attempted, our users would be the first to know about it.
What would you advise to companies experiencing similar attacks?
Our products are our own technology which we sell to other companies like McAfee, so first and foremost we use technologies that we know are bullet proof. Protecting your brand is a bit different; it’s an act of constantly watching social media channels to know what’s happening. Make sure that your sensors are on. Tweets or weird traffic on your website can be early indicators that you’re being targeted for a scam. If you find anything suspicious, you should react quickly; contact your ISP, local cert or security vendor, or start a PR campaign, depending on the type of attack. There is no one solution that fits all.
How do you see the future of internet security in 5 years from now?
Cyber security is addressing the silent attack. It’s a basic principle by which, as a consumer of digital devices, you will not be able to recognize that you’ve been hacked; this will still prevail in 5 years. With sneaky data mining techniques, attackers will be able to get whatever information they want, and still remain silent. We are already on the verge of a digital revolution where everything is connected: our laptops our cars, our lighting and of course our phones, so threats are increasing to an exponential level. Vendors like us have to match 2 evolutions: There’s a balance of education that needs to be met. We all know there is a solution we need, we call it vpn because that’s the technology that is used, but my grandfather and daughter don’t understand what that term even means. A one-click install is the biggest challenge which, if met, will allow many more users to take advantage of available security solutions like ours. We are trying to go in that direction with our free and prime security suites. Everything we have as a company which you can purchase or download, we will ensure your devices will get the newest solutions we have to offer.