## **2. Related work**

There is a wealth of literature covering many aspects of malware impact, including data protection and privacy, big data risks, and AI defense mechanisms, as discussed in the following subsections. In this chapter, we restrict our attention to the areas relevant to detecting malware in SMEs by implementing AI.

### **2.1 Data protection and privacy**

Data protection against malware is the biggest challenge facing the industry, and in general, malware represents a classic example of a confidentiality breach exposing personal data held by a company on its servers [6]. A Trojan horse is a type of malware that, when downloaded to a computer, resembles a legitimate program; hacktivists use social engineering to infect computers with it [7]. Most Trojans are designed to take control of a user's computer, steal data, and install further malware in the process; once a host computer is infected, they pose significant threats to the business. They do not particularly target large organizations: according to the reports, 29% of cybercrimes affecting SMEs were caused by malware attacks [8]. Trojans rely on human error [9]: unlike other forms of malware, they do not simply appear on a machine and start damaging the system on their own, but need to be manually opened. Once triggered [9], they have the capability to delete, block, modify, and copy data, and to disrupt the performance of computers [10], damaging the organization's data and the personal data collected, processed, and stored on them.

Phishing is another variant of cyber-attack used by hacktivists to victimize users by deceptively persuading them to disclose personal and other critical information; they do this by asking the user to perform seemingly routine procedures in personal data handling, such as clicking on a link to download files and applications [11]. The attackers use this technique to transmit malicious links that deliver viruses and worms, and if the victim follows the given instructions, the attacker gains access to private systems and the personal information held in them. Staff can easily be caught unaware of the dangers due to a lack of knowledge or a lapse in concentration, and leaking personal data to the outside world would cause immense damage to the organization, with serious repercussions. In an extended phishing campaign between 2013 and 2015, the attacker sent faked invoices impersonating Quanta (a Taiwan-based company) as a vendor to Facebook and Google, and both companies were tricked out of a sum of \$100 million in payments [12]. Eventually, Facebook and Google discovered the fraud and took legal action through the US legislature [12]. This clearly indicates that large companies are not immune, and studies reveal that phishing attacks are among the most common cyber incidents that SMEs are likely to fall victim to [1]. For instance, cybercriminals made concerted efforts to compromise accounts by using phishing emails with the subject 'Covid-19' [1], taking advantage of the concerns arising from the pandemic.

According to the National Cyber Security Centre (NCSC), ransomware is one of the most immediate dangers to UK businesses and other organizations [2]. 'Ransomware' is a particular variant of malware that takes hold of data and network devices and encrypts them, preventing user access [13]; access can be restored only by meeting the hacker's demand to pay the ransom. However, it is not always possible to regain access to locked data, as the hacktivists can refuse to unlock the devices until the ransom is paid, or even after the payment is made; in such a scenario, the organization incurs data and financial losses, while also ending up with a damaged reputation in the eyes of the public. Hackers have targeted a range of industries (automotive, business services, food and agriculture, healthcare, insurance, law enforcement, oil and gas, and tech), demanding ransoms [14], and SMEs have not escaped harassment from the criminals. The reports suggest that many SMEs tend to assume that 'higher value targets', such as critical infrastructure and larger organizations, are likely to be the prime targets [2], but the statistics suggest that 82% of ransomware attacks also target small businesses [15]. The inference drawn from these statistics is that the primary objective of hackers is to obtain data regardless of the size of the organization. The reports also suggest that, in the recent climate of cyber incidents, ransomware attacks have become a menace to organizations as well as to individuals, hindering timely access to their personal data [16]. Therefore, any organization collecting, processing, and storing information should stay alert to the threats.

Another type of malicious software is known as 'Spyware': malicious software or apps (malware) stealthily installed to monitor and track device activity [17]. It allows the attackers remote access to the victim's devices and enables the hackers to invade people's privacy by reading messages, listening to phone calls, accessing photos, viewing browsing history, and capturing and transferring audio and camera recordings in real time [18]. According to the statistics, spyware was the third most popular malware used in attacks against organizations in 2021, and the second most used in attacks on individuals [19]. In January 2020, a United Nations (UN) investigation discovered that the smartphone of Amazon's CEO, Jeff Bezos, had been targeted by spyware and that several megabytes of data had been extracted from it over a considerable period (months) [19]. The UN report identified Pegasus spyware, created and sold by the Israel-based NSO Group, as the intruder, and another investigation conducted by Amnesty International's cybersecurity team identified the same spyware on the phones of hundreds of people [19]. Therefore, organizations dealing with personal data need to be aware of the reality of these threats and have preventative mechanisms in place to deter spyware attacks. Failure to do so allows hackers to obtain sensitive data through spyware attacks and sell the captured data on the Dark Web, with consequences ranging from immense damage to personal privacy in the first place to, eventually, threats to national security.

## *Detection and Minimization of Malware by Implementing AI in SMEs DOI: http://dx.doi.org/10.5772/intechopen.108229*

Adware is another unwelcome type of software designed to throw advertisements up on the user's screen; it piggybacks on another program to trick the user into installing it on a PC, tablet, or mobile device [20]. Once the user's device is hijacked by the adware, it detects the location, collects information about the Internet sites visited, and presents advertising pertaining to the types of goods or services searched for by the user [20]. There is also a risk of data being shared with third parties, which amounts to a violation of personal privacy. The threat posed by adware is not limited to large companies; it affects everyone regardless of the size of the organization, and the consequences can range from threats to personal security to threats to national security.

Malware, in general, represents a classic example of a confidentiality breach: it extracts and exposes personal data held by a company by hacking into systems and devices and downloading the personal data from them [6]. In the process, malware causes interruptions to the network of the enterprise irrespective of the organization's size. Malware also has the capability to record browsing history, monitor the applications being used, and make copies of personal information such as user IDs, passwords, and bank account details. Moreover, by compromising the network of an organization, malware can affect the confidentiality and integrity of personal data and delete, edit, or steal it. In some cases, malware can potentially disable critical services offered by the company, making those services unavailable to clients, with consequences that damage the organization's reputation, affect its trustworthiness, and contribute to financial losses.

Data is valuable to any organization, whether large or small, and the crucial issue is that it is a sellable item: anyone gaining access to it can make money by selling it to the highest bidder on the dark web. Data is wide-ranging and consists of information about the organization and sensitive personal data about employees and clients, and the onus is on the respective organization to ensure the security of that data by having adequate data protection mechanisms in place, in compliance with the data protection regulations applicable at the regional or country level. For example, an organization in the UK collecting, processing, and storing information about its customers has an obligation to follow the data protection mechanisms and guidelines set out in the UK GDPR, which is on par with the EU regulation. Likewise, any organization outside the EU that is engaged in commercial activities processing the information of EU citizens is also bound by the EU GDPR.

The application of the GDPR does not depend on the size of the organization. Whether it is an SME or a large organization in the EU or UK, if it collects, processes, and stores data, it must abide by the GDPR regulations. However, some of the obligations of the GDPR may not apply to all SMEs with fewer than 250 employees. For example, SMEs do not have to keep records of their processing activities unless the processing of personal data is a regular occurrence, poses a potential threat to individuals' rights and freedoms, or includes sensitive data or criminal records [21, 22]. Also, SMEs are required to appoint a Data Protection Officer only if the organization processes data as part of its main business and that processing may pose threats to individuals' rights and freedoms [22].

A common misconception was that the GDPR would only look into the data protection practices of large multinational enterprises. The €50 m fine imposed on Google by the Commission Nationale de l'Informatique et des Libertés (CNIL) and the €204 m fine imposed on British Airways were high in comparison with what had been imposed on smaller enterprises [23]. However, CNIL also imposed a fine of €400,000 on the real estate firm SERGIC, whilst the smaller advertising agency QuickClickNow was served with a fine of only €47,000 by the Polish Data Protection Authority [23].

The GDPR stipulates that, for a data breach of any kind associated with any variant of malware attack, the data subjects and the relevant authorities should be notified within 72 hours [6], and that the data breach notification should include details of the nature of the breach. These are specified as: the personal data concerned; the name and contact details of the data protection officer; a contact point for obtaining additional information; the consequences of the personal data breach; a description of the measures taken or proposed to deal with the data breach, and of the measures taken to mitigate any adverse effects; clear advice on the steps that the individuals should take to protect themselves; and what assistance the organization would be prepared to offer them [24]. This framework of data protection mechanisms would provide organizations with the know-how and competences to deal with malware-related data breaches with confidence, and to avoid the damage to and impact on the reputation and trustworthiness of the organization.
