The time is long past when malware reached computers through websites with questionable content, or in the form of a tempting screensaver. Nowadays, cybercriminals hide their code in popular websites with high click rates – or on their own pages that use clever search engine optimization to arrive at the top of search lists. Particularly insidious is the method by which infected links use a sham cover to appear trustworthy – such as with a falsified e-mail address.
It is surprising that many users are not aware of the dangers of drive-by malware downloads. A recent security report by G Data indicates that nearly half of users surveyed are misinformed. For example, nine out of ten Internet users worldwide believe that an attack by malicious code against their PC would cause a recognizable result such as a system crash. On the contrary, today's hackers are less interested in creating exciting drama than in stealing data, and such theft is most effective when the user is unaware it has occurred.
The threat of hackers taking control of a computer as part of a botnet used to send spam and Trojans is declining, but far from eradicated. Such abuse is often hard to identify, because mass e-mailing is barely detectable at high broadband speeds. Regular, systematic checks can ensure awareness in these cases, such as the one offered in several languages by the German Internet industry association at www.botfrei.de.
Security packages including at least antivirus and firewall software offer basic protection against malware. However, because hackers are constantly adapting their code to take advantage of security gaps in software or browsers, this basic protection must always include regular security updates.
What is important is to gather all measures into an overall approach that includes the IT infrastructure itself as well as security guidelines and regular verification. The variety of available hardware and software (let alone virtualized environments) is greater than ever today – and so complex that even IT administrators can lack a proper overview. A security approach that creates trust, in the sense of the Managing Trust topic, therefore includes consistent documentation of programs and updates. Training is another necessary component of a comprehensive security strategy, because user knowledge can sometimes be a decisive security factor.