
Software download risks: what every SME needs to know

Downloading software from the wrong source can cripple your business in hours. Here are the real risks and how to avoid them.


Is downloading software from the wrong source really that dangerous?

Yes. And the problem isn’t the exception — it’s the rule. According to the 2025 national cyber maturity barometer for small businesses published by cybermalveillance.gouv.fr (France’s national platform for cyber threat prevention), 16% of businesses surveyed reported experiencing a cyber incident in the past 12 months. Among the most common vectors: software downloaded from unofficial sources.

A team member grabbing a free tool from a third-party site, a pirated application to save on a licence fee, an update received by email… Each of these actions can introduce silent malware onto your network. In 15 years of working with SMEs in Reunion Island and mainland France, we’ve seen businesses locked out for days after a compromise that started with a single poorly-sourced executable.

What counts as a dubious source for software?

A dubious source is anything that doesn’t come directly from the software’s official publisher. It takes several very concrete forms.

Download aggregator sites (Softonic, CNET Downloads, and similar platforms) have long been popular. They often wrap original installers in their own packages that add toolbars, change browser settings, or silently install adware. It’s not illegal — you technically “accepted” something by clicking “Next” too quickly.

Cracked versions and serial generators are in a category of their own. Behind the promise of commercial software for free, you’re downloading an executable whose contents you cannot verify. ANSSI (France’s national cybersecurity agency) is explicit on this in its cybersecurity guide for small businesses: software from uncontrolled sources is a direct gateway for attackers.

Download links in unsolicited emails are the third vector. An email claiming to send you an Adobe update, a “new version” of your accounting software, or a tool signed by a “partner” you’ve never dealt with — same format, same visual presentation as the original, with a booby-trapped executable inside.

What types of malware are introduced through downloads?

Almost all of them. But some are particularly common in this context.

Ransomware encrypts all your files and demands payment to recover them. In 2022, 40% of ransomware attacks in France targeted small or mid-sized businesses according to ANSSI. The average cost of a ransomware attack exceeds 200,000 EUR when you add up downtime, data recovery, and crisis communication — not to mention that 75% of French businesses affected choose to pay the ransom (Channelnews, 2024), with no guarantee of success.

Banking trojans work differently: they embed themselves in the browser and silently capture your login credentials for online banking. Your accountant connects to the bank, and the trojan forwards the codes to the attacker. You notice nothing for weeks.

Spyware and keyloggers record everything you type. Passwords, client data, contracts being drafted — everything is exfiltrated. A legal sector SME we assisted after an incident had suffered three months of data leakage before anyone realised what was happening. The source: a scheduling tool downloaded from a third-party site.

Cryptominers use your machines’ resources to mine cryptocurrency for the attacker. Visible symptom: workstations become abnormally slow, fans run at full speed constantly. Less destructive than ransomware, but indicative of a compromise you haven’t detected.

Why are SMEs particularly exposed?

Nearly 60% of malware attack victims are small and medium-sized enterprises (Cyber Cover, BSA data). The reason isn’t technical — it’s about resources and culture.

In a large enterprise, the list of authorised software is defined by a centralised IT policy. Nobody can install anything without approval. In a 15-person SME, reality is often different: employees have admin rights on their workstations, download what they need when they need it, and nobody validates sources.

The second factor: budget. A Photoshop licence is expensive. The temptation to use a crack is real, especially for occasional use. But the calculation doesn’t hold up against the cost of a compromise. The cybermalveillance 2025 barometer confirms it: three-quarters of the small businesses surveyed invest less than 2,000 EUR a year in cybersecurity — a budget that is clearly insufficient given the risks.

Checklist: how to secure software downloads in your SME

This isn’t about an enormous budget. These are operating rules that any SME can apply.

Before installing anything:

  • Go directly to the publisher’s official website. Typing the software name into Google and clicking the first result is not enough — malvertising campaigns regularly place fake sites at the top of sponsored results.
  • Check the installer’s digital signature. On Windows, right-click the executable > Properties > Digital Signatures. If the field is empty or the signer doesn’t match the expected publisher, don’t install.
  • Verify the file hash. Most publishers provide the SHA-256 hash of their installers. Compare it using certutil (Windows) or shasum (macOS/Linux) before running.
  • Submit the file to VirusTotal before installation. It’s free, takes 30 seconds, and runs 70 antivirus engines.
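As an added example (not part of the article and not ECLAUD IT’s own tooling), here is the hash check from the checklist above written as a small POSIX shell script for macOS/Linux. It computes the SHA-256 with whichever tool the OS provides (sha256sum or shasum), normalises the hash copied from the vendor page, refuses a value that is not a SHA-256 at all, and can look an installer up in a vendor’s SHA256SUMS file. The function names and any sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article or from ECLAUD IT): verify a downloaded
# installer against the SHA-256 its publisher lists. Function names and the
# sample installer/checksum data used with it are constructed for illustration.

# Print the lowercase hex SHA-256 of the file "$1", using whichever tool the
# OS ships: sha256sum (Linux) or shasum (macOS). Returns 2 if neither exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "error: no SHA-256 tool (sha256sum/shasum) found" >&2
    return 2
  fi
}

# Normalise a hash copied from a vendor page: drop whitespace (some vendors
# print it in groups of 8) and fold to lowercase so "BA78..." equals "ba78...".
normalise_hash() {
  printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# verify_installer FILE PUBLISHED_SHA256
# Returns 0 on match, 1 on mismatch, 3 if PUBLISHED_SHA256 is not a SHA-256 at
# all (64 hex chars). The length check catches a common slip: pasting an MD5 or
# SHA-1 from the vendor page and "verifying" against the wrong digest.
verify_installer() {
  file="$1"
  expected=$(normalise_hash "$2")
  case "$expected" in
    *[!0-9a-f]*|"") echo "error: published hash is not hex" >&2; return 3 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "error: published hash has ${#expected} hex chars, SHA-256 needs 64" >&2
    return 3
  fi
  actual=$(sha256_of "$file") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA-256"
    return 0
  fi
  echo "MISMATCH: do not run $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# verify_from_sums FILE SUMS_FILE
# Many publishers ship a SHA256SUMS file with one "hash  name" line per
# release artefact (a leading '*' on the name means binary mode). Look up the
# entry whose name matches FILE's basename and verify against it. Returns 4
# when the file has no entry at all.
verify_from_sums() {
  file="$1"
  name=$(basename "$file")
  published=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2")
  if [ -z "$published" ]; then
    echo "error: no entry for $name in $2" >&2
    return 4
  fi
  verify_installer "$file" "$published"
}

# Usage when run as a script:
#   sh verify_installer.sh <downloaded-file> <published-sha256>
#   sh verify_installer.sh <downloaded-file> --sums <SHA256SUMS-file>
if [ "$#" -eq 3 ] && [ "$2" = "--sums" ]; then
  verify_from_sums "$1" "$3"
elif [ "$#" -eq 2 ]; then
  verify_installer "$1" "$2"
fi
```

A match proves only that the file you downloaded is the one the vendor published, not that the vendor’s build is clean. A hash shown on the same page as the download link protects you only as far as you trust that page, so prefer a hash obtained through a second channel (release notes, a signed SHA256SUMS file) when one exists, and treat the signature check as the complementary control.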

For fleet management:

  • Remove admin rights from user workstations. This is the single measure with the best impact-to-effort ratio in cybersecurity according to ANSSI. Malware executed without admin rights cannot install itself deeply in the system.
  • Deploy an application whitelist (via GPO or Microsoft Intune). Only IT-approved software can be installed. Everything else is blocked by default.
  • Keep software up to date. 80% of successful exploits target known vulnerabilities for which a patch already exists. An up-to-date system is a far less attractive target.
  • Enable anti-execution protection in your EDR or antivirus. Modern solutions (Microsoft Defender, CrowdStrike, SentinelOne) can block execution of unrecognised files without human intervention.

When in doubt:

  • Don’t install. Contact your IT provider before taking a risk you can’t manage.
  • If software has already been installed from an unverified source, consider the workstation potentially compromised. An antivirus scan isn’t enough — a clean reinstall is often the only guarantee.

The special case of “free” software downloaded at work

Legitimate free software exists. LibreOffice, VLC, 7-Zip — these are serious open source tools, actively maintained, downloadable from their official sites without risk. The problem isn’t free software itself.

The problem is supposedly free software that funds itself by other means — collecting your browsing data, installing unwanted extensions, reselling your usage habits to advertising networks. In a business context, this can also expose sensitive data about your clients, suppliers, or finances.

The simple rule: if you’re not paying for the software and you don’t understand how the publisher makes money, ask the question before installing. For professional tools, even a modest subscription with a reputable publisher costs infinitely less than a compromise.

What to do if dubious software has already been installed?

A few cases we’ve handled give you an idea of what you risk if you let the situation drag on.

An 8-person accounting firm in the Paris region: an employee downloaded a PDF utility from a third-party site. Two weeks later, online banking credentials were compromised. Result: 48 hours of investigation to identify the vector, reinstallation of 3 workstations, changing all banking and business credentials. Estimated total cost: 4,500 EUR (service fees + downtime).

If you suspect a dubious installation, immediately isolate the workstation from the network (disconnect the Ethernet cable or disable Wi-Fi manually, not through Windows which may itself be compromised). Call your IT provider before touching anything. Don’t reboot — some malware triggers its payload on the next restart.

A quick audit with a tool like Autoruns (Microsoft Sysinternals) can identify processes that start automatically and shouldn’t be there. It’s the first diagnostic step we take on a suspect workstation.

The often-forgotten GDPR dimension

Malware introduced through a dubious download that exfiltrates client data triggers a mandatory notification to the supervisory authority. In France, this is the CNIL; in the UK, the ICO; across the EU, your national data protection authority. If personal data of clients or employees is compromised, you have 72 hours to report it. Failure to comply can result in penalties, even if your good faith is not in question.

The CNIL states in its GDPR guide for SMEs that data processing security is a legal obligation — not an option. This includes controlling the software installed on workstations that process personal data.

What ECLAUD IT implements for its clients

On the IT estates we manage, download and installation management is part of the baseline measures included in our contracts. In practice: removal of admin rights on user workstations, deployment of Intune policies to control what can be installed, real-time security event monitoring via EDR alerts.

When an employee needs software, they submit a request — we validate the source and install it properly. It’s not an additional burden for teams: it’s often faster than searching on your own, and without the associated risk.

If you don’t yet have a clear IT policy on this topic, an audit of your IT estate provides a status report in 2 hours: installed software, sources, versions, user rights. That’s often where the first surprises are found. Our managed IT services and IT maintenance packages include this ongoing fleet monitoring. Discover all our IT services for SMEs.

See also: our secure remote work guide, the SME IT audit checklist and our SME backup guide — because a solid backup remains your last line of defence if malware gets through anyway.

Frequently asked questions

What are the risks of downloading software from dubious sources?

The main risks are malware installation (ransomware, trojans, spyware), theft of credentials and sensitive data, and compromise of the entire company network. According to ANSSI, software from uncontrolled sources is one of the most common attack vectors against SMEs. A single malicious executable can paralyse a business for days.

How can you verify that software is safe before installing it?

Download only from the publisher’s official website, check the installer’s digital signature (right-click > Properties > Digital Signatures on Windows), compare the SHA-256 hash with the one published by the vendor, and scan the file on VirusTotal before executing it. These four checks take less than 5 minutes and cover the vast majority of risks.

Is cracked or pirated software really dangerous in a business environment?

Yes, systematically. A cracked executable almost always contains code added by the crack distributor — and that code rarely does anything benign. Beyond the security risk, using unlicensed software exposes the company to direct legal liability. The cost of a legitimate licence is always lower than the cost of a cyber incident.

What should you do if an employee has installed software from a dubious site?

Isolate the workstation immediately from the network (disconnect the Ethernet cable, don’t go through Windows settings). Contact your IT provider before any further action. Don’t reboot the workstation. A quick audit with Autoruns can identify suspicious processes. If a compromise is confirmed, a clean reinstall is generally preferable to a partial cleanup attempt.

ECLAUD IT
Outsourced IT Department · Reunion Island & Paris Region