It's been a long compromise-filled road with billions of victims along the way, but businesses are finally embracing the need for creating a culture where good cyber hygiene is emphasized and rewarded. But how much is enough?
It is increasingly common knowledge that email attachments can be dangerous. And most people these days know that they should be using a harder to guess password than "password" or "123qwe." That said, there's still a looming threat lurking out there that can bring everything tumbling down, one that many companies choose to ignore. I'm talking about the use of unlicensed or pirated software.
A recent study by the U.S.-based Software Alliance (whose members consist of technology heavyweights including Apple, Microsoft, Symantec, Siemens, and others) found what you might expect: i.e., that the use of unlicensed software increases the risk of a cyberattack by over a third.
If that sounds like an acceptable risk, consider for a moment that the same report found that 37% of all software running on PCs today may be unlicensed. This ranges from individual contractors to large organizations, including Nike.
The risk isn't just limited to businesses. There was a well-publicized controversy last year regarding Kaspersky Labs, which hacked an elite NSA worker who had disabled the security software on his computer to install a pirated version of Microsoft Office. If a highly-trained security specialist will take such a huge risk, imagine the threat level posed by an untrained employee.
What's the difference between unlicensed and pirated software?
The terms are often interchangeable, but unlicensed software is software that's being used in violation of the user terms and conditions.
This can be as simple as reusing a key, or the act of copying software from one machine to another without purchasing a new license.
Pirated software is distributed via file-sharing clients like BitTorrent, or made available on black market sites--virtual and otherwise. Pirated software often has patched code to circumvent copyright restrictions and/or licensing.
An Open Secret
One of the main issues at hand is that many companies have a "don't ask, don't tell" policy when it comes to unlicensed software. If a business owner has an employee who is able to get their work done, there's not a lot of incentive to intervene or check if they've paid for all of the software used to do that work.
Now think about the number of machines that touch a single file on its way to becoming finished work product. Even with the most rigorous cyber hygiene, the moment work is executed on an employee's home computer, or by an external contractor, there can be zero control. It is an exercise in futility to attempt 100% certainty that each time a document is edited, an email is forwarded, or a media file is created that it was done on machines running fully licensed software.
Why the risk?
Given that most unlicensed or pirated software looks and works almost exactly like the licensed version, the risk in using it may seem acceptable. But consider how often your devices prompt you to download a security update for the software you use.
They all matter.
The very nature of unlicensed software means that it isn't getting updated (you're definitely not getting those update prompts). Even if you're aware that there is a vulnerability and a patch available, you can't exactly go to the developer to request that patch, when you didn't pay for the software and they have no idea who you are. And that means each security hole that wasn't patched at the time of installation is there, ready to spring a leak.
Then there's pirated software. While there is a dazzling array of software for the seemingly low price of zero dollars, the very nature of getting around a developer's licensing means hacking it. As the NSA agent previously mentioned found out, you might want to be on the lookout for getting hacked by the hacker that hacked the pirated software you're running.
What can be done?
Software Asset Management: For larger companies and organizations, the business practice of software asset management (SAM) is deployed to automate and mitigate the headaches associated with making sure that all software is properly licensed, purchased, and installed. One of the main advantages of this approach is that it yokes business strategy and legal considerations to what would otherwise be an IT decision. The more integrated approach to security helps ensure wider compliance and adoption.
The main drawback is that a company struggling to pay for a version of Photoshop for one of its employees is extraordinarily unlikely to commit the resources required.
Open Source Alternatives: There are free alternatives for most of the commonly used software out there, including word processing, email, video editing, image editing, and so on. A quick search for one of these before looking into pirated versions can most likely fulfill the need without risking the use of pilfered software.
Just Pay for the Licenses: It sounds easier said than done, but any business depending on software it hasn't paid for is being penny wise, because the cost of a compromise can be astronomical--if not an extinction level event.
The need for greater cybersecurity in business presents a cultural challenge: at its core is a question of values--and the value-add of doing things right. At the end of the day, using pirated or unlicensed software is the equivalent of leaving all your worldly belongings on the curb.