Software piracy rates are down across the board and Australian businesses have the world's fourth-lowest rate of software piracy, but the Business Software Alliance (BSA) is raising the spectre of malware-laden pirated software to push levels of unlicensed software use down even further.
“Enterprises first need to understand what has been deployed in their own networks,” the firm's latest Global Software Survey warned in citing an earlier IDC study that found a strong correlation between unlicensed software use and malware infection.
“The link between the use of illegitimate or otherwise unlicensed software and encountering malware is extremely strong.” With an estimated 39 percent of installed software not properly licensed in 2015 – a decline from 43 percent in the previous year – the BSA warned that fully 1 in 4 organisations in governance-sensitive industries like banking, insurance and securities were using unlicensed software. Interestingly, the figures suggested that CIOs were less aware of the threats posed by unlicensed commercial software – which is often used by malware authors as a lure to entice cost-sensitive businesses to install their code – than end-users and consumers.
Some 49 percent of CIOs polled for the survey identified security threats from malware as a major threat posed by unlicensed software – yet fully 60 percent of consumers and workers said the security risk from installing such software was “a critical reason” not to use unlicensed software. Similarly, CIOs underestimated the amount of unknown software that users were installing on company computers – with CIOs estimating that 15 percent of users did so but 26 percent of users saying they did so.
Of those admitting to installing outside software on work computers, 84 percent said they had installed two or more unauthorised programs. “As the report underscores, it is critically important for a company to be aware of what software is on the company network,” said BSA | The Software Alliance president and CEO Victoria A. Espinel in a statement. “Many CIOs don’t know the full extent of software deployed on their systems or if that software is legitimate.” Unauthorised software presents issues not only in terms of potential embedded malware, but also because patching of such software can be blocked by vendors or poorly applied by IT administrators.
Such patching gaps are a chronic problem and, although a recent Flexera Software audit found that they are becoming less severe over time, they still leave often-critical vulnerabilities open in enterprise IT environments – paving the way for serious data breaches by both internal and outside actors. “I couldn't think of a better case study for patching and updating vulnerable systems” than the recent 'Panama Papers' breach, LogicNow security lead Ian Trump recently told CSO Australia. “The reality is that you may have spent 20 to 25 years of your life building the business, and it could all disappear if the basics aren't being done.”
The rate of unlicensed software use in Australia – where the BSA estimated 20 percent of software is unlicensed, compared with 18 percent in New Zealand and Japan, and 17 percent in the United States – is far better than in most countries: the Asia-Pacific average, for example, is 61 percent and rates in China (70 percent), Indonesia (84 percent) and Pakistan (84 percent) reflected significantly larger problems.
Yet the figures highlight an ongoing disconnect between professed recognition of the need for cybersecurity controls and broader cost-saving measures that often lead businesses, particularly small and medium enterprises, to install pirated software – often purchased from online sources or at local markets. BSA's analysis also highlighted the ongoing lack of control over adoption of commercial cloud services, with 58 percent of users admitting they shared credentials for such services – and more than 1 in 10 sharing credentials with people outside their organisation.
Despite this, 42 percent of respondents said their employees had informal policies about sharing of login credentials, or had no policy at all.