Australians pirating software less but users more aware of malware risk than CIOs

Unlicensed software, cloud credential sharing threaten security

Software piracy rates are down across the board and Australian businesses have the world's fourth-lowest rate of software piracy, but the Business Software Alliance (BSA) is raising the spectre of malware-laden pirated software to push levels of unlicensed software use down even further.

“Enterprises first need to understand what has been deployed in their own networks,” the firm's latest Global Software Survey warned in citing an earlier IDC study that found a strong correlation between unlicensed software use and malware infection.

“The link between the use of illegitimate or otherwise unlicensed software and encountering malware is extremely strong.” With an estimated 39 percent of installed software not properly licensed in 2015 – a decline from 43 percent in the previous year – the BSA warned that fully 1 in 4 organisations in governance-sensitive industries like banking, insurance and securities were using unlicensed software. Interestingly, the figures suggested that CIOs were less aware of the threats posed by unlicensed commercial software – which is often used by malware authors as a lure to entice cost-sensitive businesses to install their code – than end-users and consumers.

Some 49 percent of CIOs polled for the survey identified security threats from malware as a major threat posed by unlicensed software – yet fully 60 percent of consumers and workers said the security risk from installing such software was “a critical reason” not to use unlicensed software. Similarly, CIOs underestimated the amount of unknown software that users were installing on company computers – with CIOs estimating that 15 percent of users did so but 26 percent of users saying they did so.

Of those admitting to installing outside software on work computers, 84 percent said they had installed two or more unauthorised programs. “As the report underscores, it is critically important for a company to be aware of what software is on the company network,” said BSA | The Software Alliance president and CEO Victoria A. Espinel in a statement. “Many CIOs don’t know the full extent of software deployed on their systems or if that software is legitimate.” Unauthorised software presents issues not only in terms of potential embedded malware, but also because patching of such software can be blocked by vendors or poorly applied by IT administrators.

Such vulnerabilities are chronic problems and, although a recent Flexera Software audit found that they're becoming less serious over time, they still perpetuate often-critical vulnerabilities in enterprise-IT environments – paving the way for serious data breaches from both internal and outside actors. “I couldn't think of a better case study for patching and updating vulnerable systems” than the recent 'Panama Papers' breach, LogicNow security lead Ian Trump recently told CSO Australia. “The reality is that you may have spent 20 to 25 years of your life building the business, and it could all disappear if the basics aren't being done.”

The rate of unlicensed software use in Australia – where the BSA estimated 20 percent of software is unlicensed, compared with 18 percent in New Zealand and Japan, and 17 percent in the United States – is far better than in most countries: the Asia-Pacific average, for example, is 61 percent and rates in China (70 percent), Indonesia (84 percent) and Pakistan (84 percent) reflected significantly larger problems.

Yet the figures highlight an ongoing disconnect between mooted recognition of the need for cybersecurity controls and broader cost-saving measures that often lead businesses, particularly small and medium enterprises, to install pirated software – often purchased from online sources or at local markets. BSA's analysis also highlighted the ongoing lack of control over adoption of commercial cloud services, with 58 percent of users admitting they shared credentials for such services – and more than 1 in 10 shared credentials with people outside their organisation.

Despite this, 42 percent of respondents said their employees had informal policies about sharing of login credentials, or had no policy at all.


Stories by David Braue
