In its ongoing quest to warn Canadians of the perils and costs of using unlicensed software, the Business Software Alliance (BSA) has released a report that tries to prove a link between the usage of unlicensed software and a user’s vulnerability to malware.
Operated and funded by major software vendors, such as Microsoft, Symantec, and Adobe, BSA has a mandate to fight software piracy, promote the use of licensed software and work with whistleblowers to bring non-compliant businesses into license compliance. It regularly sponsors studies that claim to show the cost of unlicensed software to the economy and the dangers it can pose to businesses and consumers.
Its latest offering is a report by research firm IDC that tries to identify a link between using unlicensed software and encountering more malware, potentially putting organizations at greater risk of cybercriminal activity. The message? Lower your malware risk by using licensed software.
“Malware infections can cause significant harm, and Canadian businesses are struggling with how best to protect themselves,” said Jodie Kelley, senior vice-president and general counsel at BSA, in a statement. “This analysis shows that the link between unlicensed software use and malware is real, meaning good software management is a critical first step to reducing cybersecurity risks.”
Just how real is it, though? According to the IDC report, there is a clear correlation between the rate of unlicensed software and the malware encounter rate; the two levels rise nearly in unison. For example, Canada’s unlicensed software level was 25 per cent and its malware encounter rate was 13 per cent; Morocco, on the high end, has an unlicensed software rate of 66 per cent and a malware encounter rate of 34 per cent.
Of course, as the report authors admit, correlation does not equal causation – post hoc ergo propter hoc almost never applies. Still, IDC feels “there is causal evidence” (emphasis theirs) that supports the hypothesis.
“This statistical analysis and evidence from the field point to a clear link between unlicensed software and cybersecurity threats. Not all cybersecurity threats come from malware, and not all malware comes from unlicensed software. But it is abundantly clear that some malware does come from unlicensed software — and most malware constitutes a cybersecurity threat,” concludes the IDC report.
Some threat perhaps, although just how much remains unclear. And left unexamined in the report appears to be the behavioural aspect: is using unlicensed software really the issue, or is it about behaviour? It’s possible someone who would use an unlicensed copy of Windows, for example, might engage in other potentially risky behaviour – say, not bothering with endpoint security software – that increases their vulnerability to malware.
So does using unlicensed software put you more at risk, or do people who use unlicensed software just engage in riskier behaviour regardless of whether or not their software is licensed? Perhaps that will be the next report.