Small Businesses should do a Risk Assessment on Kaspersky Software
Business is full of risk management opportunities. Every business has unique factors that may indicate a specific action. The recent announcement by the Department of Homeland Security (DHS) acting secretary Elaine Duke about removal of Kaspersky cyber security software from all federal computers is impacting businesses and consumers. Businesses are asking themselves if they too should plan for the removal of Kaspersky products.
The Binding Operational Directive (BOD), issued by DHS, mandates that all federal departments and agencies:
· identify any use or presence of Kaspersky products on their information systems in the next 30 days,
· develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and
· begin to implement the agency plans to discontinue use and remove the products from information systems at 90 days.
Who is Kaspersky Lab?
Kaspersky Lab is a Russian-owned and operated global security company. It has the largest market share in Europe in the security industry and is the fourth largest anti-virus company globally. Its products include anti-virus, internet security, password management, Internet of Things security and other security products. Over 400 million customers use its products, according to the company.
The allegation is that strong ties exist between certain company officials and Russian spy operations.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” Duke said in a statement.
Some Background
According to various news sources, there have been suspicions for some years about links between Kaspersky and Russian spy operations.
In May 2017, during a Senate intelligence committee hearing, 6 key U.S. officials stated they would not be comfortable with Kaspersky software on their computers. Respondents included then-acting FBI Director Andrew McCabe, CIA Director Mike Pompeo, National Intelligence Director Dan Coats, National Security Agency Director Adm. Mike Rogers, National Geospatial-Intelligence Agency Director Robert Cardillo and Defense Intelligence Agency Director Lt. Gen. Vincent Stewart.
It has been reported that the FBI has met in recent months with a number of companies in the infrastructure and technology fields to discuss concerns about using Kaspersky software.
In early July, the General Services Administration removed Kaspersky from an approved-vendors list.
A number of well-respected cyber security experts believe that Kaspersky software is safe and there are no ties to Russian spy operations. They say there is no evidence of wrongdoing by Kaspersky Lab. Eugene Kaspersky is admired and liked by many of his international colleagues.
Kaspersky Lab CEO and founder Eugene Kaspersky has accepted an invitation to testify before the House Science, Space and Technology Committee on Sept. 27. He is reported to have repeatedly asked to speak to Congress.
What Can Your Business Do
If your business is using Kaspersky products, you should conduct a risk assessment based on your unique business factors. Something to consider might be whether you are selling or servicing any client that does business with Russia. If the risk concern has merit, would using Kaspersky products put you or your clients at risk?
Additionally, if you do business with any company that may be implementing more stringent cyber security measures, you might need to be highly cautious about the products you use.
If you have concerns, you might also want to consider working with your clients to find alternative products for their networks, rather than using Kaspersky software.
As with any risk assessment, a key question is how the risk of taking a specific action compares with the risk of not taking that action.
Additional Information
For more information on this issue, here are some articles of interest:
· Show the proof, or cut it out with the Kaspersky Lab Russia rumors, SCO online newsletter
· FBI pushes private sector to cut ties with Kaspersky, Cyberscoop, online newsletter
· The Russian Company That Is a Danger to Our Security, New York Times editorial/opinion
· Kaspersky Lab Has Been Working With Russian Intelligence, Bloomberg BusinessWeek, online news
About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.