With all the recent news regarding the Russian-based antivirus company Kaspersky Labs, should you be worried about which antivirus software you are using? The short answer is probably no. The article and the subsequent statement from the National Cyber Security Centre (NCSC) on this clearly state: “Whatever you do, don’t panic. For example, we really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense.”
What was the story?
The story is quite simple. The NCSC advised that, for as long as Russia remains a cyber threat to the UK or its allies, the UK government should not be using Russian-based antivirus software, because potentially compromised data could be read or uploaded (legally and correctly) to Russian servers for further analysis. There is no suggestion at present that Kaspersky Labs is in fact making any of this data available to anyone outside of its own organisation. This was followed by the news that Barclays has decided to stop promoting and recommending Kaspersky Labs as an antivirus provider to its customers, a move that Kaspersky has described as “disappointing”. All of this follows on from a recent unproven accusation that a US-based NSA contractor took home confidential files that ended up in the hands of Russian hackers. This probably tells us as much about the security knowledge of the NSA worker as it does about any software he was running on his laptop.
Can we trust Kaspersky?
This is a far more complex question than a simple yes or no. The NCSC has clearly stated that it is not advising members of the public to stop using Kaspersky at all. There is no reason to believe that it is doing anything wrong or that the software is not doing exactly what it should. Bear in mind that the device you are reading this blog post on is likely made up of parts and components from all over the world, some of which collect and report data. In fact, if you knew the number of times your mobile phone shared your location with third-party applications, you would be significantly concerned. The truth is that there is far more risk of a breach from areas like:
- Not keeping software up to date
- Poor network configuration management
- Poor credential management
The advice from the NCSC is exactly this: before worrying too much about which country your software or hardware originates from, understand that nearly all breaches are, in fact, the result of the points above, not of rogue suppliers.
How GDPR plays its part in all this
This starts well before GDPR was grabbing headlines, when the EU-US Safe Harbour data sharing agreement collapsed in 2015. This was due to reports that the NSA had access to EU citizens’ data that was being collected by the US giants Facebook, Google and Apple. It led to the 2016 replacement, EU-US Privacy Shield, which has continued to draw criticism about its effectiveness. This is going to be tested even further in 2018 as the GDPR kicks in from May 25th: it clearly states that personal data needs to be stored and processed in the EU, and that if it is processed outside the EU there must be adequate protection of all personal data. This comes after only around 1000 US companies have signed up for the new Privacy Shield agreement, when there were closer to 5000 signed up previously while Safe Harbour was in place.
What can you do about understanding if you have the right technology and systems in place to be compliant?
We run two different sessions on GDPR and Cyber Essentials, depending on where you are on your GDPR journey. For those who are just starting out and want to know what GDPR is and how it will affect you, we recommend starting with our free Lunch and Learn sessions, which we run monthly. You can find the dates and book here (insert link). If you are a little further down the line, we would suggest you check out our one-day workshops, which are run by our very own Dan Cook, a certified GDPR Practitioner. Again, these run every month and go into far more detail about what you will need to know and put in place to be compliant with GDPR and to have Cyber Essentials certification in place.
Summary
While there will be stories about international espionage and data leaks for some time yet, if you are a small business owner reading these headlines, ditching all foreign software is not the answer. Your best bet is to work with your Managed Service Provider, who will make this decision for you and ensure you have the best security software in place. For example, our fixed-price IT support includes antivirus software and web content filtering as part of the service, as these items are essential to securing and protecting your staff and data.