This week, we’ve seen some concerning developments that might suggest that the global battle on cyber threats may become a regionalised affair. This focuses on multiple media reports that within the United States, federal agencies are to be prohibited from using Kaspersky Lab antivirus software, amid claims that allege Russian secret services have some form of backdoor access using the software, allowing visibility to the content within and configuration of end-user devices. A number of US retailers have announced their intention to stop selling the antivirus software.
This matters prompts up to think about the effectiveness of the security controls that we may have implemented within our businesses. To most, simply having a recognised antivirus/malware protection tool in place is sufficient, and ensuring that our users are aware of the need to regularly update definition files and scan for new issue is about as far as we should need to go. But this new development should be prompting us to look at the “integrity” of our implemented security controls – can they be trusted to provide the protection that we expect?
Whilst, as far as we are aware, there is nothing to substantiate the claims about Kaspersky Lab in this era of “fake news”, specific high-risk or regulated sectors who may be concerned with state-sponsored interference or industrial espionage should be reminded of the importance of properly evaluating the vendors and partners who contribute to their security framework.
Within Annex A of the information security standard ISO27001:2013, control A.15.1.2 requires us to address security within supplier agreements, whilst A.15.1.3 notes that agreements with suppliers shall address the risks associated with information and communication technology services. For users of our InfoSaaS Assure risk management solution, a quick reference to the Statement of Applicability will identify which assets have these controls assigned. Even if you are not a US federal agency, or a user of Kaspersky Lab, it may be prudent to revisit and map out your current supply chain relationships to identify any other “known unknowns” that your senior management need to taking a risk-based view on.
The world is always changing, and we need to ensure that the protection we provide to the valuable data of our organisations, personnel and customers is keeping up.