What does the Kaspersky ban mean for businesses?

On June 20, the US announced a ban on Russia-headquartered firm Kaspersky Lab, prohibiting the firm from selling its software in the country. Kaspersky can continue certain operational activities in the US until September 29 and after that, it is not allowed to provide updates to software already in use, forcing its customers to find alternative solutions.

The US Bureau of Industry and Security (BIS) cites multiple reasons for the ban, including the fact Kaspersky is subject to the jurisdiction of the Russian government and must comply with requests for information – which it says could put organizations at risk.

Due to the nature of its business, the US argues Kaspersky has the opportunity to install malware and withhold critical updates, leaving US citizens and critical infrastructure vulnerable to attacks and exploitation.

“The Russian Government has proven that it has the capability and intent to exploit Russian companies like Kaspersky to collect sensitive US personal information and compromise the systems and networks that use these products,” says Elizabeth Cannon, executive director of the Office of Information and Communications Technology and Services.

Headquartered in Moscow, Kaspersky has branches in 30 countries across the globe. The firm denies being engaged in activities that could threaten national security and says it continues to make contributions to the cyber security industry.

So why has the firm been banned in the US, what are the implications, and what will businesses who rely on Kaspersky deal with as a result?

Why the Kaspersky ban isn’t a surprise

The Kaspersky ban has been in the making for some time. Despite the firm’s protests, this move shouldn’t raise anybody’s eyebrows, says Jeff Watkins, chief product and technology officer at CreateFuture.

“Many Russian organizations have faced sanctions or bans over the last couple of years,” Watkins tells ITPro. “Some large organizations have already opted out of using Kaspersky solutions in fear it could become an attack vector and lead to a breach and loss of data.”

The US ban is part of increasing US sanctions on companies with links to Russia due to the war in Ukraine, says Philip Ingram, a former colonel in British military intelligence. He adds the US government is also concerned about Kaspersky’s obligation to abide by Russian law requiring companies to cooperate with the government.

“US regulators say that means its software could be exploited to identify sensitive data of citizens in the country and make it available to Russian government actors,” Ingram says. “There seems to be an increasing realization that software – and hardware – coming from Russia and China in particular, gives their intelligence services a potential advantage and quantifying the risk is difficult, so banning their use is easier.”

The politics are real and so are the theoretical concerns over using a Russian company to provide cyber security services, says Ian Thornton-Trump, CISO at Cyjax. “The data obtained by a firm can end up in the intelligence services of a nation state. That has always been a risk.”

It is easy to see why the US government is concerned, since security software is incredibly important for the operations of an organization, points out Sean Wright, head of application security at Featurespace. “It could potentially give a government great access to organizations, including some really sensitive information and data.”

How the Kaspersky ban could harm enterprises

In a statement given to ITPro, Kaspersky denied the allegations and suggested that politics might instead be behind the ban. Kaspersky also points out that the decision does not affect the company’s ability to sell and promote cyber threat intelligence offerings and training in the US.

In fact, Kaspersky asserts the measures will harm enterprises in the long term. The primary impact of these measures will be “the benefit they provide to cybercrime”, the firm says. “International cooperation between cyber security experts is crucial in the fight against malware, and yet this will restrict those efforts.”

At the same time, the company points out that the move could drive organizations to use inferior security protection products that don’t work as well, putting them at risk.

Many firms still use Kaspersky’s solutions. According to analysis from Bitsight TRACE, nearly 25% of Fortune 1000 companies appear to be leveraging Kaspersky products. This includes “dozens of government organizations and multiple US federal agencies”, says Tim Grieveson, senior vice president and global cyber risk advisor at Bitsight.

The customer impact of the Kaspersky ban

It is true the ban will have an immediate impact on thousands of US-based customers, says Grieveson. “US customers will need to transition to another antivirus solution, which can be complex, costly, and disruptive to operations, particularly for larger organizations.”

Ingram concedes the ban will have a direct impact on those customers, but he adds that “there is plenty of competition in the wings ready to move in”.

However, he thinks the move away from Kaspersky highlights the importance of firms in any country doing due diligence on suppliers. “Businesses need to wake up to the geopolitical implications of their buying decisions and understand how that can translate into actual and reputational risk. This isn’t just Kaspersky focused; it will relate to everything from Russia as well as China, Iran, and North Korea.”

Taking this into account, although it may be “a bit of a pain” to replace Kaspersky, it “won’t be the end of the world”, says Paul Lewis, CISO at Nominet. “Of course, it will take time and effort from technical teams. But if the change to a new vendor is rolled out effectively, employees shouldn’t notice the difference or be impacted too much.”

Even so, replacing a critical security product such as Kaspersky could lead to gaps in coverage, Grieveson warns. He advises firms to also be aware of what their third-party vendors and suppliers are doing to further reduce risk.

“Security leaders should understand which of their critical third-party vendors or suppliers are leveraging Kaspersky products,” he advises. “Knowing that a critical vendor has a plan to effectively transition from Kaspersky to another product will provide important assurance.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.