Is the onus on your ISP to protect you from malware?
The Australian government is contemplating legislation that would require an Internet service provider (ISP) to protect users from malware. While ISPs should do more to prevent the spread of malware, ultimately businesses and individuals must assume responsibility.
Dan Tehan, Australia’s minister of cybersecurity is pushing for Telco’s and other ISPs to take responsibility for scrubbing the web of malware. “Just as we trust banks to hold our money, just as we trust doctors with our health, in a digital age we need to be able to trust telecommunications companies to protect our information from threats,” writes Tehan in the West Australian newspaper.
Tehan argues that smaller businesses generally don’t have the resources to recognize and stop malware. He wants service providers to step up and assume the major role in preventing web threats.
Who should be responsible?
The idea raises some interesting questions. Ultimately, whose job is it to keep malware from infecting our networks and devices, and what role should the government play? Should ISPs be held accountable for cyber infections? Or is it the responsibility of businesses and end users to protect their own systems?
These complex questions are not easily answered. However, since cybercriminals utilize multiple attack vectors, and not all involve an ISP, it would be virtually impossible for your Internet service provider to fully protect you from malware. It’s true that the majority of cyberattacks do flow over the Internet and through your ISP. But not all of them do. Some of the most damaging malware infections didn’t involve the organization’s ISP at all.
Other malware vectors
According to TheRegister, when a USB flash drive is found in the parking lot, half of all people will plug it into their computers within minutes. That’s a huge security risk for organizations. Stuxnet, arguably one of the most sophisticated pieces of malware ever created, spread initially via infected flash drives. Conficker, the worm that infected millions of PCs and turned them into a giant botnet, penetrated the French Navy and the city of Manchester England through infected USB drives.
But compromised USB devices are just one malware vector that doesn’t involve your ISP. Employees can bring infected watches, health and activity trackers, and other wearables into your organization. Laptops compromised outside the corporate network are a common malware vector, and infected smartphones are an increasing problem.
The bottom line
While we agree with Mr. Tehan that ISPs can do more to detect and prevent the spread of web-based threats, they can only monitor the malicious traffic that traverses their networks. They can’t help organizations stop malware that their employees physically carry in. Ultimately, businesses and individuals must bear the responsibility for their own network and device health.