This is and has always been complete and utter bullshit. Take Microsoft's Volume Licencing, MS will check every so often (typically 3-5 years) if you're complying to your subscription and will rely for the most part on self-verification. If you're licensed for say 250 users and you find yourself having 300 users at some point you will have 50 "pirated" copies of Windows, Office, etc running. But these will all still be updated, patched and supported as part of your volume licence. Once you do a true-up on you agreement you'll pay for 300 users. Problem solved.
Plenty of enterprise software these days work on a subscription, always-on, cloud based licencing or some other method of verification to ensure legitimacy. Red Hat as an example you pay to ensure that you can download updates from the Red Hat repository, you stop paying and you're unable to download updates from the official repository and you lose support. The Operating System is still operational, it's not compromising your security in any way.
To attack their "key" findings directly :
- Cyberattacks cost businesses more than $400b in 2015 : Yeah, sure and most of those could have been prevented if basic security practices were employed (properly configured firewalls, Anti-virus, anti-malware, IDS/IPS systems, etc etc) How many of these cyberattacks were breaches by external parties hacking their way in and how many were due to "check out this cute bunny" emails or just plain social engineering?
- A strong connection exists between cyberattacks and the use of illegitimate or unlicenced software : Yes, and the Divorce rate in Maine correlates with Per capita consumption of margarine. You can get correlation between many factors if you dig deep enough. Using cracked software that's infected with malware will compromise your security, but then again, where is your anti-virus, etc etc.
- Too many CIOs are not controlling their networks, bla bla bla : The tools exist, some cost money. Executives want bonuses, so why spend money on software that will tell you to spend more money on more software? Also, have you ever taken away a users rights to install software? What about disabling mass storage devices attached to USB ports? Disable google drive, dropbox, etc?
- "Admitted installing outside software on work computers" : Yes, outside software like Chrome, Firefox, 7zip, etc is the problem. </Sarcasm>
- Mobile devices and policies : Seriously? You get MDM software, most companies won't pay for that shit and just let people connect any crap to their WiFi network. Execs wants bonuses, software costs money, denied. Exec has wants his daughters iPad to connect to corporate WiFi, is allowed because he is an exec.
</Rant> The problem is not cyberattacks, it's not unauthorized software, it's not poor or missing policies (for the most part). The issue is that most executives or business owners really don't care. They want something to work while spending the least amount of money possible. Sometimes this will mean skirting the law and pirating software, other times it will mean turning a blind eye to someone pirating software as long as the job gets done.