Recent evidence of the new BlueKeep Windows vulnerability is an excellent and scary example of the need for enterprises to have thorough, accurate and current visibility into all the devices in use by their employees and contractors.
Here’s a scenario that could happen: Joe Smith decides to work at home one night and, rather than bringing home the most recent corporate-issued device, he uses an older corporate device with an earlier version of Windows – a device he was issued a few years earlier and ‘forgot’ to return. As it turns out, BlueKeep is designed to exploit this version of Windows, and does. Joe then sends an email into the corporate network. Another employee opens the email without paying close attention, and BlueKeep has now made its way into the enterprise.
This type of scenario, unfortunately, is more common than one would think. Of all the assets at play in an enterprise – hardware or software – an estimated 30%[1] are considered ‘ghost’ assets. They are neither accounted for in any systematic way, nor have they been vetted for potential security risks. Joe’s old device is a perfect example of an asset that has gone into the Bermuda Triangle of unmanaged and unsecured assets.
While enterprises focus on the latest vulnerabilities like BlueKeep, the statistics reveal the day-to-day management of assets falls short of the level of visibility needed to thwart continued threats, whether it be ransomware, fileless malware, or denial of service attacks. Here are a few enterprise statistics:
It is safe to say these statistics do not add up to best practices in asset management, or to full support of an enterprise’s threat prevention and security programs.
Strengthening Security through Asset Management
Enterprises can take steps now to better identify all assets at play, to free themselves from antiquated, inefficient methods like spreadsheets and enforce access control policies that protect against vulnerabilities and threats.
The Center for Internet Security (CIS) lists inventory and control of hardware and software assets as the top two recommended basic controls. Automated, centralized IT asset management can fulfill these recommendations by discovering rogue devices in use, either purchased as ‘shadow IT,’ or old devices unprotected by enterprise security software. This is essential to preventing a data breach or unwanted entry by a threat.
Consider these critical practices for better IT asset management:
Taking Inventory. If the typical enterprise has as much as 30% of its assets categorized as ‘ghost’ devices, that means an organization is enabling almost one-third of its assets to contribute to costly risk. This is caused by the lack of a centralized, focused discovery tool in place. An estimated 50% of organizations have more than a dozen discovery tools, contributing to the chaos and creating unnecessary staff time to try to make sense of asset inventory. Instead, organizations can use technology capable of normalizing and reconciling data sets, providing a single point of truth and ensuring accuracy.
Getting Control. Employee onboarding and offboarding are ripe opportunities for expensive asset waste. Unless an enterprise has a modern IT asset management system in place, assets assigned to a new employee may not be properly recorded or tracked. Conversely, when an employee leaves, lack of stringent asset monitoring means devices – loaded with proprietary software – may never be returned. This can be solved by:
- Integration of IT service management (ITSM) and asset management. Enterprises can ensure that, when a help desk ticket is issued for a new employee, all assets assigned to that employee are recorded and that, if the employee’s role changes or they leave, the asset record is updated. This allows the asset to be more easily recovered for future service.
- Lifecycle tracking. Effective asset management helps IT control the use of software and hardware assets throughout an asset’s deployment. Providing employees with software patching updates, or new versions of a program, is virtually impossible to execute via a spreadsheet. To promote employee productivity and avoid risk, an asset management solution can accurately record that patching has been carried out on all relevant assets.
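The normalizing and reconciling described under Taking Inventory, together with the offboarding check under Getting Control, can be sketched as follows. This is an added example, not code from the article or from any asset management product; the record fields, sample data and the choice of MAC address as the join key are assumptions made for illustration.

```python
import re

# Constructed sample data: two discovery exports and the asset register.
NETWORK_SCAN = [
    {"mac": "00-1A-2B-3C-4D-5E", "hostname": "LT-0042.corp.example", "last_seen": "2019-06-03"},
    {"mac": "00:1a:2b:3c:4d:99", "hostname": "lt-0007", "last_seen": "2019-06-02"},
]
AGENT_EXPORT = [
    {"mac": "001a.2b3c.4d5e", "hostname": "lt-0042", "os": "Windows 10", "last_seen": "2019-06-04"},
    {"mac": "00:1A:2B:3C:4D:77", "hostname": "LT-0013", "os": "Windows 7", "last_seen": "2019-06-01"},
]
ASSET_REGISTER = [
    {"mac": "00:1a:2b:3c:4d:5e", "owner": "asmith", "owner_active": True},
    {"mac": "00:1a:2b:3c:4d:77", "owner": "jsmith", "owner_active": False},  # offboarded
    {"mac": "00:1a:2b:3c:4d:01", "owner": "bjones", "owner_active": True},
]

def norm_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def merge_sources(*sources):
    """Collapse records from several discovery tools into one per device."""
    merged = {}
    for source in sources:
        for rec in source:
            dev = merged.setdefault(norm_mac(rec["mac"]), {
                "hostname": rec["hostname"].split(".")[0].lower(),
                "os": None, "last_seen": rec["last_seen"]})
            dev["os"] = rec.get("os") or dev["os"]
            # ISO 8601 dates compare correctly as strings
            dev["last_seen"] = max(dev["last_seen"], rec["last_seen"])
    return merged

def reconcile(discovered, register):
    """Compare what is on the network with what the register says exists."""
    known = {norm_mac(r["mac"]): r for r in register}
    report = {"ghost": [], "unreturned": []}
    for mac, dev in discovered.items():
        if mac not in known:
            report["ghost"].append(dev["hostname"])       # in use, never recorded
        elif not known[mac]["owner_active"]:
            report["unreturned"].append(dev["hostname"])  # owner has left
    report["not_seen"] = sorted(set(known) - set(discovered))  # recorded, never observed
    return report

if __name__ == "__main__":
    print(reconcile(merge_sources(NETWORK_SCAN, AGENT_EXPORT), ASSET_REGISTER))
```

In the sample data the same laptop appears in three MAC notations and two hostname forms, which is why normalization has to come before any comparison with the register.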
Managing Licenses. Poor tracking and management of assets can be a sinkhole of wasted expenditures. Without an up-to-date accurate inventory, enterprises will overspend on assets. A centralized IT asset management system should be able to give accurate visibility into whether aging assets need to be retired. In some cases, asset costs can far exceed their ROI, or their depreciation value. Additionally, this complete knowledge enables enterprises to effectively plan and budget for new assets.
Optimizing software licenses is also a major benefit of a modern IT asset management system.
Audits are a driver here: it’s not a question of if an enterprise will be audited, but when. Software not purchased, maintained, or licensed correctly places organizations at risk of non-compliance. An advanced asset management system should be able to help an enterprise negotiate more favorable licensing deals, eliminate over-buying of licenses, minimize rogue purchases, and avoid fines associated with failed audits.
Automation is the Key
Employees today are working remotely, using mobile devices on the road and occasionally using a device not vetted in any way by network security. That means devices have vulnerable software that hasn’t been patched and assets that will fail the compliance scrutiny of an audit.
There is a fix. By integrating asset management and IT service management, IT has the foundation it needs to secure data and prevent a breach while managing the entire lifecycle of an asset, from onboarding through reclamation.
Managing assets in an efficient manner is the key to enterprise digital success. Technology trends like Internet of Things device growth and cloud-based workloads are making it more complex to discover all the tools an enterprise is using day-to-day. Thorough IT asset management is the place to start when bringing this complexity under control.
[1] M. Day and S. Talbot, "Data Validation the Best Practice for Data Quality in Fixed Asset Management," (White Paper) Asset Management Resources
[2] Enterprise Management Associates, “Optimizing IT for Financial Performance”
[3] EY, “Navigating through the complexities of the fixed asset management function”
[4] Enterprise Management Associates, “Optimizing IT for Financial Performance”
[5] Computer Weekly, “Embarking on a voyage of asset discovery”