By Brian White, Senior SAM Consultant, Softcat. Source: Softcat.com
Approximately 90% of people leave organisations with secure log-ins to portals that are never closed down.
That’s a scary figure when you really stop to think about it. It is one of many potential security risks that are not properly accounted for, and a consequence of non-existent or insufficient asset management processes. We’ll be exploring the way in which organisations are thinking differently about securing their assets in a series of blogs and videos due for release over the next few months, so keep your eyes peeled for our next instalment.
Given the growth in the quantity of devices and availability of data, many organisations cannot state how many assets they have and where those devices are, or even who they belong to. When you consider how imperative this is to ensuring valuable data doesn’t go astray and remains secure, it compounds the challenge organisations face.
This information is difficult to obtain because it’s frequently siloed, even in industries where the secure management of data is everything. Without a unified view of your assets, you won’t know which devices you have, whether they’re on or off-premise and in what quantities, what systems they have permission to access or indeed the software licensing obligations you’re subject to as a result. Add to this picture other factors: a startling 10 million devices are lost or stolen each year, and without proper intelligence a device with accessible company data could be missing for months before the loss is even noticed. Suffice to say, it gets complicated quickly, opening up a host of security vulnerabilities that silently go under the radar.
We’re often asked what good practice looks like in the world of asset management to help mitigate against these risks. Whilst every organisation is different, there are definitely considerations that apply to everyone. Here are our top three:
1. Properly deal with joiners and leavers
It’s an obvious one, but it’s surprising how few companies have policies governing how users joining the organisation are granted IT assets and access privileges, or how these assets are returned and privileges revoked upon exit. Without serious consideration and collaboration with other company departments like HR, significant security gaps will open up, leaving the organisation vulnerable. Dealing with this starts at the service desk, and is not solely an ‘IT responsibility’. The service desk needs a standardised process ready, wherein a member of HR reports the staffing changes to a central system, which then automatically triggers a series of tasks. Most asset management tools now have the functionality to consolidate much of the leg work that sits behind these processes in terms of alerting teams and opening or closing down privileges, but strong procedures need to be agreed first.
2. Manage non-company owned devices
New phenomena such as bring-your-own-device (BYOD) and the proliferation of various personal devices on company networks make tracking who has access to your corporate network ever more challenging, especially when the company doesn’t own the device. Increasingly, these devices are accessing and retaining corporate data, and if you can’t see or identify a device you have no hope of controlling it.
3. Don’t forget cloud-based applications
Whilst these are not assets in a physical sense, regulating the use of non-standard cloud applications such as Dropbox, or similar, less regulated cloud storage, is critical. These consumer-grade applications are attractive when corporate tools aren’t up to the job, but allowing company data into these systems presents massive security flaws and potentially compromises privacy because of the Ts & Cs to which you can be bound on behalf of the company when clicking “I agree”. With strong asset management tools and processes in place you can implement policies that restrict the use of cloud-based applications and better protect your organisation’s data. Equally, measures that record user attempts to access such services are valuable: those attempts are a good indication that there is a genuine need for such services, so more secure solutions can be implemented as an alternative.
We’ve all read the horror stories of people leaving devices on trains or sensitive data making it into the public domain because of staff negligence. Protecting yourself against this and many other potential security vulnerabilities starts with robust asset management and sound intelligence on what devices you have accessing your systems. Only with this information reportable, centralised and at your disposal at the centre of a mature process can you begin to plug the potential gaps in your security posture.