Virtually every business has an IT asset of some kind. From the smallest “mom and pop” grocery store to the biggest multinational conglomerates, you will find all types of digital devices, cloud-based tools, on-prem software, and more. In short, information technology has become an inseparable part of life for businesses of all sizes.
However, another common theme for many businesses (even very large and successful ones) is the complete lack of an IT asset management strategy. What is IT asset management? How does managing IT assets help companies protect themselves? Why should your own company care about IT asset management?
What is IT Asset Management?
IT asset management (or ITAM) is how organizations account for, process, maintain, and deploy all of the IT devices in their organization. ITAM is a critical part of any cybersecurity plan, as it’s important to know what assets are present on a network before you create your security plan.
Some companies have highly developed IT asset management plans that carefully log each device or software solution introduced to the network and monitor it throughout its full life cycle. Others have bare-bones IT asset management policies and procedures, or none at all.
Why Should I Care about IT Asset Management?
You might be wondering why it’s important to keep track of all the IT assets your company uses. Having this inventory of your available resources is crucial for creating an accurate network map that you can use in your cybersecurity strategy.
In cybersecurity circles, there’s a specific type of risk called “shadow IT.” Put simply, this is the use of IT assets that are not accounted for in the company’s overall cybersecurity plan. It is considered a risk because unknown IT assets on the network could have vulnerabilities that expose your company to data breaches and other cyber threats.
IT Asset Management Example #1: The Eatery’s Outdated OS
CSO Online illustrated the potential issue with an anecdote. To paraphrase it, a deli had a point-of-sale terminal that stopped working one day, and the story’s writer (Robert C. Covington, a CIO and founder of togoCIO.com) saw that it was running the Windows XP operating system (OS), an OS that Microsoft had long since stopped supporting and providing security patches for.
Why was this a problem? Because, with security patches that were years out of date, the terminal could easily be cracked by a hacker and used to steal all kinds of data—including customers’ credit card information. This would have opened the doors for a major scandal had the outdated OS not been caught and replaced in time.
Thankfully, however, the issue was caught, and the deli made a quick fix to their IT asset management strategy to replace the outdated system with some newer (and more secure) technology.
IT Asset Management Example #2: Breaking the Bank with an IT Asset Oversight
This older story about JPMorgan Chase bank (now known as Chase) dates back to 2014, but it’s an excellent example of how overlooking IT assets in your system can lead to a data breach. According to a story reported by The New York Times:
“Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme… That left the bank vulnerable to intrusion.”
The bank had acquired numerous legacy systems through various mergers with other banks—such as their acquisition of Washington Mutual. Despite spending hundreds of millions of dollars on cybersecurity, the bank’s network map was apparently incomplete, as this one set of servers was not accounted for in the company’s IT asset management strategy.
Using login credentials stolen from a JPMorgan Chase employee, hackers were able to break into the bank’s systems. From there, they were able to steal some customers’ contact information and some other data. This attack would have been stopped in its tracks had the two-factor authentication solution been present on the servers used for the hack. However, this one unaccounted-for server gave the attackers an easy way in.
The lesson from these two tales? Information security requires having a complete set of information about your network!
What Can You Do to Improve Your IT Asset Management?
The first thing you should do, especially if you haven’t done it in a while (or have never done it before), is to conduct a thorough audit of all the IT assets on your network. What resources do you use? Do employees bring in their own computing devices? What cloud-based services do you use? Having a complete network map is crucial for managing your IT assets.
Next, you should consider creating an IT asset disposition (ITAD) strategy for retiring obsolete assets that you won’t be able to use securely anymore. Any hardware that you retire should have its data storage media thoroughly wiped or physically shredded to ensure that hackers can’t get their hands on the data within.
Meanwhile, obsolete software that isn’t being supported with new security patches and updates should be replaced with newer solutions that can fill the same functions, if possible. Older software may have vulnerabilities that are well known to cybercriminals but remain unfixed because the original developer has stopped releasing security updates. Having an IT asset disposition strategy can help minimize risks and keep your systems running at peak efficiency and safety.
Another thing you should do is establish a comprehensive changelog for your network infrastructure: a master document that lists all current IT assets and their statuses, which you can review and share with your cybersecurity team. Having written documentation of your network map and the ways in which you protect IT assets can be very beneficial for protecting your business (and for dealing with regulators later).
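The audit described above, as an added example that is not part of the original article: it reconciles the master asset document against what is actually seen on the network and flags the problems from the two stories (an unsupported OS, a server without two-factor authentication) plus unknown and retired devices. The CSV columns, host names, MAC addresses, finding labels and the unsupported-OS list are all constructed assumptions.

```python
import csv
import io

# Constructed sample of the "master document": one row per known asset.
INVENTORY_CSV = """mac,hostname,os,mfa_enforced,status
00:11:22:33:44:01,pos-terminal-1,Windows XP,n/a,active
00:11:22:33:44:02,file-server-1,Windows Server 2022,yes,active
00:11:22:33:44:03,merger-srv-1,Ubuntu 22.04,no,active
00:11:22:33:44:04,old-laptop-7,Windows 10,yes,retired
00:11:22:33:44:05,printer-2,n/a,n/a,active
"""

# Constructed discovery result: MAC addresses observed on the network,
# in the mixed formats that different tools tend to emit.
DISCOVERED = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
              "00-11-22-33-44-04", "00:11:22:33:44:9F"]

# Assumption: a locally maintained list of operating systems without vendor patches.
UNSUPPORTED_OS = {"windows xp"}

def norm(mac):
    """Normalise a MAC address so inventory and scan entries compare equal."""
    return mac.strip().lower().replace("-", ":")

def load_inventory(text):
    return {norm(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}

def audit(inventory, discovered):
    """Return sorted (mac, finding) pairs; unknown assets are listed first."""
    seen = {norm(m) for m in discovered}
    # Devices on the network that nobody recorded: shadow IT candidates.
    findings = [(mac, "unknown-asset") for mac in sorted(seen - set(inventory))]
    for mac, row in sorted(inventory.items()):
        active = row["status"].strip().lower() == "active"
        if not active:
            if mac in seen:  # disposition was not completed
                findings.append((mac, "retired-but-online"))
            continue
        if mac not in seen:  # the record may be out of date
            findings.append((mac, "inventory-stale"))
        if row["os"].strip().lower() in UNSUPPORTED_OS:
            findings.append((mac, "unsupported-os"))
        if row["mfa_enforced"].strip().lower() == "no":
            findings.append((mac, "mfa-missing"))
    return findings

if __name__ == "__main__":
    for mac, finding in audit(load_inventory(INVENTORY_CSV), DISCOVERED):
        print(f"{mac}  {finding}")
```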
Need help with IT asset management and with protecting your business from cybercriminals? Contact ideaBOX and learn more about how you can keep your company cyber secure.