Recent evidence of the new BlueKeep Windows vulnerability is an excellent and scary example of the need for enterprises to have thorough, accurate and current visibility into all the devices in use by their employees and contractors.Here’s a scenario that could happen: Joe Smith decides to work at home one night and rather than bringing home the most recent corporate-issued device, he uses an older corporate device with an earlier version of Windows – a device he was issued a few years earlier and ‘forgot’ to return. As it turns out BlueKeep is designed to exploit this version of Windows and does. Joe then sends an email into the corporate network. Another employee opens the email without paying close attention and BlueKeep has now made its way into the enterprise.This type of scenario,
unfortunately, is more common than one would think. Of all the assets at play
in an enterprise – hardware or software – an estimated 30%[1]
are considered ‘ghost’ assets. They are neither accounted for in any systematic
way, nor have they been vetted for potential security risks. Joe’s old device
is a perfect example of an asset that has gone into the Bermuda Triangle of
unmanaged and unsecured assets.
While enterprises focus on the
latest vulnerabilities like BlueKeep, the statistics reveal the day-to-day
management of assets falls short of the level of visibility needed to thwart
continued threats, whether it be ransomware, fileless malware, or denial of
service attacks. Here are a few enterprise statistics:
25%
still rely on Excel spreadsheets to track assets[2]
56%
verify asset location only once a year, while 10-15% verify only every five
years[3]
Staff
spends 10+ hours weekly to resolve data accuracy issues[4]
Nearly
66% of IT managers have an incomplete record of their IT assets[5]
Safe to say, these statistics do
not add up to optimal, best practices in asset management, or full support of
an enterprises’ threat prevention and security programs.Strengthening
Security through Asset ManagementEnterprises can take steps now
to better identify all assets at play, to free themselves from antiquated,
inefficient methods like spreadsheets and enforce access control policies that
protect against vulnerabilities and threats.The Center for Internet Security
(CIS) lists inventory and control of hardware and software assets as the top
two recommended basic controls. Automated, centralized IT asset management can
fulfill these recommendations by discovering rogue devices in use, either
purchased as ‘shadow IT,’ or old devices unprotected by enterprise security
software. This is essential to preventing a data breach or unwanted entry by a
threat.Consider these critical practices
for better IT asset management:Taking
Inventory. If
the typical enterprise has as much as 30% of its assets categorized as ‘ghost’
devices, that means an organization is enabling almost one-third of its assets
to contribute to costly risk. This is caused by the lack of a centralized,
focused discovery tool in place. An estimated 50% of organizations have more
than a dozen discovery tools, contributing to the chaos and creating
unnecessary staff time to try to make sense of asset inventory. Instead,
organizations can use technology capable of normalizing and reconciling data
sets, providing a single point of truth and ensuring accuracy.Getting Control. Employee onboarding and
offboarding are ripe opportunities for expensive asset waste. Unless an
enterprise has a modern IT asset management system in place, assets assigned to
a new employee may not be properly recorded or tracked. Conversely, when an
employee leaves, lack of stringent asset monitoring means devices – loaded with
proprietary software – may never be returned. This can be solved by:
Integration
of IT service management (ITSM) and asset management. enterprises can ensure, when a
help desk ticket is issued for a new employee, all assets assigned to that
employee are now recorded and, if an employee’s role changes, or they leave, the
asset record is updated This allows the asset to be more easily recovered for
future service.
Lifecycle tracking. Effective asset management is
helping IT control use of software and hardware assets throughout an asset’s
deployment. To provide employees with software patching updates, or new
versions of a program, is virtually impossible to execute via a spreadsheet. To
promote employee productivity, and avoid risk, an asset management solution can
accurately record that patching has been carried out on all relevant assets.
Managing
Licenses. Poor
tracking and management of assets can be a sinkhole of wasted expenditures. Without
an up-to-date accurate inventory, enterprises will overspend on assets. A
centralized IT asset management system should be able to give accurate
visibility into whether aging assets need to be retired. In some cases, asset
costs can far exceed their ROI, or their depreciation value. Additionally, this
complete knowledge enables enterprises to effectively plan and budget for new
assets.Optimizing software licenses is also
a major benefit of a modern IT asset management system.Audits are a driver here: it’s
not a question of if an enterprise
will be audited, but when. Software
not purchased, maintained, or licensed correctly places organizations at risk
of non-compliance. An advanced asset management system should be able to help
an enterprise negotiate more favorable licensing deals, eliminate over-buying
of licenses, minimize rogue purchases, and avoid fines associated with failed audits.Automation is the KeyEmployees today are working remotely, using mobile devices on
the road and occasionally using a device not vetted in any way by network
security. That means devices have vulnerable software that hasn’t been patched
and assets that will fail the compliance scrutiny of an audit.There is a fix. By integrating asset management and IT service
management, IT has the foundation it needs to secure data and prevent a breach
while managing the entire lifecycle of an asset, from onboarding through
reclamation.Managing assets in an efficient manner is the key to enterprise
digital success. Technology trends like the Internet of Things device growth
and cloud-based workloads are making more complex to discover all the tools an
enterprise is using day-to-day. Thorough IT asset management is the place to
start when bringing this complexity under control.
There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]
It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
