Use Software Asset Management to reduce your cyber risks
Software asset management (SAM) is a holistic approach to managing your software throughout its lifecycle, from the moment your organisation decides to purchase a piece of software to the point where the software is obsolete or no longer used, at which point it needs to be removed from all computers and systems.
There are many benefits to implementing software asset management, some of which are discussed here. Not the least of these is reducing your cyber-security risk. Below are some ideas and actions for implementing software asset management that will significantly enhance your cyber-security.
Implement formal approval processes for all new software
One of the great things about the internet is the ease with which businesses and organisations can access and download software which benefits their business. However, software downloaded this way can be a significant source of malware, whether from malware deliberately included in the application files or from worms infecting the download website itself.
Tempting though it is to allow employees to pay for and download software as and when they need it, the decision regarding which software to allow on your computer systems is one which shouldn’t be left to just anyone – it’s too dangerous.
Put in place systems that enable employees to request the software they need. Have single points of contact for the purchase and download of software – people who are aware of the risks and can make an informed judgement on whether to allow the software into the organisation. The priority is to ensure suspicious software and websites are identified BEFORE malware is accidentally downloaded.
Buy software from legitimate resellers to avoid malware
Another common source of malware is unlicensed software. Although software may look legitimate, it can come pre-infected with malware, and will not be eligible for the software patches and bug-fixes regularly produced by software publishers.
For example, within the last ten years, both the Conficker worm and the Citadel botnet posed the greatest risk to users who were either downloading unlicensed software or using PCs containing unlicensed versions of Microsoft Windows pre-infected with the malware.
These days the biggest risk is from employees purchasing illicit software on the internet using their credit cards. Have a policy that all software must be purchased by an authorised employee from a legitimate reseller. The software should be paid for either through a standard invoicing process or with a corporate credit card.
To reinforce your software procurement policies and further reduce the likelihood that employees purchase software and IT services using their own credit cards, have a policy – which is strictly enforced – that employees are NOT able to claim purchases of software or other IT services as a business expense.
Regularly audit your IT Assets
It is difficult to exert control over assets which you aren’t aware of! Although regular audits can be time consuming and costly, they are important to ensure you have a complete inventory of your hardware, software and cloud services. Your IT Asset Inventory needs to be compiled from two angles:
- What you own – that is hardware, software and cloud services you’ve paid for
- What you are using – bear in mind that, as well as the hardware, software and cloud services purchased and paid for by the business, you might find employees using private mobile devices to access your systems, software that has been downloaded without being paid for, and ‘shadow’ cloud services purchased with a private credit card; all of this needs to be identified as part of the audit process
The pain of IT audits can be eased through the use of specialist IT asset management (ITAM) tools. Many commercial tools are on the market, and there are open source ones available too. Be aware that despite the claims of the ITAM tool vendors, one size does NOT fit all, and you may need to leverage other tools (for instance mobile device management tools) and vendor portals (e.g. for cloud services) to get a complete picture of your estate.
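The two-angle audit described above is, in practice, a reconciliation: the list of what you have paid for is compared against what discovery finds installed, and every mismatch is a question to answer. The script below is an added example (not from the article or any ITAM vendor) that performs that reconciliation on constructed data: `OWNED` stands in for purchase records, `DISCOVERED` for a per-host inventory export from an ITAM or MDM tool, and the product names, hostnames and seat counts are invented. It reports software in use that was never bought, licences that nobody is using, products deployed on more machines than seats were paid for, and installs seen on devices the organisation does not manage.

```python
"""Reconcile 'what you own' against 'what you are using'.

Added example, not from the original article. All data below is constructed:
OWNED mimics purchase/licence records (product -> seats paid for) and
DISCOVERED mimics a software inventory exported from an ITAM/MDM tool.
"""
from collections import defaultdict

# Constructed purchase records: product name -> number of seats paid for.
OWNED = {
    "Acme Office Suite": 50,
    "Acme Drawing Tool": 5,
    "CorpVPN Client": 60,
    "Acme Backup Agent": 10,   # bought, but never rolled out (shelfware)
}

# Constructed discovery export: (hostname, product, version, device_is_managed).
# Note the inconsistent spelling on ws-003 and the six Drawing Tool installs.
DISCOVERED = [
    ("ws-001", "Acme Office Suite", "12.1", True),
    ("ws-002", "Acme Office Suite", "12.1", True),
    ("ws-003", "acme  office suite", "11.0", True),
    ("ws-001", "Acme Drawing Tool", "3.4", True),
    ("ws-002", "Acme Drawing Tool", "3.4", True),
    ("ws-003", "Acme Drawing Tool", "3.4", True),
    ("ws-004", "Acme Drawing Tool", "3.4", True),
    ("ws-005", "Acme Drawing Tool", "3.4", True),
    ("ws-006", "Acme Drawing Tool", "3.4", True),
    ("ws-005", "FreeDownload Archiver", "1.0", True),   # downloaded, never bought
    ("phone-jo", "CorpVPN Client", "2.0", False),       # private device on the VPN
]


def normalise(name):
    """Fold case and whitespace so 'acme  office suite' matches the purchase record."""
    return " ".join(name.lower().split())


def reconcile(owned, discovered):
    """Compare purchase records with discovered installs and return the discrepancies."""
    installs = defaultdict(set)   # normalised product -> set of hosts it was found on
    unmanaged_hosts = set()
    for host, product, _version, managed in discovered:
        installs[normalise(product)].add(host)
        if not managed:
            unmanaged_hosts.add(host)

    owned_norm = {normalise(name): seats for name, seats in owned.items()}
    return {
        # In use but no purchase record: unlicensed or shadow software.
        "unowned": sorted(p for p in installs if p not in owned_norm),
        # Paid for but not found anywhere: wasted spend, or discovery gaps.
        "unused": sorted(p for p in owned_norm if p not in installs),
        # More distinct hosts than seats: (installs, seats) per product.
        "over_deployed": {
            p: (len(hosts), owned_norm[p])
            for p, hosts in installs.items()
            if p in owned_norm and len(hosts) > owned_norm[p]
        },
        # Devices the organisation does not control but which run its software.
        "unmanaged_hosts": sorted(unmanaged_hosts),
    }


if __name__ == "__main__":
    for category, items in reconcile(OWNED, DISCOVERED).items():
        print(f"{category}: {items}")
```

Each category maps to a follow-up from the article: `unowned` entries go to the software approval process, `over_deployed` to procurement, and `unmanaged_hosts` to the acceptable-use and mobile device policies. Real ITAM exports need more normalisation than case and whitespace (publisher prefixes, edition suffixes, version strings in the product name), which is where a dedicated tool earns its keep.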
Patch and maintain your software and hardware
The complexity of software code means that software publishers are constantly finding bugs and vulnerabilities within even the best designed software. Some even employ former hackers to constantly test and probe applications to find vulnerabilities, so they can be fixed before they cause problems for customers!
Ensuring you are protecting ALL your hardware and virtual servers with anti-virus software is also critical, as is implementing firewalls and other tools to keep malware and suspicious files out of your organisation – this becomes much easier when you have an accurate inventory of hardware, software, cloud services and mobile devices used within your business.
Keeping on top of patches and upgrades can be time consuming and resource intensive, but it is important to ensure your organisation stays safe. Knowing exactly what hardware and software is in your environment is a critical first step in implementing an effective patch management process. The benefits of an IT Asset Management tool are not restricted to helping you audit your estate! It can also be used to identify un-patched or out of date software and to ensure that anti-virus software is installed on every piece of equipment that requires it.
Minimise your digital surface area
‘Digital surface area’ is a term for the technology in your organisation that is connected to the outside world and which can make your organisation vulnerable to cyber-threats. As all businesses become technology companies, their digital surface area is expanding, and while that’s vital for business success in the 21st century, it is something which needs to be controlled tightly.
Just as vital as implementing controls over how software and cloud services are introduced into the organisation is identifying and removing old, unused or obsolete software.
Many software publishers only provide patches and bug fixes for their software for a limited period (usually 10 – 15 years), after which hackers have free rein to exploit vulnerabilities they identify in the software. This is one reason why the WannaCry worm was so devastating for some organisations but not for others – it targeted machines using an out of date operating system, so organisations with poor software management who had not updated their software were particularly vulnerable.
Using the data from your software audit you can identify not just obsolete hardware that can be disposed of, but also older software that may no longer be supported by software vendors. Work with the employees who use the software and services to understand how they use it and whether they could start using a more up-to-date alternative.
Deleting old or unused software reduces the expense and resources required to patch and maintain older software, as well as reducing your overall cyber-risk.
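The patching section above asks an asset inventory to answer three questions per machine: is anti-virus present, is each product on its vendor's current version, and has the vendor stopped supporting it at all? This section adds the third question's consequence, that out-of-support software should be removed rather than patched. The script below is an added example (not from the article or any tool it mentions) that runs those checks over a constructed inventory. `SUPPORT` stands in for a vendor support register, `HOSTS` for what an ITAM tool would hold per host, and every product name, version and end-of-support date is invented; the audit date is fixed so the output is reproducible.

```python
"""Flag hosts that are unpatched, out of support, or missing anti-virus.

Added example, not from the original article. SUPPORT and HOSTS are
constructed data; product names, versions and dates are invented.
"""
from datetime import date

# Fixed audit date so the example gives the same answer every run.
AUDIT_DATE = date(2024, 6, 1)

# Constructed vendor support register: product -> (latest version, end-of-support date).
SUPPORT = {
    "ModernOS": ("11.4", date(2030, 1, 1)),
    "LegacyOS": ("5.2", date(2020, 1, 14)),
    "Acme Office Suite": ("12.1", date(2027, 12, 31)),
    "Acme Office Suite 2009": ("9.8", date(2019, 4, 9)),
}

# Constructed per-host inventory as an ITAM tool might hold it.
HOSTS = {
    "ws-001": {"os": ("ModernOS", "11.4"),
               "apps": [("Acme Office Suite", "12.1")], "antivirus": True},
    "ws-002": {"os": ("ModernOS", "11.2"),
               "apps": [("Acme Office Suite", "12.1")], "antivirus": False},
    "srv-legacy": {"os": ("LegacyOS", "5.2"),
                   "apps": [("Acme Office Suite 2009", "9.8")], "antivirus": True},
    "ws-003": {"os": ("ModernOS", "11.4"),
               "apps": [("FreeDownload Archiver", "1.0")], "antivirus": True},
}


def version_tuple(version):
    """Turn '11.2' into (11, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess_host(host, support, today):
    """Return a list of findings for one host; an empty list means compliant."""
    findings = []
    if not host["antivirus"]:
        findings.append("no anti-virus installed")
    for product, version in [host["os"]] + host["apps"]:
        entry = support.get(product)
        if entry is None:
            # Unknown to the support register: cannot be patched by policy.
            findings.append(f"{product} {version}: not in support register, treat as unknown risk")
            continue
        latest, end_of_support = entry
        if end_of_support < today:
            # Out of support: no fixes will ever arrive, so patching is not an option.
            findings.append(f"{product} {version}: out of support since "
                            f"{end_of_support.isoformat()}, remove or replace")
        elif version_tuple(version) < version_tuple(latest):
            findings.append(f"{product} {version}: behind supported version {latest}, patch")
    return findings


def assess_estate(hosts, support, today):
    """Assess every host; returns hostname -> list of findings."""
    return {name: assess_host(data, support, today) for name, data in hosts.items()}


def hosts_needing_action(hosts, support, today):
    """Hostnames with at least one finding, sorted for a stable work list."""
    return sorted(name for name, findings in assess_estate(hosts, support, today).items() if findings)


if __name__ == "__main__":
    for name, findings in assess_estate(HOSTS, SUPPORT, AUDIT_DATE).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The three outcomes deliberately differ: a version behind the vendor's latest is a patching task, an end-of-support date in the past is a decommissioning task, and a product absent from the support register is a gap in the inventory process itself. Real version strings are messier than dotted integers (build tags, letters, vendor-specific schemes), so a production check would use a proper version-parsing library rather than this simplified comparison.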
Your cyber-security checklist
Below are the top 10 software asset management actions you can take to minimise your organisation’s cyber risks. Implement most or all of these actions and you’ll have gone a long way to defending your organisation against cyber-threats.
- Get the buy-in of top management in your organisation for software asset management – being clear about the benefits for cyber-security will help justify the resources required
- Have clear roles and responsibilities; while one person should be accountable for cyber-security, ALL employees and IT staff need to be clear on their obligations when it comes to keeping the organisation safe
- Develop written policies that cover the procurement, maintenance and decommissioning of software and cloud services
- Have a specific ‘acceptable use’ policy for non-IT employees so they are clear about their responsibilities for looking after IT equipment, requesting software and cloud services and how they should use IT systems and services such as email and the internet
- Don’t give employees administrator rights on their IT equipment; this will limit their ability to download and install unlicensed or privately purchased software
- Only procure software from legitimate sources – these should be certified by the software publisher, so you can be certain the software is safe to download and properly licensed
- Keep records of all the hardware and software that you own as well as your cloud services subscriptions. This will allow you to check records of what you use against what you own and identify any discrepancies that might indicate problems or unsafe processes. Specialist IT Asset Management tools can act as a data repository for IT asset records, and help reconcile your records of what you own and what you are using.
- Regularly audit the hardware, software and cloud services in use within your organisation – your IT Asset management tools can assist with this but do be aware that you will probably also need to pull data from other sources such as cloud service portals.
- Check that software is patched and maintained on a regular basis, and that all machines have anti-virus software installed – an IT Asset Management tool can be invaluable in verifying that your IT systems are up to date and well maintained
- Identify unused, old and obsolete software (again, an IT Asset Management tool can help with this), delete what you can, and work with employees to migrate older systems onto upgraded or replacement systems where needed, after which the now-obsolete system should be deleted to ensure it doesn’t become a back-door into the organisation.