By Phil Packman, CISO, commercial contracts, BT
When everything appears to be ticking over in an organisation’s IT estate it’s easy to assume that its asset awareness strategy is up to scratch. Then a major incident hits and all kinds of organisations discover they don’t know what’s on their network, what risk these assets pose or how to mitigate the threats. Lack of asset awareness delays critical incident responses and allows threats to spread across networks, amplifying damage to organisations and disrupting business. This is why real-time asset discovery should be high on the agenda of every CIO and CISO.
Asset discovery goes beyond security
While incidents like WannaCry were a wake-up call for most security teams, the deficiencies they highlight have wider consequences we shouldn’t ignore. Yes, from a security point of view you need to know what’s plugged into your network and what you’re accountable for, but asset assessment is also vital for compliance, cost and management reasons.
Insufficient asset knowledge means you don’t know where your data is and can easily result in non-compliance with regulatory mandates such as GDPR, HIPAA, PCI, FISMA and many more, triggering heavy fines. Added to this, an inability to track software and hardware accurately through an up-to-date inventory has significant cost implications, too. You could be wasting money by paying for too many licenses, or not paying for enough. For example, one client we worked with turned out to be paying for hundreds of thousands of pounds’ worth of licensing they didn’t need.
An inaccurate inventory also leaves you open to paying to support and operate unnecessary assets. When we run inventory exercises, for instance, we often discover a whole load of equipment still powered on, unnecessarily consuming electricity and taking up valuable data space.
From a management point of view, an accurate picture of your assets is essential to identifying technology that needs to be refreshed or replaced if it’s coming to the end of its life. And without this accurate picture, you’ll struggle to work out how you can best consolidate your supplier contracts.
A healthy network knows its vulnerabilities
WannaCry underlined the fact that, where network discovery is concerned, some visibility is effectively no visibility. Not only is that one device that’s missing from your asset inventory an easy entry point for hackers to get into your network, it’s also a point of potential network failure due to a lack of device health information, monitoring or support. Yet, according to Gartner [1], half of enterprises only perform asset management once a year and 20% only once every five years.
Asset management becomes even more vital when you remember that devices are joining your network all the time, introducing more vulnerabilities – from vending machines to air conditioning systems, the Internet of Things (IoT) is increasing the volume of devices on your network exponentially. And to this you have to add the threats posed by the creep of shadow IT devices onto your network. The picture gets even bleaker when you consider that less than 10% [2] of new devices connecting to corporate networks will be manageable by traditional methods by 2020.
Futureproof your asset discovery
In our experience, businesses look to asset discovery services for a variety of reasons. Some aren’t confident that their inventory is complete. Others are concerned the information in their database is inaccurate or is spread across a variety of systems, only some of which automatically update. And, in some cases, the listing is complete and correct, but it doesn’t include all the attributes they need to report on.
Businesses should therefore look to partner with a managed service company that is able to provide a full-suite offering. One example is a company that builds and controls its own networks and therefore has visibility across them, as well as access to everything on them. Such a company would then be able to use the data available to it to build a comprehensive picture of assets, automating and orchestrating the discovery of devices on a network. Not only does this deliver an inventory that’s always up to date, but the client business will be better able to put policies in place that identify any new device being plugged into its network. The client business can then isolate and control the device, moving it from its critical assets into a different and suitable segment based on its business.
With news and reports of security breaches hitting the headlines every week, and as a growing number of network advances rely on a solid inventory database to function, full asset discovery and managed security services are increasingly emerging as new ways of managing assets that are specifically designed to meet the challenges of today, as well as those of the future.
1. Gartner, Market Guide for Operational Technology Security, 2017
2. ForeScout Technologies, Internet of Things Solution Brief, 2017