Interested in improving cyber security with SAM? Here’s how to do it

Software licensing is often seen as a cost-minimising function of IT management. But what often remains overlooked is the importance of software asset management (SAM) for driving successful digital transformation and improving cyber security.

Our recent research revealed that cyber security is a key concern for IT and business decision makers when it comes to driving digital transformation, with two thirds of decision makers worrying about data protection (33%), loss and recovery (29%) and getting qualified personnel (28%).

The truth is that even the best intentions can expose your business to security vulnerabilities if transformation programmes not backed up by a firm understanding of where all of the company’s software assets reside, how they are being used, and who needs access to them.
When integrated with cyber security policies, SAM and information security tools can become mutually reinforcing, helping improve your business’ resilience to cyber threats. However, when SAM is overlooked, it could open your organization to cyber security vulnerabilities.


Here is a list of some of the most common cyber security risks arising from poor SAM and how to address them:

  • Using outdated software: Research from the security firm Avast revealed that 52% of the most popular PC applications around the world are out of date, exposing individuals and SMEs to security vulnerabilities. Outdated software applications are not equipped with the latest security patches and updates to address emerging security threats. As a result, they are easier to hack should they become targets of a malicious attack.
  • SAM can help minimise this risk by identifying outdated software and enabling IT managers to take action at upgrading old applications. Upgrading outdated software reduces the exposure to vulnerabilities through effective patch management processes and validating access controls. To be able to do this, SMEs need to establish effective software auditing practices that provide them with a transparent view of all software assets within the business and how they are being used.
  • Relying on old hardware: While software typically poses greater security risk than hardware, many hardware vulnerabilities actually arise from software issues. Unfortunately, many SMEs still reply on old computers, routers and laptops that don’t have important built-in security features, such as Unified Extensible Firmware Interface (UEFI) with Secure Boot, a self-healing basic input/output system (BIOS) and self-encrypting drives. While these features can’t prevent security threats on their own, they greatly improve the security of business and personal computers. This is why it’s important that businesses adopt a holistic view of their IT assets inventory and view SAM in connection to the rest of the IT assets of the business. Only by unearthing the vulnerabilities that lie within both software and hardware systems, can SMEs ensure their cyber security defenses are strong.
  • Allowing unauthorized software: Recent data shows that on average one out of four employees has installed software on their business computer that was not approved by the IT department. Using unauthorized software can have many negative applications for businesses – from the legal risk of getting embroiled in a lawsuit for licensing terms infringement through to incurring fines and creating cyber security risks. Unauthorised software can oftentimes contain malicious software, such as Trojans, viruses or spyware, which can crash the IT systems or provide unauthorized access to confidential business data. Another issue is that pirated copies downloaded from questionable websites or peer-to-peer networks often do not provide security updates, opening up the corporate network to security vulnerabilities.
  • To mitigate this risk, SMEs should create a catalogue of software that has been approved by IT from both a functionality and a security perspective, and establish a formal request process. This approach will help prevent unauthorised software from being installed and will allow IT managers to detect and remove unwanted and unsupported software.
  • Lack of effective software retirement processes: Many businesses focus most of their SAM efforts on acquiring and managing the use of software assets and put less emphasis on the process of retiring redundant applications. This can potentially expose the business to security risk as unused software applications often go ‘under the radar’ of SAM management policies and can become a source of security vulnerabilities.
  • To overcome this challenge, SMEs should establish an end of product/agreement lifecycle which includes clear rules for retiring old software applications and transitioning from one vendor to another. Using SAM management tools to identify software that approaches end of life will give IT managers more time to prepare their next move and replace critical applications in a seamless manner.
  • Poor IT security policies: There is a lot of data that suggests that people are the weakest link within organisations’ cyber security strategies. In fact, a recent report revealed that 78% of security professionals think the biggest threat to endpoint security is the negligence among employees for security practices. This is a big concern for businesses.
  • To be able to address this challenge, SMEs should ensure they have effective internal policies for software use and awareness training that helps new and existing employees understand the impact of their software use on the business. Quite often the biggest security threats resulting from employee actions result from a lack of awareness of the security implications of those actions, not from deliberate malicious intent.

It’s important that SMEs understand the true impact of SAM on their cyber security strategies and take adequate measures to integrate SAM into their cyber security policies. SAM can play a key role in providing full transparency into existing software assets, monitoring their use, and helping to ensure that appropriate security measures exist around them. This could help spot potential security vulnerabilities ahead of time and enable IT managers to take effective action to prevent them.