Software asset management (SAM) is a holistic approach to managing your software throughout its lifecycle, from the moment your organisation decides to purchase a piece of software to the point where the software is obsolete or no longer used, at which point it needs to be removed from all computers and systems.
There are many benefits to implementing software asset management, some of which are discussed here. Not the least of these is reducing your cyber-security risk. Below are some ideas and actions for implementing software asset management that will significantly enhance your cyber-security.
One of the great things about the internet is the ease with which businesses and organisations can access and download software that benefits their business. However, software downloaded this way can be a significant source of malware, whether from deliberate malware infections included in the software application files, or from worms infecting the download web-site itself.
Tempting though it is to allow employees to pay for and download software as and when they need it, the decision regarding which software to allow on your computer systems is one which shouldn’t be left to just anyone – it’s too dangerous.
Put in place systems that enable employees to request the software they need. Have single points of contact for the purchase and download of software – people who are aware of the risks and can make an informed judgement on whether to allow the software into the organisation. The priority is to ensure suspicious software and web sites are identified BEFORE malware is accidentally downloaded.
Another common source of malware is unlicensed software. Although software may look legitimate, it can come pre-infected with malware, and will not be eligible for the software patches and bug-fixes regularly produced by software publishers.
For example, within the last ten years, both the Conficker worm and the Citadel botnet posed the greatest risk to users who were either downloading unlicensed software or using PCs containing unlicensed versions of Microsoft Windows that came pre-infected with the malware.
These days the biggest risk is from employees purchasing illicit software on the internet using their credit cards. Have a policy that all software must be purchased by an authorised employee from a legitimate reseller. The software should be paid for either through a standard invoicing process or with a corporate credit card.
To reinforce your software procurement policies and further reduce the likelihood that employees purchase software and IT services using their own credit cards, have a policy – which is strictly enforced – that employees are NOT able to claim purchases of software or other IT services as a business expense.
It is difficult to exert control over assets which you aren’t aware of! Although regular audits can be time consuming and costly, they are important to ensure you have a complete inventory of your hardware, software and cloud services. Your IT Asset Inventory needs to be compiled from two angles:
The pain of IT audits can be eased through the use of specialist IT asset management (ITAM) tools. Many commercial tools are on the market, and there are open source ones available too. Be aware that despite the claims of the ITAM tool vendors, one size does NOT fit all, and you may need to leverage other tools (for instance mobile device management tools) and vendor portals (e.g. for cloud services) to get a complete picture of your estate.
The complexity of software code means that software publishers are constantly finding bugs and vulnerabilities within even the best designed software. Some even employ former hackers to constantly test and probe their applications for vulnerabilities, so they can be fixed before they cause problems for customers!
Ensuring you are protecting ALL your hardware and virtual servers with anti-virus software is also critical, as is implementing firewalls and other tools to keep malware and suspicious files out of your organisation – this becomes much easier when you have an accurate inventory of hardware, software, cloud services and mobile devices used within your business.
Keeping on top of patches and upgrades can be time consuming and resource intensive, but it is important to ensure your organisation stays safe. Knowing exactly what hardware and software is in your environment is a critical first step in implementing an effective patch management process. The benefits of an IT Asset Management tool are not restricted to helping you audit your estate! It can also be used to identify unpatched or out-of-date software and to ensure that anti-virus software is installed on every piece of equipment that requires it.
Your digital surface area is a term used to cover the technology in your organisation that is connected to the outside world and which can make your organisation vulnerable to cyber-threats. As all businesses become technology companies, their digital surface area is expanding, and while that’s vital for business success in the 21st century, it is something which needs to be controlled tightly.
Just as vital as implementing controls over how software and cloud services are introduced into the organisation is identifying and removing old, unused or obsolete software.
Many software publishers only provide patches and bug fixes for their software for a limited period (usually 10 – 15 years), after which hackers have free rein to exploit any vulnerabilities they identify in the software. This is one reason why the WannaCry worm was so devastating for some organisations but not for others – it targeted machines running an out-of-date operating system, so organisations with poor software management who had not updated their software were particularly vulnerable.
Using the data from your software audit you can identify not just obsolete hardware that can be disposed of, but also older software that may no longer be supported by its vendor. Work with the employees who use the software and services to understand how they use it and whether they could move to a more up-to-date alternative.
Deleting old or unused software reduces the expense and resources required to patch and maintain older software, as well as reducing your overall cyber-risk.
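The two uses of audit data described above (spotting unpatched or unprotected machines, and spotting software past its vendor's support period) come down to reconciling the inventory export against a support policy. The following is an added example of that reconciliation, not code from the original article or from any ITAM product: the inventory rows, the product names, the end-of-support dates and the minimum patched versions are all constructed sample data. Assets whose product has no entry in the policy table are reported as "unknown-product" rather than silently passed, because an inventory line you cannot judge still needs a manual decision.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed ITAM export, in the shape a tool might produce (host,product,version,antivirus).
SAMPLE_INVENTORY = """host,product,version,antivirus
ws-001,ExampleOS 6,6.1.7600,yes
ws-002,ExampleOS 10,10.0.19045,yes
srv-db1,OfficeSuite,16.0.3,no
ws-003,UnlistedTool,2.4,yes
"""

# Constructed support policy: product -> vendor end-of-support date and the
# lowest version that carries the current patch level. Hypothetical values.
SUPPORT_POLICY = {
    "ExampleOS 6": {"end_of_support": date(2020, 1, 14), "min_patched": (6, 1, 7601)},
    "ExampleOS 10": {"end_of_support": date(2025, 10, 14), "min_patched": (10, 0, 19045)},
    "OfficeSuite": {"end_of_support": date(2030, 10, 14), "min_patched": (16, 0, 5)},
}

# Fixed review date so the example is reproducible.
REVIEW_DATE = date(2024, 1, 1)


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple
    antivirus: bool


def parse_version(text):
    """'6.1.7600' -> (6, 1, 7600); non-numeric pieces become 0 so tuples stay comparable."""
    return tuple(int(piece) if piece.isdigit() else 0 for piece in text.split("."))


def parse_inventory(csv_text):
    """Read inventory rows into Asset records; the antivirus column is 'yes'/'no'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Asset(
            host=row["host"].strip(),
            product=row["product"].strip(),
            version=parse_version(row["version"].strip()),
            antivirus=row["antivirus"].strip().lower() == "yes",
        )
        for row in reader
    ]


def review_inventory(assets, policy, today):
    """Return {host: [finding, ...]} for every asset with at least one issue.

    Findings: end-of-support (vendor no longer patches it), unpatched (below the
    minimum patched version), no-antivirus, unknown-product (not in the policy
    table, so it cannot be judged automatically and needs a manual decision).
    """
    findings = {}
    for asset in assets:
        issues = []
        rule = policy.get(asset.product)
        if rule is None:
            issues.append("unknown-product")
        else:
            if today > rule["end_of_support"]:
                issues.append("end-of-support")
            if asset.version < rule["min_patched"]:
                issues.append("unpatched")
        if not asset.antivirus:
            issues.append("no-antivirus")
        if issues:
            findings[asset.host] = issues
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_inventory(parse_inventory(SAMPLE_INVENTORY), SUPPORT_POLICY, REVIEW_DATE)


if __name__ == "__main__":
    for host, issues in sorted(run_review().items()):
        print(f"{host}: {', '.join(issues)}")
```

In practice the policy table is the part that takes effort to maintain: vendor end-of-support dates and current patch levels change, so treat it as a living record fed from vendor lifecycle pages rather than something written once. The version comparison is a plain tuple comparison, which is enough for dotted numeric versions but would need a proper parser for vendors whose version strings carry letters or build tags.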
Below are the top 10 software asset management actions you can take to minimise your organisation’s cyber risks. Implement most or all of these actions and you’ll have gone a long way towards defending your organisation against cyber-threats.