Technology is becoming more sophisticated and advancing businesses of all sizes every day. So much so that companies are increasing their IT budgets to keep up with customers, competitors, and industry demands. In fact, according to SpiceWorks’ 2019 State of IT report, 89% of businesses expect IT budgets to grow or remain steady this year. Furthermore, increased cybersecurity concern is the third leading factor (56%) for increased IT budgets.
While it’s encouraging to see that IT decision makers are concerned about cybersecurity, you can’t secure a network if you don’t know what’s on it. Whether you plan on investing in new software or hardware for your organization, you first need to know what technology exists in your environment before you can safely move forward.
This installment of our cybersecurity best practices series will focus on the importance of environment assessments and asset management. The last piece in this series discussed assessing the data you’re storing within your environment, but today we’ll look at the software and hardware which data is being stored in.
Understand Your Asset Infrastructure
A consistent asset management program keeps track of your entire infrastructure on an ongoing basis—it inventories the contents and activities of your existing servers, changes in compliance mandates, and the security features of your network. Asset management keeps you up to date on everything in your environment so that you know what to secure and where you’re vulnerable to potential threats.
To begin, you’ll need to conduct a thorough environment assessment to identify and classify every element of your network. Once completed, every asset should be classified by the data it stores, the duties it performs, and where it exists on your network. The classifications should reflect the unique characteristics of your business as well, such as business criticality.
It’s not just computers and servers which you need to look at. A comprehensive environment assessment incorporates every device connected to your network, publicly or privately accessible. It includes smart devices that provide physical security functions—such as security cameras or biometric scanners—as well as smart controls for electricity and other utilities. It also accounts for peripheral devices like printers, faxes, scanners, and external hard drives, as well as your employees’ personal phones, tablets, and laptops when connected to your network.
Networks are inherently volatile. As your business buys new equipment or disconnects older items, upgrades capabilities or forges new connections with customers, vendors, and employees, your asset landscape changes. Asset management is a continual project—not a one-and-done analysis.
Identify Cybersecurity Weaknesses
During the assessment, you also need to identify risks. For example, say you have a printer in your billing office that’s only connected to your internal network. That seems safe enough. However, there’s still a risk that an outside party could infiltrate it, either by physically entering the office and breaching it or by hacking into the internal network from outside. A printer, as innocuous as it seems, could allow a hacker to read sensitive information sent to the printer or use it to pivot to previously non-accessible networks. Environment assessments allow you to understand where the most vulnerable assets and networks are and flag potential security gaps in your network topology or systems configurations.
Asset management programs and environment assessments also allow you to identify old hardware and legacy systems that are still being used. Cyberincidents such as WannaCry, NotPetya, and the Equifax breach are all cautionary tales of what can happen when using legacy systems or leaving vulnerabilities unpatched. Not only do these systems present increased vulnerabilities, they’re more difficult and time consuming to maintain for that exact reason. The good news is that companies recognize these threats. According to the 2019 State of IT report, the need to upgrade outdated IT infrastructure is the biggest driver of IT budget increases in 2019.
Whether it’s by implementing a new layer of security, patching vulnerabilities, or removing an outdated system from your network, once you’ve identified the risks your assets pose, you can apply the appropriate security controls.
Tools for Asset Management
Asset management—identifying, classifying, assessing assets and risks, implementing security—sounds like a lot of time, energy, and resources that you may not have. Fortunately there are tools to help you assess and manage your existing infrastructure, the data stored within, and the cybersecurity measures behind it.
Typically, you install and configure these tools on your network and they begin a continual discovery process. This can often be augmented by writing business rules that auto-classify assets and assess their level of exposure to online threats. These tools can map your assets and determine how (and whether) they are connected to your network. They can also provide easy to understand risk assessments and recommendations for security fixes.
A good asset management program can protect not just your physical assets, but your entire business. Knowing where your data resides, how it is accessed, and where your greatest security risks are, helps you secure your infrastructure so that you can concentrate on your core business. Furthermore, an asset management program allows you to plan for the future of your company, budget appropriately, and determine what new technologies you can implement to help your organization meet its goals and keep up with industry peers.
We’re just over half way through with our cybersecurity best practices series, but don’t worry! There’s still more to come on how you can secure your organization effectively. Stay tuned!