“Know yourself” might sound like wishy-washy, Instagram-filtered, self-help claptrap. Yet in reality it’s incredible business advice.
When we know our own strengths and weaknesses, we instantly know what essential business tasks we’re going to excel at and what things we should perhaps delegate or outsource – whether it’s on a personal level or in respect to your business as a whole.
In the current cyber frontiers of the 21st century, “know your tech” is equally sound business advice. You need to know the risks out there of course; and for that, SonicWall’s 2022 Cyber Threat Report is an eye-opening read. But by knowing the exact ins and outs of your IT estate, and balancing that with an outward focus on cyber-risk, you achieve a realistic awareness of your own IT strengths and weaknesses.
When you know your strengths, you know what storms you can likely weather. And when you know your weaknesses, you’re rewarded with the opportunity to put them right before disaster strikes.
Of course, “knowing your tech” isn’t what we in the tech community call it – we refer to it as ITAM, and it’s a crucial step in reducing your cyber risk. Let’s get stuck in.
What is IT Asset Management (ITAM)?
IT Asset Management (ITAM) is the process of inventorising all of an organisation’s IT assets. IT assets include tangible things like hardware and mobile devices as well as intangibles like software and online resources.
When you have an accurate and up to date inventory of your IT estate, you can better deploy, update, and maintain your IT investments. It gives you a totally informed picture of your IT’s practicalities, your level of cyber-risk, and your cybersecurity posture as a whole.
What counts as an IT Asset?
An IT asset is basically any instance of tech within your organisation. There are numerous ways of breaking the concept down into composite categories, but we find these 5 categories to be the most illustrative:
- Static Endpoint Hardware: PCs, Printers, Smart Devices, Servers, Internet of Things Devices
- Software: Operating Systems, Productivity Suites, Accounting Packages, Industrial Control/SCADA Software, Endpoint Protection Tools, SaaS Resources
- Network Infrastructure: Switches, Routers, Firewalls, Servers
- Mobile Endpoint Devices: Laptops, Smartphones, Tablets, Mobile SCADA/Industrial Control System Hardware
- Cloud/Web Resources: Your Website, Cloud Storage, Cloud/SaaS Software
Why all organisations should practise it asset management
Proactively avoid cyber-incidents
You can better defend what you know you have. Instead of floundering in the dark, ITAM gives you a crystal-clear picture of your entire IT estate, the risks you face, a chance to proactively minimise those risks, and a chance to formulate a plan of action in case each risk does come to fruition.
Get the most out of IT assets
Exploring the ins and outs of your entire IT estate can help you make the most of what you already have and use. By recording your current IT assets, you can provision your existing IT more effectively, identify upgrade opportunities, and properly rationalise your investment in new IT.
Protect high-risk data & processes
Under UK GDPR, any organisation that possesses personally identifiable information has a responsibility to maintain the “confidentiality, integrity and availability” of that data. IT asset management helps you to better understand the hardware and software that props up your data processes and can inform appropriate security measures.
Useful for insurance & accounting
Keeping a precise, up-to-the-minute picture of what IT you own and when it was purchased helps your contents insurers recommend the right levels of cover and also helps your accountants calculate capital expenses accurately too.
How to start doing basic ITAM
Investigate your network hardware
Start by building an inventory of all devices connected to your network. Start with the obvious devices you know and use every day and proceed to hunt down and catalogue every device that connects to your network infrastructure.
This can include seemingly innocuous IoT devices like smart speakers and lighting; networked industrial control or SCADA devices; and internet-enabled buildings access management systems.
Remove any devices from your network that don’t need to be connected (such as shadow IT) and record the rest. Bring together all of the data you can about the devices in your care, such as purchase dates, lease renewal dates, serial numbers/IMEIs, MAC addresses, etc.
For now, focus on getting as complete a picture as possible. Other devices are likely to sneak out of the woodwork as you continue your ITAM journey – that’s OK, just add ‘em to the list as they appear!
Catalogue your software
As you catalogue your network’s hardware, start to record the software on each device too. Keeping an eye on the software you use is both an essential part of ITAM and an important step in the fight against malware.
You see, zero-day malware often breaks into a device by harnessing hidden security loopholes inherent in software. As software vendors discover these loopholes, they close them with updates. Hence why it’s always advised to update all software as soon as updates become available.
Alongside each hardware entry, record the software that it uses: the version number and/or name of the operating system(s) on each device; what software is installed on each device; what version number of that software is currently installed; licence information for that software, etc.
This also gives you an opportunity to examine the use of software across your organisation. Are you over-purchasing software? Are you giving priority access to software and resources to team members who really don’t need them? Are any team members using free software or SaaS tools that haven’t been OK-ed by your IT team? Revisiting software in this way can help you streamline your SaaS and software spend and help you reduce your cyber risk.
Know your network’s layout
Now you know what devices you’re dealing with; establish how exactly they connect to your network. When you know exactly how your network devices connect together, you can better understand how vulnerabilities can creep into – and indeed across – your infrastructure.
If your network consists of PCs all connected to the same switch, record which local IP address and which physical “socket” (or “port”) each device uses. If you have some devices that connect via WiFi, record their local IP addresses too.
Side Note: ITAM & Remote Working
ITAM is arguably most critical when it comes to remote workers, though it becomes a little more complicated to manage at a distance. Naturally you need to record each device, the software used, and how it connects to your internal network infrastructure. But it’s also well worth noting what hardware is in which employee’s care and considering how you will recover physical assets when a remote worker leaves your team.
Record each device’s purpose & criticality
This one’s essential yet often overlooked. How critical is each device to the smooth operation of your network and your business? What is it there to do? How well does it fulfil that purpose?
You may find it useful to track device purpose and criticality in a matrix of sorts: with “Critical,” “Nice to Have,” and “Surplus” across the top; and “Useful,” “Needs Improvement,” and “Barely Serves Purpose” across the side. It can help you prioritise which IT investments are really worth your time and which ones should be deprecated or replaced. Whittling down the older IT under your care can help you to minimise your risk surface too.
Consider ITAM software
If you’re a relatively clerical microbusiness with fairly static hardware, you can probably record much of your ITAM data in a spreadsheet. However, if your company is larger, growing rapidly, or relies on remote workers, you may struggle to reliably keep this information up to date. Even if you are a smaller business, if you don’t have a full-time member of staff to take care of IT matters, your ITAM spreadsheet may end up languishing at the bottom of an ever-growing to-do list.
ITAM software automatically keeps tabs on everything we’ve discussed here in real time whilst also recording network usage and IT support tickets too.
Review your network and cyber defences
Now you have a clear picture of your network infrastructure, it’s time to delve into your cyber and network security defences – our favourite bit!
Working with the information you’ve already collected; you may find some IT security “low hanging fruit”: maybe some devices are missing crucial endpoint protection like antivirus or MDR; maybe some devices are connected “in front of” your firewall; maybe you’re using “end of life” IT that’s in dire need of an upgrade.
If you’ve recently undergone rapid growth or change, take a look at your firewall’s throughput capabilities alongside actual usage data. If you’re still using the same firewall as before, you may need a different level of protection now. Alternatively, if you’ve shifted to remote or hybrid working following the pandemic, you should check the number of remote or VPN connections available through your firewall. If you need help with this, our friends at Just Firewalls are ready and raring to assist!
Whilst you have your network security hat on, take a look at your network security policies and alerts (and if you don’t have a means to set security alerts and policies – get one!). Are there any low-impact alerts that occur time and time again that could be collated into a daily digest? Are there any alerts or policies that are too strict or too lenient? How frequently do you or your team check security logs? If anything doesn’t pass muster – here’s your chance to put it right.
Create an information security risk register
With a fresh picture of your cybersecurity landscape, you’ll be in a much better position to create a proper IT risk register.
What is an Information Security Risk Register?
An information security risk register is an exercise used to identify potential cyber and network security risk factors within an organisation or project. The more general concept of risk registers comes from project management disciplines like PRINCE2 but they’re useful for any kind of business continuity exercise.
A good risk register is effectively a table that contains the following information:
- Each Potential risk (A description of each risk that could take place.)
- Possible causes/antecedents of each risk (What would have to happen for this risk to become reality?)
- The potential outcomes of each risk (Describing what would happen should this risk take place.)
- The likelihood of each risk happening (How likely this risk is, usually in terms of “low/medium/high.”)
- The severity of each risk (How badly the risk would affect business, usually in terms of “low/medium/high.”)
- The costs of each risk (How much it would cost you, in terms of money and time, to put things right.)
- The potential impact of each risk (What other impacts (e.g., legal, reputational, etc.) could this threat bring?)
- The mitigation factors for each risk (What plans do you have to keep this risk at bay?)
- The plan of action should each risk take place. (What plans do you have should this risk happen?)
Consider investing in network security monitoring
Now you should have a good grounding in what IT you have and what risks you face. However, there is an additional important aspect that we need to touch on – usage. And there’s no better way to ensure that your IT is being used in a smooth and secure way than network security monitoring.
Thorough network monitoring can help you unearth new risks you may not have identified; it can tip you off to security threats before they become larger issues; and can provide precise, forensic activity logs if something does go awry.
… and repeat!
If you’re not relying on IT asset management software to automate this process, it’s something you will need to check in with regularly. Diarise a slot every 1-3 months to check in with your IT and update your records.
Need some help calculating your precise risk profile? Perhaps you’d like an expert to review your current cyber defences? Or maybe you’ve identified a need for outsourced, forensic network monitoring?
If you need a helping hand with anything cyber or network security, reach out to the experts at Just Cyber Security.
Drop us a line today or chat with one of our experts on 0808 1644414!