IT security exists to protect your assets. But is your full IT asset list truly accounted for?
CFOs expertly track every large purchase and make sure each one is inventoried annually, but that purchase list rarely amounts to the full list of IT assets your team must protect.
While some assets may be obvious, others have a tendency to slip through the cracks.
Let’s take a look at some of the most common, as well as a few that might fall into the ‘forgotten’ pile.
After all, a neglected, forgotten device is all too often an attacker’s best friend.
Blinking Boxes Big and Small
Some assets are obvious, like the big cabinets with flashing lights in the server room. These assets will generally be on that CFO IT asset list and easy to track.
Far less obvious are the Internet-of-Things (IoT) and Operational Technology (OT) devices that are increasingly connected to the internet and to our networks. IoT devices range from critically useful medical devices monitoring patient health to questionably useful smart toilets.
In a survey of 200 enterprises, 70% planned to have more than 50,000 IoT devices deployed within the next two years.
Unfortunately, device manufacturers rarely place security concerns at the top of their design priorities.
That leaves your IT and security teams to pick up the slack against the threats from these vulnerable devices.
One notable example is the class of vulnerabilities behind "Evil PLC" attacks, in which a compromised Programmable Logic Controller (PLC) on the factory floor is used to attack the engineering workstations that connect to it.
In another, Point-of-Sale (POS) malware sidestepped the terminal's card-handling protections and stole card data from transactions as they were processed.
In both events, it didn’t matter who was to blame for the lapse in security. The damage was done regardless.
Knowing Your IT Asset List Is Half the Battle
National Security Agency (NSA) guidance published to help secure OT and other Industrial Control Systems (ICS) applies equally well to IoT.
However, it rests on a critical assumption: that you know the asset exists. Your organization must continually scan its infrastructure to inventory new or unregistered assets.
For example, an IP address scan of your IT environment may discover:
- A new iPad, purchased by marketing, that needs device management software and antivirus
- An Alexa smart speaker installed by the finance department bookkeeper
- A new breakroom fridge connected to the internal network instead of the guest wi-fi
- A new virtual network of several servers and a virtual router running in the data center
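The scan only pays off if its output is compared against the register you already have. The following is an added example for this article, not code from the original post: it takes a constructed sweep of the internal and guest ranges, matches each device against a constructed purchase-based register by MAC address, and flags the unregistered devices sitting on the internal network. The subnets, the vendor-prefix hints and the sample data are assumptions; a real run would feed in the output of a tool such as `nmap -sn` or the ARP/MAC tables pulled from your switches.

```python
"""Reconcile a network sweep against the purchase-based asset register.

Added example for this article, not code from the original post. The
sweep output, the register, the subnets and the vendor hints are all
constructed sample data.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample sweep: ip, mac, hostname (hostname is often blank for
# IoT gear, which is itself a hint that nobody named or registered it).
SCAN_OUTPUT = """\
10.10.1.10,00:50:56:aa:01:10,db-server-01
10.10.1.11,00:50:56:aa:01:11,web-server-01
10.10.1.57,3c:22:fb:12:34:56,ipad-marketing
10.10.1.88,fc:65:de:aa:bb:cc,
10.10.1.90,00:1e:c0:11:22:33,
10.10.2.5,00:50:56:aa:02:05,
192.168.50.23,b8:27:eb:99:88:77,
"""

# Constructed sample register: the annual purchase inventory only knows
# about the big-ticket servers.
ASSET_REGISTER = """\
asset_tag,ip,mac,owner
SRV-0001,10.10.1.10,00:50:56:aa:01:10,IT
SRV-0002,10.10.1.11,00:50:56:aa:01:11,IT
"""

# Assumed network layout for the example.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")

# Tiny illustrative subset of MAC vendor prefixes (OUIs). A real scanner
# would look these up in the IEEE OUI registry instead.
OUI_HINTS = {
    "00:50:56": "VMware virtual machine",
    "b8:27:eb": "Raspberry Pi",
}


@dataclass
class Finding:
    ip: str
    mac: str
    hostname: str
    registered: bool
    zone: str  # "internal", "guest" or "other"
    hint: str


def classify_zone(ip):
    """Say which part of the network an address sits on."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL_NET:
        return "internal"
    if addr in GUEST_NET:
        return "guest"
    return "other"


def reconcile(scan_text, register_text):
    """Match every swept device against the register.

    Matching is by MAC rather than IP: DHCP reassigns addresses, and an
    IP-only register would miss a device that simply got a new lease.
    (Phones and laptops may randomize their MAC on some networks, so
    treat a MAC miss as a lead to investigate, not a verdict.)
    """
    known = {row["mac"].lower() for row in csv.DictReader(io.StringIO(register_text))}
    findings = []
    for ip, mac, hostname in csv.reader(io.StringIO(scan_text)):
        mac = mac.lower()
        findings.append(Finding(
            ip=ip,
            mac=mac,
            hostname=hostname or "(no hostname)",
            registered=mac in known,
            zone=classify_zone(ip),
            hint=OUI_HINTS.get(mac[:8], "unknown vendor"),
        ))
    return findings


def unregistered_on_internal(findings):
    """The ones that matter most: unknown gear on the internal network."""
    return [f for f in findings if not f.registered and f.zone == "internal"]


if __name__ == "__main__":
    results = reconcile(SCAN_OUTPUT, ASSET_REGISTER)
    for f in unregistered_on_internal(results):
        print(f"UNREGISTERED {f.ip:<15} {f.mac} {f.hostname:<16} {f.hint}")
    for f in results:
        if not f.registered and f.zone == "guest":
            print(f"guest-wifi   {f.ip:<15} {f.mac} {f.hostname:<16} {f.hint}")
```

Run against the sample data, the script reports the marketing iPad, two nameless devices and a virtual machine that nobody registered, all on the internal network, plus a Raspberry Pi on the guest wi-fi. Each of those is a device that needs an owner, a risk rating and a decision about where it belongs.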
Not only do these devices need to be added to your IT asset list, but your team needs to secure them, too. That said, the risk each one poses lacks context until you know what data flows through or is stored on it.
For example, a smart speaker that captures every time someone says "my voice is my password" to the bank's voice-based authentication poses a larger risk than a similar device in the warehouse that only captures shipping schedules.
Keep in mind, too, that not all assets will be connected to your organization's internal network. These devices are harder to track, but you should still make the effort to find and protect rogue devices such as:
- A critical assembly-line tool connected via 5G to the manufacturer
- A software development environment hosted on a platform-as-a-service cloud environment
- Security cameras set up to monitor the server room inadvertently connected to the guest wi-fi for the company next door
IT asset lists aren't always easy to maintain, especially in large businesses with lots of moving parts. But without an accurate inventory, it's hard to stay secure.
Hidden Assets: Data
Along with physical devices, you’ll also want to scan for critical data.
After all, it’s easy to think company policy limits where social security numbers, credit card numbers, or healthcare information is officially stored. But, we all know that a policy does not equal compliance.
Even 90% compliance with those instructions still leaves room for critical data to leak through simple mistakes. For example, the personal information of all 460,000 residents of Amagasaki, Japan was on a USB drive that a contractor's employee lost after a night of drinking.
Intentional or not, it still happened.
A good test for assessing the value of the data is to consider the drunk employee example. If the data in question were to be lost and made public or fall into the wrong hands, what would be the damage?
It’s a good question not just for creating your IT asset list, but for all facets of your cybersecurity.
Locating and Controlling Assets
To prevent serious consequences from accidents or malicious attacks, you need to identify where the physical and virtual crown jewels are located in your company. Then, ensure they’re properly protected at all times.
To achieve this goal, you'll want to perform a regular cycle of:
- Checking for assets:
  - Observe the physical environment for devices or equipment that may be connected
  - Scan the network for devices
  - Scan devices for critical data
- Categorizing assets and assigning risk values (preferably dollar amounts, but at least high/medium/low)
- Moving data or devices as needed to improve security
- Adjusting data and asset security protections
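The data half of that cycle, from the scan described under "Hidden Assets: Data" through to the risk rating and the move-or-protect decision, is shown below as an added example for this article; it is not code from the original post. It scans a handful of constructed sample files for Social Security numbers and card numbers, uses a Luhn check to throw out things that merely look like a card number, then rates each file and recommends an action. The "approved location" rule (`finance/` only) and the per-record dollar figure are hypothetical assumptions to make the risk value concrete, not published figures.

```python
"""Scan files for regulated data, rate the risk, and decide what to do.

Added example for this article, not code from the original post. The
sample files, the approved-location rule and the per-record dollar
figure are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample files, keyed by path, standing in for a file share.
SAMPLE_FILES = {
    "finance/payroll-2023.csv": "name,ssn,salary\nJane Doe,123-45-6789,88000\n",
    "marketing/leads.txt": "call back 555-0100, quote 4111 1111 1111 1111 for demo\n",
    "warehouse/schedule.txt": "Truck 7 arrives 09:30 at bay 4\n",
    "sales/notes.txt": "order 1234 5678 9012 3456 is NOT a card number\n",
}

# Hypothetical policy: regulated data may only live under these prefixes.
APPROVED_PREFIXES = ("finance/",)
# Hypothetical per-record exposure used to turn a count into dollars.
COST_PER_RECORD_USD = 150

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits with optional space/dash separators; the Luhn check
# below weeds out strings that merely look like a card number.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject SSN-shaped strings the SSA never issues."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]


def find_cards(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Assessment:
    path: str
    ssns: int
    cards: int
    rating: str        # low / medium / high
    exposure_usd: int  # records * COST_PER_RECORD_USD
    action: str


def assess(path, text):
    ssns, cards = len(find_ssns(text)), len(find_cards(text))
    records = ssns + cards
    if records == 0:
        rating, action = "low", "none"
    elif path.startswith(APPROVED_PREFIXES):
        # Sensitive, but where policy says it belongs: harden in place.
        rating, action = "medium", "encrypt at rest, restrict access, log reads"
    else:
        # Sensitive and somewhere policy forbids: that is the leak in waiting.
        rating, action = "high", "move to an approved location or delete"
    return Assessment(path, ssns, cards, rating, records * COST_PER_RECORD_USD, action)


def assess_all(files):
    """Assess every file, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(p, t) for p, t in files.items()),
                  key=lambda a: (order[a.rating], -a.exposure_usd))


if __name__ == "__main__":
    for a in assess_all(SAMPLE_FILES):
        print(f"{a.rating:<6} ${a.exposure_usd:>6} {a.path:<26} "
              f"ssn={a.ssns} card={a.cards} -> {a.action}")
```

On the sample data the marketing notes file comes out on top: a real card number in a directory where policy does not allow one. The payroll file holds an SSN but lives where it is supposed to, so the action is to protect it in place. The sales note contains a 16-digit string that fails the Luhn check and is correctly ignored, which is the difference between a useful report and one your team stops reading.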
We understand not every organization has the internal resources or tools to consistently perform each step of this process.
But, that doesn’t mean you should just ignore the problem. After all, help is only a phone call away.
For assistance, simply contact us at 412-349-6680, or fill out the form below. Our experts will provide a no-obligation review of options for scanning, IT design, cybersecurity monitoring, and other means to protect your organization.