CEOs and CISOs rely on IT teams to protect their companies from cybersecurity issues, but they may not be covering all their bases. After the necessary firewalls, intrusion prevention systems and anti-malware products have been put in place, there is one area of IT infrastructure that companies are leaving wide open to attack: their software portfolio.
Software is the ultimate attack vector. Rogue applications are a popular tool among cyber-criminals, who use malicious software to mount attacks on corporate networks. Unless a company has a complete picture of what is running on its systems, it could be under attack and not even see it.
Cost of Security Failures
A company’s awareness of its own software inventory directly affects its overall corporate risk. The cost of data breaches in the UK is soaring, according to research published this year by the UK government, in conjunction with PwC.
In 2014, cybersecurity breaches for large companies cost between £600,000 and £1.15m on average. In 2015, the average cost window ranged between £1.46m and a whopping £3.14m. Smaller businesses are also finding data breaches more painful, with the cost rising from £65,000–£115,000 in 2014 to £75,000–£311,000 in 2015. Factored into these figures are costs incurred through business disruption, lost sales, asset recovery and compensation. This year’s costs will be significantly higher, as the fallout from ransomware such as WannaCry and Petya is still being counted.
The Dangers of Software Blindness
One of the biggest vulnerabilities in an organization is old software. Many companies have difficulty organizing security patches for current versions of software, but older versions represent an even bigger security threat. Outdated browsers, for example, are a gift for attackers.
Similarly, unauthorized installations of software on corporate PCs represent a big threat. Pirated, unlicensed software is frequently infected with malware, for example, while software legitimately paid for but not authorized by IT can also broaden the attack surface because it will inevitably contain its own security vulnerabilities, or offer features that could lead employees to compromise the company’s data.
How SAM can help
Board executives need to be sure that their IT departments have control of this situation, and are using the appropriate tools to both lock down unauthorized software installations and keep track of what is on the network. Software asset management tools can help in a few ways.
Two of the most useful features in these tools are blacklisting and whitelisting. Blacklisting prevents particular software from being installed on the system, typically based on a digital fingerprint or signature, effectively locking out a known subset of dangerous software.
Whitelisting takes this a step further, allowing only a pre-authorized list of software products to be installed on a system. This enables IT administrators to lock out anything that their software team hasn’t approved by default.
Whitelisting not only protects corporate computers from unauthorized software, but can also form a platform for improving the level of service that IT provides to employees. Armed with a whitelist and the tools to enforce it, IT departments can create self-service portals that enable employees to install software from this pre-authorized list as they need it. Imagine the equivalent of an online app store for your company, and imagine what this would mean to employees who want the same kinds of experiences as with consumer devices.
Competent software asset management tools will also scan installed software for out-of-date versions, bringing them to the IT team’s attention. This empowers them to update that software, negotiating new licenses with their vendors if necessary.
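The blacklist, whitelist and out-of-date-version checks described above, as an added example that is not part of the original article or of any SAM product: each installed application is matched by the SHA-256 fingerprint of its executable, a denylist hit always blocks, whitelist mode blocks anything not pre-authorised, and a minimum-version table flags outdated builds. The inventory, fingerprints and version floor are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    name: str
    version: str
    sha256: str  # digital fingerprint of the application's main executable


def fingerprint(data: bytes) -> str:
    """SHA-256 of an executable's bytes: the fingerprint the lists are keyed on."""
    return hashlib.sha256(data).hexdigest()


def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))


def evaluate(app, denylist, allowlist, min_versions, mode="allowlist"):
    """Return (decision, reason). Denylist wins; in allowlist mode unknown software is blocked."""
    if app.sha256 in denylist:
        return "block", "fingerprint on denylist"
    if mode == "allowlist" and app.sha256 not in allowlist:
        return "block", "not pre-authorised"
    floor = min_versions.get(app.name)
    if floor and parse_version(app.version) < parse_version(floor):
        return "flag-outdated", f"{app.version} < {floor}"
    return "allow", "ok"


# Constructed stand-ins for real executables; only their hashes matter here.
APPROVED_BROWSER = fingerprint(b"constructed approved browser build 110")
OLD_BROWSER = fingerprint(b"constructed approved browser build 98")
PIRATED_TOOL = fingerprint(b"constructed cracked installer")
UNKNOWN_TOOL = fingerprint(b"constructed shadow-IT utility")

DENYLIST = {PIRATED_TOOL}                     # known-bad fingerprints
ALLOWLIST = {APPROVED_BROWSER, OLD_BROWSER}   # pre-authorised fingerprints
MIN_VERSIONS = {"Browser": "100.0"}           # constructed version floor

INVENTORY = [
    InstalledApp("Browser", "110.0", APPROVED_BROWSER),
    InstalledApp("Browser", "98.0", OLD_BROWSER),
    InstalledApp("CrackedTool", "1.0", PIRATED_TOOL),
    InstalledApp("ShadowUtility", "2.3", UNKNOWN_TOOL),
]


def audit(inventory, mode="allowlist"):
    """Map 'name version' to the (decision, reason) the policy produces for it."""
    return {f"{a.name} {a.version}": evaluate(a, DENYLIST, ALLOWLIST, MIN_VERSIONS, mode)
            for a in inventory}


if __name__ == "__main__":
    for app, (decision, reason) in audit(INVENTORY).items():
        print(f"{app:<20} {decision:<14} {reason}")
```

Running `audit(INVENTORY, mode="denylist")` shows the gap the article points at: the unknown utility passes in denylist-only mode and is only caught once a whitelist is enforced.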
Companies can also use SAM to avoid one of the other threats to corporate security: unauthorized users. When employees leave a company, poor management practices can leave their software user accounts open, enabling attackers to impersonate them and use the software to access company resources.
Automating the reassignment of named licenses for company software helps to eliminate this risk, ‘tying off’ loose ends when an employee leaves or changes their role within the company, and closing those potential loopholes.
Companies without the tools to gather information and enforce these policies risk a chaotic and opaque software environment, in which security threats go unnoticed. So, the first question that board-level executives should ask in the next meeting with the IT team is: how confident are you that you know what’s running on our networks?