Information and Asset Management
Security tools and increased awareness are key to keeping a company secure, but many companies also need help with a basic question: What, exactly, are they protecting? Many companies simply don’t know what they have and what they need to protect. When we do asset discovery services for companies, we almost always find a lot of assets that belong to the company without the company being aware of them. In one instance, the company thought they had far fewer online systems and related IP addresses than they actually did. Upon discovery, we found one-third more IP addresses and related systems than they thought should be there. Those were forgotten, new, undocumented, or lost live IT systems that belonged to the company—hundreds of live systems—and they didn’t have a clue. Most importantly, these systems were not recognised as their assets and were not managed.
If you can’t manage it, you can’t secure it! Conversely, if you manage it well, making it secure is easy.
In this domain, companies deal with assets like computers and information. These assets are critical to the business because they create revenue or shareholder value. If information or assets are stolen or damaged, the repercussions can be devastating. Organisations can fail if they don’t do this well, not only in the security space but also in terms of business success. Organisations can incur major losses if they don’t get this right.
Because these assets are so important, companies must keep track of where these things are and how they’re being used. Information and asset management is not just a matter of having a list of everything the company owns—it’s also about how those assets are managed.
For example, we learned about a medium-size city in Europe that leased their computers instead of owning them—around 22,000 machines, and they were paying hundreds of dollars every month for each of those computers in leases. That’s not a small amount of money. They used an infrastructure vendor who had a process for delivering new laptops and dismantling the old ones, and they handled the whole process for this municipality. When someone started working for the municipality, they received a new computer from the vendor. When they resigned, the laptop was either scrapped or traded to another user. In theory, this is an asset-light way to manage the end user devices in IT.
The problem here is that the vendor did it all. The municipality oversaw only part of the process, which was fine; it made sense to externalise most of the service. But they also externalised control of the service. The vendor was controlling the number of the laptops and the inventories. This went on for years.
What could go wrong? Plenty.
When the municipality did an audit to look at their inventory of computers, they were surprised to learn they had no inventory of the laptops at all. They didn’t know how many computers they had or even if they were being used or not. They had no way to verify whether each of the laptops was still there, and in many cases, no way of knowing which user was using which device.
When they finally did the inventory audit, the result was horrifying for the city. Out of more than twenty thousand laptops and computers that the city was paying for, about ten thousand did not even exist any more. They were just gone. Nobody had any idea where they went. Think about that number—ten thousand computers disappeared. That’s ten thousand laptops with hard drives containing potentially sensitive or private information that had gone missing.
The saddest part, with the biggest impact, is that the city had been paying for those ten thousand non-existent computers every month. That’s a huge amount of money wasted. Taxpayers were not happy. Of course, there was a lawsuit, a public case that inflicted a massive hit to the city’s reputation.
Asset management is a big deal. It must be done properly. Even if an organisation outsources their asset procurement and leasing to an outside vendor, management and inventory of those assets must remain an inside job.
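The kind of audit the city eventually ran can be repeated routinely by comparing what the vendor invoices against what the organisation itself has observed. The sketch below is an added example, not part of the original text; the serial numbers, user names, the 90-day staleness threshold and the function names are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data, not from the original text.
# What the leasing vendor invoices for: serial -> assigned user.
VENDOR_BILLING = {
    "SN-1001": "a.berg",
    "SN-1002": "m.lind",
    "SN-1003": "k.holm",
    "sn-1004 ": "p.aho",   # vendor export with inconsistent formatting
}
# What the organisation itself observed (e.g. device-management check-ins):
# serial -> (last seen, logged-in user).
OBSERVED = {
    "SN-1001": (date(2024, 5, 28), "a.berg"),
    "SN-1002": (date(2023, 11, 2), "m.lind"),
    "SN-1003": (date(2024, 5, 30), "j.niemi"),
    "SN-9001": (date(2024, 5, 29), "t.salo"),
}


def norm(serial):
    """Normalise serials so formatting differences do not hide a match."""
    return serial.strip().upper()


def reconcile(billed, observed, today, max_age_days=90):
    """Compare the vendor's list with our own observations."""
    billed = {norm(s): u for s, u in billed.items()}
    observed = {norm(s): v for s, v in observed.items()}
    cutoff = today - timedelta(days=max_age_days)
    report = {"billed_never_seen": [], "billed_stale": [],
              "user_mismatch": [], "seen_not_billed": []}
    for serial in sorted(billed):
        if serial not in observed:
            report["billed_never_seen"].append(serial)   # paying, no evidence it exists
            continue
        last_seen, user = observed[serial]
        if last_seen < cutoff:
            report["billed_stale"].append(serial)        # paying, possibly lost
        elif user != billed[serial]:
            report["user_mismatch"].append(serial)       # traded on without a record
    # Live devices nobody documented.
    report["seen_not_billed"] = sorted(set(observed) - set(billed))
    return report


if __name__ == "__main__":
    for finding, serials in reconcile(VENDOR_BILLING, OBSERVED, date(2024, 6, 1)).items():
        print(f"{finding}: {serials}")
```

The first two buckets correspond to the city's missing laptops, and the last bucket corresponds to the undocumented live systems found during asset discovery.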
Know What You Have
Simply put, if you don’t know what you have, you can’t protect it. Information asset management means being aware of your assets and understanding how to protect them. There should be some kind of policy—you can call it information management, information security, or asset management; the name is not important. The policy should state what the company wants to do with all its assets—how to acquire them, manage them, and dispose of them. It should include a process for verifying, auditing, tracking, and acquiring assets.
If you don’t know what you have, you can’t protect it.
The policy should cover laptops, servers, information, acquisition of services, software, and licencing. Many of these are physical assets that you can see, feel, use, and touch. Companies usually can handle inventory of physical assets but often have a much harder time dealing with virtual assets, like server space, software, licences, customer records, and databases. These are less tangible assets, but they must also be covered under asset and information management.
Protecting Physical Assets
Let’s start with physical assets—things like servers, laptops, tablets, and mobile phones. Many companies don’t know what physical assets they have. It gets more and more complicated to track these things as more people use their networks and personal devices, like iPhones and computers, for work-related communications. In many cases, the company might not even own the devices that their systems are running on, so they don’t have the right to mandate what should or shouldn’t be done to secure them.
Companies actually prefer not to own these devices. If a physical device is required, they’d rather let the employee buy it themselves or lease it for the employee. Leasing means you have to manage the service but not the asset, so it’s an attractive option, especially in smaller companies. Leasing, however, doesn’t release the company from the responsibility of understanding and managing what they have.
One solution is to use a mobile device management service. In these plans, people who bring their own cell phone to work and want to use it for work tasks can join a mobile device management service that creates an asset directory. That gives the employer certain device management rights, such as the ability to wipe the devices if lost or stolen, and to configure security settings. If you plan to go for this option, make sure that your users understand the fine line between their personal and work use, and that they are giving away some of their rights when they use personal devices at work. Get this in black and white. It’s probably a good idea to talk to a legal advisor about how to formulate this on paper correctly. Invading users’ rights may backfire if the company goes carelessly into this space.
IT has traditionally been effective at managing their IT devices. They’re used to having racks of servers and piles of laptops, and they usually know who uses what equipment. They just need to make sure to put that information into Excel sheets.
In the past, there used to be just a few servers in a whole company, so creating a list of servers with information about what was in the server and where it was located was not complicated. Nothing more was needed. Now there’s a multitude of different devices: servers, workstations, mobile devices, private employee devices, and so on, and there’s no single role in the company that can manage them all and the information contained therein. These devices contain all company information, along with any personal information on customers and employees.
Perhaps there is one quality that we’d like to highlight in this context—it is punctuality and the capability to organise. People who take care of IT assets in companies should have both. For example, we’ve seen many system and network administrators who oversee a large number of devices across the enterprise. Not all of them are both punctual and organised, and these personal traits are reflected in what their infrastructures look like. People who have both traits like to keep things tidy, tolerate no mess, and naturally like to make lists of things like servers and IP addresses and keep everything in check. The flip side is that other people might find this attitude nit-picky and not very helpful. But believe us when we tell you that this is for the best of the company’s cybersecurity.
If you want your IT assets managed well, hire someone who’s both punctual and organised.
Labels and Priorities
Knowing what the company owns—servers, computers, information—is the first step. Classifying and prioritising those assets is the next logical step. Putting security labels on information and documents is an old practice that has its roots in defence and government practices. The idea is that once a label is put on a document, the reader should know how to handle it.
Most commonly, companies opt to go for three- or four-step labelling categories. We like simplicity because it’s easy for the users to remember what the labels mean. An example of such a categorisation system would be:
Want to make it simpler? Just drop out the last “Secret” category. People often find three categories easy to grasp.
Those labels may be helpful in communicating to the reader how important the information is in each document, but the terms aren’t clear to everyone. Employees often have difficulty understanding the difference between internal documents and confidential documents. They aren’t sure which documents should be sent to employees and which to partners. They can’t decide whether to give an internal document to a consultant. Even top executives and security managers struggle with making a distinction between what should be labelled “Confidential” and what’s “Secret.”
The best solution is to have a simple rule about labelling things like documents, emails, faxes, and other information. Give employees clear if-then statements: If you’re giving internal or confidential documents to somebody, make sure they have a working non-disclosure agreement in place with the company. If you create documents and give them to someone else, label them yourself. If the document has confidential information, place the word “Confidential” in the header or footer. You’ve probably seen the disclaimer clauses in many official email footers. It’s the same thing but with a bit of legal jargon to spice it up.
A simple trick is to make official document templates in Word and PowerPoint with “Confidential” or “Internal” labels already present on the documents by default. Then, when employees use the company’s official templates, they’ll open up with the default label already there. People will make mistakes anyway and won’t pay a lot of attention, but at least you will have a default label on the documents. One more idea—add a unique innocent-looking identifier to the footer of your document templates. Something that’s unique to only you. If there’s a data breach, you’ll be able to search for that identifier by using a breach monitoring service.
A manual process of labelling information will fail at some point. Any information that’s crucial for making money and growing the business, or trade secret information that could be harmful if leaked or damaged, should be secured pretty well. That costs money and time, of course, and should include things like data encryption if it’s being sent over the network to other people. You might want to look into things like email encryption, data loss prevention, and related technologies. Yes, more securely stored data means that it’s going to be harder to access, even for the people who actually need it. That’s the double-edged sword of securing data by encrypting it.
One more thing that companies should keep track of under information and asset management is licence management. Many products and services that companies use are governed by a licence agreement. If that licence agreement is violated, there could be serious consequences, including fines and penalties.
Unless a company practises good licence management, they may be overpaying for too many licences or underpaying for not enough. If the company is underpaying, a whistleblower could turn them in and get a reward. Say you’re working for a major corporation that you know isn’t paying for their Adobe Illustrator licences for 500 users. Whoever tips off Adobe could get a fat check in the mail as a whistleblower. And yes, there are service providers who sell this as a service and pay the whistleblowers.
Companies should monitor their licences diligently. Treat them like other assets in the information and asset management system.
A Market for Secrets
Good asset management extends to the point when a company gets rid of old assets. It’s not just buying and managing what you own but also about destroying it securely after you don’t need it anymore.
There is a market for secrets, and criminals use all kinds of illegal means to access and obtain secret information that can be sold. In the news recently, an e-waste recycling company got busted when it turned out that certain employees at the company were stealing hard drives out of computers that were supposed to be destroyed, and then harvesting the data for sale.
There are also many stories of dumpster diving criminals who steal paper documents out of the trash. This happens to many different types of organisations—like healthcare companies who were dumping customer records with medical info by the lorryloads, until someone found them. Dumpster diving is still very effective in this modern age.
Security against these kinds of attacks doesn’t have to be complicated: get a decent shredder for a thousand dollars. Pay for a good one. Not only should it process without jams, but it should process CDs and DVDs, plastic binders, and paper and do cross-shredding. It should be up to the task with a big container suitable for commercial office use. Place shredders where paper is used a lot and where sensitive data is being handled—where people use the papers—printer rooms, the offices of the HR department, and so on.
To guard against hard drives getting stolen from the e-waste recycling plant, use full disk encryption on all devices—mobile phones, laptops, and desktops. After the computer boots up, the first thing it does is decrypt the hard drive. If the thief doesn’t have the password, he cannot read the data. If he removes the hard drive and tries to read it with a special device or another computer, all he’ll see is scrambled data.
Encryption of the entire hard drive can be enabled in Windows, on Macs, or on Linux operating systems quite easily. Hard disk encryption used to require specialised software, but it’s now available out of the box and simple to put into use. There is no reason not to use data encryption on all of the devices your company has. Have this requirement in your policies and include steps to do it in device management procedures.
Finally, we have an example of a company that was leasing printers. Modern printers have mini servers with operating systems and memory; quite often, it’s a simple Linux server. Every time someone prints a document, that information is stored in the printer, including things like employee agreements, business agreements, lists, graphs, trade secrets, and internal presentations—just to name a few. And that information will be stored on the hard disk of those printers. This company was leasing printers, and once the lease ended or they replaced a device, criminals stole the information from the hard drives of those printers. None of those devices had any encryption or data wiping features on them. The data was still there. (Data that is deleted from the hard disk is not usually gone. It’s just marked as free space. Getting the data back is just a matter of reading the disk with specialised software and restoring the files.)
An organised criminal gang could go into the recycling business, start buying used printers, then harvest valuable information off the hard disks. The thief could be anybody; it might be a custodian or a maintenance person, or anyone who has a hobby of hacking information and frequenting dark web forums looking to trade secrets for money. And this has happened many times over already.
There’s truly an economy out there for secrets.