The big cybersecurity news over the past few weeks has been the Log4j vulnerability. Without going into too much detail, Log4j is a common logging tool embedded in tens of thousands of applications that are running on countless computers. Late last year, an unknown party released information on how to take advantage of a vulnerability in the Log4j code. That means that, for the past month or so, anyone on the internet could, in theory, exploit any system running software that includes the Log4j tool. Companies have scrambled to apply patches to fix the problem.
Whether your IT team was able to salvage any of the holiday break largely depended on how well your business manages its asset inventory. Organizations that do a good job tracking their hardware and software had an easier time identifying vulnerable systems and rolling out the required updates.
Those without inventories? Well, let’s just say IT may still be trying to apply patches a full month after the world learned about the problem.
If your security and IT colleagues still seem less than well-rested, that’s because they burned the midnight oil as they scrambled to identify and patch each and every vulnerable system on your network — potentially thousands of devices. While maintaining an accurate inventory would clearly have been beneficial for that effort, it’s also useful for the finance team. Asset inventories help keep costs down. You know how many software licenses you need and can easily see if you’re paying for too many, or too few. You can more accurately predict maintenance costs based on the age of hardware and plan ahead for refreshes to ensure that your systems perform acceptably over time. When employees leave, you can make sure they return all the hardware that was issued to them.
Accurate asset inventories also keep you safe from a variety of penalties and unforeseen costs.
For example, PCs used by remote workers that IT has no record of are almost certainly insecure, given that they will not have updated software and patches. There may be old, undocumented and vulnerable wireless access points scattered around your offices that could give attackers an in. Then there are the legal concerns. Frequently, companies obtain software licenses for a given number of systems, then start hiring. If you don’t regularly increase the number of seats, you could be subject to penalties. Organizations that significantly under-report the number of systems where software is installed or the features in use risk hefty fines.
Then there’s shadow and rogue IT — unauthorized computers, software and possibly internet connections brought into the organization. Maybe an employee didn’t like the computer you issued and purchased one. A work team might have decided to use free, consumer-grade software, or bought and expensed a printer or mobile hotspot. I frequently see a complete lack of tracking of equipment that came in through mergers and acquisitions.
There are countless reasons to know exactly what hardware and software your company owns, where systems reside and who has access. In fact, the Center for Internet Security publishes a list of the 18 most critical security controls. At No. 1 is “Inventory and Control of Enterprise Assets.” No. 2 is “Inventory and Control of Software Assets.”
An upside of the Log4j situation for companies without these insights is that your IT department might now have at least a partial inventory. Build on that.
The first step is to make sure the list is complete. There are asset discovery and inventory software and services, including free options, that can help catalog your hardware, including mobile and Internet of Things devices like sensors; operating systems in use; and applications, including cloud-based software, along with versions and license information. Some tools will even track SaaS and services contracts and consumables, such as mice and keyboards.
Assembling this info can be painful and time-consuming. If you need help, talk to your managed service provider or a consultant that specializes in asset discovery and inventory. Store all the information you collect in a central repository that’s easily accessible in a crisis like the Log4j event.
Once you have an inventory, figure out how to keep it current. Servers come and go. New software is loaded. SaaS providers roll out updates. Employees leave and turn in their smartphones. You need to track these changes.
Then, finance can start mining that repository for information that can save money, improve budgeting and avoid license violations and associated fines. Look for systems that can list useful info like an asset’s initial cost, invoice number and general ledger account and calculate depreciation based on the expected useful life and possible residual or salvage value. On the software side, before purchasing a new license for a hire, you can easily check to see whether a seat is already available.
I don’t like using the term “wake-up call” in regard to cybersecurity. Companies tend to hit the snooze button. But Log4j was a painful prompt to begin, or improve, the tracking of your IT assets. Finance leaders who get behind this effort have a lot to gain.