How to Identify and Protect All Corporate Assets (Not Just Computers and Mobile Devices)

How to Identify and Protect All Corporate Assets (Not Just Computers and Mobile Devices)

Knowing is half the battle. That’s one piece of wisdom we learned from GI Joe. In the world of IT security, it applies throughout your program. The IT security program you developed a few years ago is probably out of date. What about Internet of Things security? Your current approach may be missing coverage for those systems.

Why the Traditional Security Focus on Computers and Mobile Device Is no Longer Enough

Five or 10 years ago, you could focus your effort on traditional IT assets such as computers and phones and cover most of your IT risk. That’s no longer the case. Here are some of the new threats that are impacting companies right now.

Smart Home Appliances

What do home devices have to do with your company’s IT risk? Think about the kitchen spaces in your office building. There may be smart appliances, TVs, and other equipment installed, which present heightened security risks.

Smart Speakers

According to TechCrunch, one-quarter of U.S. adults own a smart speaker. While most of those devices are used in the home, they may also be used in your company. Additionally, these devices may be connected to your network when employees work remotely.

Fitness Trackers and Wearable Devices

These small devices have become popular to track fitness and health. However, their network connectivity does pose some risks to your confidential data.

Smart Security Systems

Physical security systems that protect your business are usually connected to a network. As a result, your security systems are vulnerable. To illustrate this risk, note that CBS reported that a Nest camera was hacked in 2019. If a consumer product like that can be hacked, the corporate equivalent may be vulnerable as well.

Vendor-operated Systems

Vendor and outsourced service providers operating systems and other devices connected to your networks may increase security risk. Even HVAC systems pose an IT security risk. The Target security breach of 2013 involved vendors: “the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor… the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at several locations at Target and other top retailers.”

This isn’t an exhaustive list by any means. Companies that operate their data centers face additional security risks.

Securing Your Entire IT Landscape Step by Step

Use this guide to identify and manage your security risk exposures.

1. Review the Organization’s Security Goals and Risk Tolerance

There’s no such thing as perfect security. Instead, make informed choices about the risks you choose to accept. Before evaluating technology, review your security goals, and risk tolerance. Highly reputation-sensitive industries such as financial services, health care, and defense generally have a very low tolerance for security incidents. If you have a significant amount of customers in those industries, adjust your security risk tolerance accordingly.

2. Identify IT Assets

Your next step is to identify all the IT assets in your organization. Start with the easy-to-identify assets, meaning those listed in your asset management catalogs. This step will likely identify 80% or more of your traditional IT assets. Next, you’ll need to engage your IT team and other stakeholders to identify additional assets. Use these ideas to broaden your search:

  • New office locations: If your company has recently opened a new office or leased additional space in the same building, you may have added additional devices to your footprint.
  • BYOD (bring your own device) access logs: Many companies allow or encourage staff to bring personal devices to work. If they’re accessing your network, you may need to identify them.
  • Project teams: Check with your project management office (PMO) to find out about new technologies that may be introduced in the next few months.
  • Review your facilities: To identify relevant IT assets fully, we suggest physically walking through your offices and facilities. You might be surprised to find an old server hidden away or a stack of old laptops at the help desk.

3. Estimate the Probability of IT Security Incidents

For each IT asset that you find, estimate the probability of an IT security incident. For example, devices with a permanent hard-wired network connection may have a higher chance of being hacked. To facilitate additional analysis, assign a score for likelihood between 1 and 5 with 5 representing a high probability of an incident.

Tip: In assessing the probability and impact of incidents, give due consideration to your controls and monitoring.

4. Estimate the Impact of IT Security Incidents

Next, you need the consider the likely impact of a security incident. A hacked server would have a higher impact than a hack of most other IT assets. To facilitate additional analysis, assign a score for likelihood between 1 and 5 with 5 representing a significant impact such as system failure for one business day.

5. Analyze the Highest Risk IT Assets

Based on the above analysis, flag the IT assets with the highest impact and probability scores for additional changes. In addition, IT assets that aren’t protected by your existing identity and access management systems should also be reviewed.

6. Recommend IT Security Changes

You’ve found the problems. Now, you need to recommend improvements to address your risk. You can manage those access risks manually through periodic checks; or, you can use a software solution. As more and more IT assets are connected to your network, we recommend using a security software solution.

Conclusion: You Need an Access Management Software Solution to Keep Up
Staying current with all the systems and apps with access to your data is only going to become more difficult. In the past, you might have been able to manage with a spreadsheet and asking managers to review user access monthly. That’s no longer going to cut it. You need a solution such as Compliance Auditor instead.

Written by Nelson Cicchitto