Understand your cloud environment: which systems you have, what function they serve, what their compliance status is, and what software you don’t own (or don’t want in your network). Know what data and systems you manage, and what business need they support.
If not managed properly, systems can grow organically over time, making it hard to maintain an understanding of all the assets within your environment.
An unpatched system, one which is below a recommended version, or even a vulnerability caused by Shadow IT can lead to anything from a minor issue to a major incident or breach.
Maintaining control of your assets
Understanding your assets is fundamental to managing your risk exposure. Knowing when a system is scheduled to go out of support gives you time to plan upgrades, or migration to another product. Accepting that you are running a “Legacy System” is essentially saying that you are knowingly running a system which is a risk to your business – plan ahead to avoid increasing your cyber risk exposure.
Identify what you have and what it does
This refers to both systems & services, and information. Understanding your systems and data, and the effect of either becoming compromised, allows you to plan resilience and redundancy for critical services and information, all of which should be engineered with your business objectives in mind.
Identify and assess vulnerabilities that represent potential risk to your business
Identify and remove unlicensed or unauthorised software from your domain; both put you at risk of a cyber breach or simply a licensing infringement. Ensure all legitimate systems are patched to the latest version or at least the last supported version. Understand the status of your data: what it is, why you have it, how it is protected and what life cycles are dictated by legislation (GDPR) or industry regulations.
Having a full and current understanding of your assets allows you to adopt the correct security and access controls, ensuring you are meeting your compliance obligations.
Integrating Asset Management into your Business
This is not just a Cyber or IT thing; technology asset management should fall within the wider brief of Risk management within your organisation, which should be represented at board level. Cyber security use cases for asset management often readily relate to other risk elements like software licensing, IT configuration management, finance, and logistics. A coordinated approach, which ensures that activities related to some of these other risk categories are also applied to IT and Cyber security, minimises duplication of effort and ties all of this together. Look for management applications which will automate the identification of unauthorised software, or flag applications which need to be patched or updated. Similarly, use automated solutions to examine potential misconfigurations or vulnerabilities in M365 email rules.
Know your data
Know your data: what it is, where it is stored, how it is protected, and who owns it. Don’t overlook copies of that data which are held in backups or longer-term archives. Use a data classification scheme to help identify sensitive information and ensure the correct processes and protection are applied.
Decommission any systems that are no longer used or have no link to the business. Ensure the decommissioning process also deals with any service accounts or credentials that can become vulnerabilities if overlooked. Who hasn’t reviewed their Active Directory only to find orphaned and forgotten objects?
Know your People
Help your staff to understand and manage their digital footprints, in so far as they relate to or impact your organisation, particularly senior staff with privileged access who are likely to be targeted by Phishing attacks. Publicly available information about your business and staff can be used to make Phishing messages very convincing.
Know your Supply Chain
What assets do third parties hold for you: physical or virtual environments, or SaaS applications which are critical to your business? Do you understand their place in your critical incident management and processes?
Joining the Dots
Ensure you understand how systems and data link back to your organisational purpose and strategy. Understand the immediate and long-term consequences if they are compromised or lost. Ensure systems managers are aligned with the owner of the corresponding business objectives and the overall business plan.
Moore Technology can assist your asset and risk management using modules within our managed cloud infrastructure, which:
- identify Shadow IT and unauthorised systems,
- automate updates & patching for applications,
- identify vulnerabilities within M365 configurations, and
- back up the full M365 suite, Outlook, Teams, and SharePoint.