The importance of asset management
Asset management is critical to cybersecurity, risk management and cyber insurance.
Organisations globally have spent over $2 trillion on digital transformation. From cloud migration to Internet-of-Things and third-party connectivity, businesses are racing to expand their digital footprints and achieve better operational efficiency.
However, this digital-first approach rapidly expands an organisation’s IT estate – so much so that businesses often lose track of how many IT assets are operating within their networks. These invisible, unaccounted, and unmonitored assets are often the back door for critical cyberattacks.
In cybersecurity, you can’t secure something you can’t see or don’t know exists. Effective asset management must therefore be treated as the foundation of any cybersecurity effort, in businesses of all types and sizes.
What is asset management in cybersecurity?
Asset management goes beyond the financial ledger: it is crucial to ensuring the security and continuity of an organisation’s IT and network operations.
An asset refers to any resource or item of value that is being protected or managed. Assets can be tangible (e.g., physical facilities, equipment, or infrastructure) or intangible (e.g., data, information, intellectual property, or brand reputation).
Think about what you are trying to protect. What does your business hold that could be adversely impacted by criminals or by its own staff? Typically this is personally identifiable information (PII), confidential and proprietary data, and any information that is secret, valuable, expensive to produce, or of use to competitors or criminal organisations.
Common examples are:
- IT systems, software, SaaS services and data
- Physical facilities and infrastructure
- Intellectual property (e.g., patents, trademarks, copyrights, formulas, or innovative technologies)
- Finances and financial information
- Reputation and brand image
- Details of personnel, employees, contractors, customers, suppliers or other individuals
- Unpublished financial information
- Customer lists (existing and prospective)
- Data entrusted to the company by external parties
- Pricing, marketing and other undisclosed strategies
- Documents and processes explicitly marked as confidential, secret or private
- Unpublished goals, forecasts and initiatives marked as confidential
- Personal information such as full name, Social Security Number or myGov details, date of birth, home address and telephone number, email address, driver’s licence number, passport number, financial information (e.g., bank account numbers, credit card numbers) and biometric data (e.g., fingerprints, facial recognition templates)
- Health information (e.g., medical records, health insurance numbers, Medicare numbers)
It is important to note that not every item above is needed to identify an individual; what counts as PII depends on the context. In general, any combination of data that can be used to identify a person can be considered PII.
Effective asset management involves continuous, real-time identification and monitoring of all IT assets within both internal and external networks. This proactive approach is necessary because any device, resource, or service within an IT environment can be vulnerable to risks, making them potential targets for threat actors.
Failure to monitor and manage IT assets can lead to critical breaches that could jeopardise an organisation’s network and resources. Cybercriminals can exploit vulnerabilities in unmonitored assets and use them as a gateway to launch a more comprehensive attack on an organisation’s IT infrastructure.
Asset management must therefore be prioritised as a critical component of a robust cybersecurity strategy. By continuously monitoring and managing IT assets, organisations can minimise their exposure to cybersecurity threats and reduce the risk of costly data breaches.
Here are some of the critical pieces of information that should be captured in an asset register:
- Asset identification: A unique identifier should be assigned to each asset in the register to ensure it can be easily tracked.
- Asset description: A detailed description of each asset, including its make, model, serial number, and any other relevant information to help identify it.
- Asset location: The physical location of each asset, including the building, floor, and room number, if applicable; for cloud or virtual assets, record the hosting account, region or environment instead.
- Acquisition date: The date the asset was acquired, either through purchase or transfer.
- Asset value: The value of each asset, including its purchase price, replacement cost, or current market value.
- Asset classification: Information classification categorises information based on its sensitivity, confidentiality, and criticality. This could be Confidential, Secret, Internal or Publicly available.
- Maximum allowable recovery time: The maximum amount of time the organisation can tolerate the asset being unavailable after a disruptive event or disaster before the business is unacceptably affected (sometimes called the maximum tolerable downtime).
- Impact on confidentiality: Loss of confidentiality occurs when unauthorised persons gain access to sensitive information, such as personal or financial data. The impact can include identity theft, financial fraud, or damage to an individual’s reputation.
- Impact on integrity: Loss of integrity occurs when unauthorised persons modify or tamper with information, such as changing the contents of a document or altering financial records. The impact can include financial losses, legal liability, or damage to the organisation’s reputation.
- Impact on availability: Loss of availability occurs when systems or data become inaccessible or unusable, such as through denial-of-service attacks or system failures. The impact can include lost productivity, missed deadlines, or financial losses.
- Controls in place: The controls that manage the security of the asset.
- Access controls: Who can access the asset, and how is this controlled and monitored?
- Asset condition: The condition of each asset should be recorded, including its age, maintenance history, and any damage or wear and tear.
- Asset status: The status of each asset should be recorded, such as whether it is in use, in storage, or awaiting disposal.
- Asset owner: The department or individual responsible for each asset should be recorded to ensure accountability and responsibility.
- Asset maintenance schedule: The maintenance schedule of each asset should be recorded, which can include routine maintenance tasks and inspections.
- Asset disposal: The method and date of disposal for each asset should be recorded to ensure proper accounting and compliance with relevant regulations.
The value of an information security policy
Organisations without a strong asset management strategy don’t have comprehensive visibility into their IT environment. They not only lose visibility of current existing assets but might also miss tracking any new components that are connecting to the organisational network.
For instance, when pursuing virtualisation and cloud migration, a lot of new IT components might be added to the organisation’s network, whether it’s new PCs, servers, IoT and OT devices, software-defined resources, cloud databases, or even new domains. Moreover, businesses might often remove existing software or servers from their network environment. Without a comprehensive asset management plan, how will the existing security resources know it no longer needs to protect or monitor that asset?
With an effective asset management plan, businesses can map their existing security controls to these new assets. Without one, as components are created, brought in, or removed from the network, the security policy cannot keep pace with ongoing IT and network operations and effectively becomes outdated and redundant.
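The continuous identification described earlier (any device on the network that the register does not know about is a potential entry point) and the churn described in this section (new components appearing, retired ones lingering) both reduce to one operational check: reconciling what discovery sees against what the register says. The following is an added example, not code from the original page; it uses a constructed register whose columns follow the fields listed above and a constructed discovery export whose layout (ip, mac, hostname, last_seen) is an assumption standing in for whatever a scanner, DHCP server or cloud API actually emits.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample register. Columns follow the fields listed on this page
# (identifier, owner, classification, status); every row is made up.
REGISTER_CSV = """asset_id,hostname,ip,owner,classification,status
A-0001,fs01.corp.example,10.0.1.10,IT Ops,Confidential,in use
A-0002,hr-db01.corp.example,10.0.1.20,HR,Secret,in use
A-0003,old-web01.corp.example,10.0.2.30,Marketing,Internal,awaiting disposal
A-0004,print01.corp.example,10.0.3.5,Facilities,Internal,in use
A-0005,lab-switch.corp.example,10.0.9.1,,Internal,in use
"""

# Constructed discovery export. The column layout is an assumption standing in
# for a real scanner, DHCP lease table or cloud inventory API.
DISCOVERED_CSV = """ip,mac,hostname,last_seen
10.0.1.10,00:11:22:33:44:01,fs01.corp.example,2024-05-01T09:00:00
10.0.1.20,00:11:22:33:44:02,hr-db01.corp.example,2024-05-01T09:05:00
10.0.2.30,00:11:22:33:44:03,old-web01.corp.example,2024-05-01T08:50:00
10.0.7.77,00:11:22:33:44:99,,2024-05-01T09:10:00
10.0.3.5,00:11:22:33:44:04,print01.corp.example,2024-03-01T10:00:00
"""

# Classification scheme named on this page.
ALLOWED_CLASSIFICATIONS = {"Confidential", "Secret", "Internal", "Public"}


def load(csv_text):
    """Parse a CSV string into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate_register(register):
    """Return data-quality problems in the register itself: duplicate
    identifiers, assets with no accountable owner, and classifications
    outside the agreed scheme."""
    problems, seen_ids = [], set()
    for row in register:
        asset_id = row["asset_id"]
        if asset_id in seen_ids:
            problems.append(f"duplicate asset_id {asset_id}")
        seen_ids.add(asset_id)
        if not row["owner"].strip():
            problems.append(f"{asset_id} has no owner")
        if row["classification"] not in ALLOWED_CLASSIFICATIONS:
            problems.append(f"{asset_id} has unknown classification {row['classification']!r}")
    return problems


def reconcile(register, discovered, now_iso, stale_days=30):
    """Compare the register with discovery output, keyed on IP address.

    unregistered:     seen on the network but absent from the register
    stale:            registered as 'in use' but not seen within stale_days
    retired_but_live: registered as 'awaiting disposal' yet still responding
    """
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=stale_days)
    last_seen = {d["ip"]: datetime.fromisoformat(d["last_seen"]) for d in discovered}
    registered_ips = {r["ip"] for r in register}
    report = {"unregistered": [], "stale": [], "retired_but_live": []}

    for ip in last_seen:
        if ip not in registered_ips:
            report["unregistered"].append(ip)

    for row in register:
        seen_at = last_seen.get(row["ip"])
        if row["status"] == "in use" and (seen_at is None or seen_at < cutoff):
            report["stale"].append(row["asset_id"])
        elif row["status"] == "awaiting disposal" and seen_at is not None:
            report["retired_but_live"].append(row["asset_id"])
    return report


def run_report(now_iso="2024-05-01T12:00:00"):
    """Validate the register, reconcile it against discovery, return both."""
    register, discovered = load(REGISTER_CSV), load(DISCOVERED_CSV)
    return validate_register(register), reconcile(register, discovered, now_iso)


if __name__ == "__main__":
    problems, report = run_report()
    for p in problems:
        print("register problem:", p)
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

Each finding maps to a different failure the text warns about: an unregistered address is a shadow asset nobody is monitoring, a stale entry is a control that may be protecting something that no longer exists (or a device that has moved), and a retired-but-live asset is the classic unpatched box still reachable on the network. Keying on IP is the simplest join; in practice a MAC address, hostname, agent ID or cloud resource identifier is a more stable key, and the stale window should match how often discovery actually runs.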
Effective asset management enhances the security team’s ability to operate more efficiently. They clearly know which components to monitor, how to optimise security policies for different assets, and how to configure existing solutions for better security. This allows businesses to achieve more proactive results from their existing security investments, whether it’s on solutions or security professionals, thus driving their ROI.
In addition, asset management helps businesses meet essential compliance requirements such as ISO/IEC 27001, PCI DSS, APRA CPS 234, and the NIST frameworks, all of which expect an organisation to know what it operates and who is responsible for it. Moreover, having a detailed map of the entire IT estate, with security controls and policies aligned to each asset, demonstrates a business’s security readiness and proactive capability when qualifying for cost-efficient cyber insurance.