Why poor IT asset lifecycle management is rapidly becoming a serious cyber vulnerability

Earlier this year, banking giant Morgan Stanley agreed to pay plaintiffs $60 million to settle a class-action lawsuit resulting from a pair of data breaches discovered in 2019.

While companies like Morgan Stanley find themselves under constant cyber attacks, these breaches were not from a hacker breaking into a database or an employee accidentally exposing customer information. It was simpler: Morgan Stanley threw away decommissioned servers that were not completely wiped clean, leaving customers’ personally identifiable information vulnerable.

This case is a stark example of the challenges businesses face with information technology asset management. In most cases, companies do not know much -- if anything -- about their internal and internet-enabled assets. This leaves them exposed and vulnerable to potential threats. Worse yet, this problem is growing.

Let’s look at the current state of IT Asset Management (ITAM), the challenges organizations face, and best practices they can follow to minimize risk.

What is driving this trend?

IT assets include physical and virtual technology tools from laptops and mobile phones to email and workplace productivity software. ITAM tracks these assets across their lifecycle to ensure peak performance, proper maintenance, and proper disposal.

When done correctly, ITAM can optimize efficiency, allow for better long-term planning, and reduce security risks. However, the sheer number of IT assets in every organization has continued to overgrow. Many companies leverage a mix of proprietary and employee-owned devices and assets spread across multiple data centers and locations.

The Covid-19 pandemic, and the push for more remote workers, have further distributed assets and escalated the security risks organizations face.

Moving past traditional ITAM processes

Outdated asset management processes, such as manually tracking assets on an Excel spreadsheet, are not feasible in the modern work environment. Devices may contain sensitive data as was the case with Morgan Stanley. Without real-time visibility into all details surrounding IT assets from "cradle to grave," organizations risk significant security vulnerabilities.

Some of the challenges companies face when securing IT assets include:

• Knowing where assets are at all times
• Knowing who is using them
• Ensuring data-bearing equipment has been properly managed prior to entering an e-waste program
• Maintaining OS and security updates
• Upgrading assets that have reached end of life (EOL) / end of support

Best Practices for Securing your IT Assets, and Your Enterprise

As data breaches continue to be an ongoing problem for nearly every company, organizations must remain vigilant in their data security practices.

Maintain real-time visibility into asset details: With thousands of assets in play, the days of trying to keep tabs on them with manual processes and siloed systems does not work. Companies will want to look to newer technology like a digital platform conductor (DPC) to extract information about the assets, who is using them, where they are located, and if they are in compliance with updates and security patches. 

Properly manage outdated assets: Technology changes fast, and even the best systems will eventually become obsolete. We’ll see that again soon when Windows Server 2012 reaches its end of life in October 2023. Many organizations use these servers in their environment, and they’ll be forced to upgrade or risk security vulnerabilities. Server migrations can take months to complete -- 18 months or more in some cases. A DPC shortens migration timelines and reduces the risk of business disruption during the process.

As you look at your IT assets, reduce the risk of data breaches by maintaining security updates and migrating systems that have reached end of support.

Create a Secure Process for IT Asset Disposition: Before assets enter e-waste programs, classify them as data bearing or non-data bearing. Then, use these classifications to group them by the disposal process you will use (e.g., shred onsite, wipe data and have vendor pick up, or vendor pick up and shred). Implement a clear process and checklist for both internal employees and ITAD vendors. Document each step as completed for audit trails, including details of employee, contractors and subcontractors involved, as well as certificates of destruction.

The Path Forward

ITAM is an ongoing problem for organizations, but can be tackled with the right processes in place. Businesses must move past the outdated ways of managing IT assets and realize that the situation has become more prominent than they can handle on their own. The Morgan Stanley breach and settlement show the financial pain these incidents can cause. Prepare now to manage these systems before it becomes untenable.

Image credit: madsci/depositphotos.com

Paul Deur is co-founder of ReadyWorks, a digital platform conductor (DPC), which collects and aggregates data from IT and business systems and spreadsheets, then cleans and analyzes information about the entire IT estate, including endpoints, users, applications, servers, and all their interdependencies. The company identifies risk/what needs to be upgraded, defines the rules for change, uses artificial intelligence (AI) and intelligent automation to automate and orchestrate all human and system workflows, and reports on results. ReadyWorks provides up-to-date audit trails that can be used to demonstrate security compliance.