Businesses need to manage large numbers of network-connected devices, but how much control do we really have over our technology assets? Nlyte’s Mark Gaydos provides highlights from a recent Nlyte survey on how managers control assets now and what’s changing.
As organizations digitalize and their compute infrastructures grow, IT resources don’t necessarily flow to the places that need them most. The manpower needed to ensure IT compliance is one of those resources that often gets neglected. As a result, companies often find themselves guilty of data failures due to weak compliance measures. While being found “noncompliant” isn’t a crime, it does damage public confidence in a company; Equifax is still recovering.
GDPR, HIPAA, PCI, SOX and other mandates are put in place by various agencies as checks and balances that provide best-practice guidance. When it comes to IT compliance, there are two basic areas: internal compliance, for assuring adherence to an organization’s specific rules and regulations, and external compliance, for adhering to government-established laws. Then there are the “in between” mandates, neither purely internal nor purely external, imposed by industry organizations, such as the Payment Card Industry Data Security Standard (PCI DSS), which provides added security for financial transactions, or the voluntary use of the Basel III framework.
Pulling IT staff away from daily tasks to address compliance issues has its own drawbacks. There is an internal cost associated with shifting IT functions from helpdesk responses and revenue-generating infrastructure upgrades to concentrate on documenting IT processes and procedures. The fact is, many other tasks often take precedence over the daily network scans that ensure the network will make an auditor happy. The belief that compliance issues are a constant focus varies greatly from the C-Suite folks in corner offices to the cable-pulling IT staff keeping the data flowing.
Compliance Assumption Gap
Pulling information together from isolated data sources to provide the required material for audit and compliance reports can be a major obstacle for organizations. Often these data sources include everything from spreadsheets to Post-it notes, along with third-party applications spread across myriad workgroups.
Who is watching what, and how often? The answer to this seemingly simple question can vary greatly depending upon whom you ask within a company. A new survey, titled “Technology Asset Management Global Survey: Today’s Challenges of Device Proliferation,” sheds some light on the answer.
The global survey polled 1,516 technology asset decision-makers within organizations employing 1,000 people or more. Of the respondents, 96 percent say that hardware and software technology asset control is a top-5 priority for the business, which is no surprise. What is a surprise is that almost one-third (31 percent) of those enterprises are still tracking their asset management control manually. When the IT department has limited time to conduct compliance-related tasks, this manual process is daunting and can lead to pushing compliance endeavors further down the calendar page. Thirty-five percent of C-Suite members confirmed that data is captured manually as part of an IT asset management process, but also that it’s known to be quickly out-of-date and prone to human error.
IT assets need to be monitored frequently, but assumptions about how often this occurs vary widely. The Technology Asset Management Global Survey (Survey) found that C-Suite respondents believe assets are being scanned hourly (27 percent) or daily (35 percent), yet those at the manager level are less confident (8 percent and 28 percent, respectively).
Daily network scans are important because new devices are connected quite often and undetected IT assets are compliance and security risks. When it comes to undetected devices, the Survey found:
- 28 percent of C-Suite leaders and 29 percent of managers believe that 10 percent of their assets are undetected and unprotected.
- 35 percent of C-Suite leaders and 14 percent of managers believe that 20 percent of their assets are undetected and unprotected.
- Only 24 percent of asset managers believe that 80 to 100 percent of their devices have the latest security software and firmware patches.
- 33 percent of IT devices are infrequently connected to the network, according to asset managers.
Simply put, missed network scanning equates to a greater vulnerability, which inevitably leads to compliance issues. This is confirmed by 15 percent of organizations reporting that somewhere between 80 and 100 percent of devices are not proactively managed — an open invitation for risk.
Although most IT devices are up to date (on average, 67 percent have the latest security software and firmware patches), fewer than half (49 percent) have a solution that scans and validates all devices in order to provide an audit trail for security patch management. In addition, the Survey found that almost half (48 percent) of devices are not proactively managed at all. While the 67 percent figure for devices with the latest software and firmware is better than average, it also means that one-third of IT assets controlling such data as personal finance, health care and Social Security numbers are at risk, outdated or unpatched.
Conclusion
IT asset scans and recordkeeping cannot be managed manually if organizations wish to be in compliance with imposed mandates and regulations. Even if barcode technology is used, once a section is finished and the auditing employee moves on, somebody could come in right behind and install or remove a device. IT compliance requires a systematic, automated process that continuously identifies, monitors and audits the full network to achieve and maintain adherence.
With data moving to the cloud, into virtual realms and pushed to the edges of the network, the IT infrastructure is far too vast to know what is, and is not, in compliance by glancing at a spreadsheet. Using a technology asset management (TAM) tool to help simplify the adherence process is a good idea. As the “Survey says,” over 1,500 large organizations believe they are most likely to gain business efficiency (41 percent), overall cost savings (40 percent) and data/corporate security (39 percent) benefits by using a TAM solution.