IAITAM, the International Association of IT Asset Managers, is ramping up its messaging over data breach risks. It is warning that organisations, both private and public, are failing to deal with the data breach risks created by working from home (WFH). This is the second warning in two months that IAITAM has issued. It previously warned that the use of employee-owned tech made companies “sitting ducks”. Now it is ratcheting up the language because it believes organisations are taking no notice.
According to IAITAM President and CEO Dr Barbara Rembiesa: “We anticipated that things would get bad. Companies and agencies may be hoping and praying they are safe, but the work-from-home environment has created a multitude of opportunities for leaks.
“Too many organizations have left themselves wide open for attack. Understanding the pathways for access within a company’s data network is a valuable lens for businesses and agencies to avert leaking their own assets.”
What is IAITAM concerned about?
IAITAM has called out four categories of problems:
- Assets left unsecured: The biggest concern here is lowering the security on devices to allow employees to WFH. This includes granting employees administrative privileges on company-owned devices so they can install software themselves. Anything that runs with those privileges, whether the user or malware the user has been tricked into launching, can then pause or uninstall security software and install further malware. There is also concern that employees are accessing corporate networks without using a trusted VPN.
- “New” assets created: Organisations are scrambling to deliver technology to staff so that they can WFH. This means devices are skipping steps in the hardening and verification process that IT would normally carry out. In many cases, organisations are having devices shipped straight to employees’ homes, so IT never records the asset’s details or applies its standard protections.
- Assets now unsecured in home environments: There is no guarantee that an employee who is WFH has access to a VPN. A number of organisations have discovered that they lack the licences required to support all their remote users. Some security vendors extended their temporary licensing programmes, but that is not a complete solution.
- Employees unwittingly inviting in the intrusion: Where users work on personal devices, IT has no control over endpoint protection or patching. That leaves employees exposed to malware in email attachments and other forms of attack. The attack can also arrive via shared devices in a home, where employees allow other family members to use the same machine.
IAITAM believes that the use of proper IT Asset Management (ITAM) software would alleviate some of these problems. However, that requires putting processes in place and getting employee buy-in to protect personal devices.
Self-Service portals could be part of the solution
All of these are major challenges for any IT Asset Manager to deal with. While IAITAM believes ITAM software is the solution, for many organisations it is more complicated than that. There are other things that organisations should and could be doing.
- Create a callback mechanism so that employees can ask IT to verify the security of their devices. IT can then add any missing security software, including a VPN client, and make sure all patches are applied.
- A self-service onboarding portal would allow an employee to unbox a new device, connect it to the Internet and go to a company-managed site. That site would then guide them through the setup and securing of the device. It would also gather all the asset data required by the ITAM software, so the device is recorded even though IT never physically handled it.
- Increase the monitoring of which assets are being accessed by WFH employees. Permissions should be under constant review. As soon as an employee is furloughed, their accounts should be suspended. That means IT and HR have to work together, because only HR knows who has been furloughed and only IT can act on it.
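The three suggestions above amount to one reconciliation job: join what HR knows (who is furloughed or has left) with what IT knows (which accounts are enabled, which devices are registered, which have a VPN client and current patches) and produce a worklist. The script below is an added illustration of that join, not code from IAITAM or Enterprise Times. The HR feed, directory export and asset register are small constructed samples embedded inline; the field names, the 30-day patch threshold and the treatment of "furloughed" and "left" as suspend triggers are assumptions for the example.

```python
"""Reconcile an HR status feed with the directory and asset register.

Added example. All data below is constructed; it is not a real HR feed,
directory export or asset register.
"""
from datetime import date

# HR feed: employee_id -> employment status (constructed sample).
HR_FEED = {
    "e100": "active",
    "e101": "furloughed",
    "e102": "active",
    "e103": "left",
}

# Directory export: one dict per account (constructed sample).
# employee_id is None for accounts with no recorded owner.
DIRECTORY = [
    {"account": "alice",      "employee_id": "e100", "enabled": True},
    {"account": "bob",        "employee_id": "e101", "enabled": True},   # furloughed, still enabled
    {"account": "carol",      "employee_id": "e102", "enabled": True},
    {"account": "dave",       "employee_id": "e103", "enabled": False},  # left, already disabled
    {"account": "svc-backup", "employee_id": None,   "enabled": True},   # no owner in HR
    {"account": "erin",       "employee_id": "e999", "enabled": True},   # unknown to HR
]

# Asset register: one dict per device (constructed sample).
# "registered" is False for a device shipped straight to a home and never recorded.
ASSETS = [
    {"hostname": "LT-0001", "employee_id": "e100", "registered": True,
     "vpn_installed": True,  "last_patch": date(2020, 5, 20)},
    {"hostname": "LT-0002", "employee_id": "e102", "registered": False,
     "vpn_installed": False, "last_patch": None},
    {"hostname": "LT-0003", "employee_id": "e101", "registered": True,
     "vpn_installed": True,  "last_patch": date(2020, 3, 1)},
]

TODAY = date(2020, 6, 1)  # fixed so the example is reproducible

# Statuses that should lead to an immediate account suspension (assumption).
INACTIVE_STATUSES = {"furloughed", "left"}


def accounts_to_suspend(hr, directory):
    """Enabled accounts whose owner HR says is furloughed or has left."""
    return sorted(
        a["account"] for a in directory
        if a["enabled"] and hr.get(a["employee_id"]) in INACTIVE_STATUSES
    )


def orphan_accounts(hr, directory):
    """Enabled accounts with no owner known to HR; these need a human review."""
    return sorted(
        a["account"] for a in directory
        if a["enabled"] and a["employee_id"] not in hr
    )


def device_findings(assets, today, max_patch_age_days=30):
    """Map hostname -> list of reasons the device needs a callback from IT."""
    findings = {}
    for d in assets:
        issues = []
        if not d["registered"]:
            issues.append("not in asset register")
        if not d["vpn_installed"]:
            issues.append("no VPN client")
        last_patch = d["last_patch"]
        if last_patch is None:
            issues.append("never patched")
        else:
            age = (today - last_patch).days
            if age > max_patch_age_days:
                issues.append(f"patches {age} days old")
        if issues:
            findings[d["hostname"]] = issues
    return findings


def main():
    print("Suspend now:      ", accounts_to_suspend(HR_FEED, DIRECTORY))
    print("Review ownership: ", orphan_accounts(HR_FEED, DIRECTORY))
    for host, issues in device_findings(ASSETS, TODAY).items():
        print(f"Callback {host}: {', '.join(issues)}")


if __name__ == "__main__":
    main()
```

Run against the sample data it lists one account to suspend (bob, furloughed but still enabled), two enabled accounts with no HR owner to review, the device that was shipped direct and never registered, and the device whose patches are three months old. In practice the three inputs would come from the HR system, the directory and the ITAM tool on a schedule, and the "suspend" list would feed the directory's disable action rather than a print statement.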
All of these will increase the security of organisations’ IT systems. However, security teams still need better support to track and secure data even where it is being accessed legitimately. That is what will ultimately reduce the risk of a breach.
Enterprise Times: What does this mean?
IT Asset Management is an often neglected part of IT. As organisations move towards increasing use of BYOD and cloud assets, there is a tendency to assume there are fewer assets to manage. That is a mistake and this is part of what IAITAM is trying to make organisations aware of.
The current pandemic and WFH have brought this loss of visibility of IT assets into sharp focus. The challenge now is how do organisations begin to address this? Having sent out previous warnings, IAITAM is concerned that it is seeing little effort to address the issues it has raised. It is why it has chosen to ratchet up the language around the risk of data breaches.
The question organisations need to consider is not can they survive the impact of COVID-19 but the double whammy of COVID-19 and a regulatory fine for a major data breach.