Date: 2021-06-16

Last week, we examined why many of the world's most popular cybersecurity frameworks have controls related to the inventory of your assets, focusing on the company's hardware. This week we focus on the software assets and why you need a complete list of your software.

Taking stock – identifying all the software in your environment

As more organisations make investments around digital innovation to improve their productivity, new applications are being implemented faster. The challenge is that many go into production with less-than-ideal security in place. The guidelines related to the inventory controls call for a detailed software inventory for two main reasons: 1) so that only authorised software is installed and allowed to be executed; 2) so that unauthorised software can be found and prevented from being executed and, more importantly, prevented from being installed in the first place.

The primary driver for this control is that attackers scan target organisations looking for vulnerable software to exploit. The central defence against this type of attack is certainty that your software applications are kept updated with the latest patches from the software developer. Without the required inventory, you will not know what patches and updates need to be applied. For example, there have been instances where a user running an unsupported browser with known vulnerabilities goes to a fake e-commerce website hosting malware that exploits the browser's vulnerabilities and installs backdoor programmes. If the device is connected to the company network, this type of malware can spread into the entire network.

Company-issued hardware vs BYOD

Does your company provide desktops, laptops and mobile phones for your team, or do you allow the use of personal devices? With company-issued devices, there is more control over the software used in your company. More importantly, you can also control what can be installed on the users' devices because they are the property of the business and fall under existing IT policies that we hope your company/organisation has in force. Do you allow users to bring their own device (BYOD)? This opens significant risks for attacks. Unless you implement systems to manage and monitor the software used on those devices, the users and their family members are free to install what they want. In this pandemic, the work-from-home protocols have additional implications. Working outside of the office increases risks exponentially because of the difficulty of filtering incoming traffic and searching for malware at a user's home office. Other BYOD risks include potential data loss to unapproved software; the user could also exit the company, leaving with critical data.

Can you confidently answer these questions?

Are users transferring company data to an unmanaged application?

Are users accessing company data on their personal device?

How do you know when a new application for the company is onboarded?

With a complete inventory of software allowed to run in the organisation, you now can use speciality tools to block the execution of unauthorised software. You also can remove all unauthorised applications from your users' devices, amongst other protective measures.
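As an added illustration (not part of the original column), the short Python sketch below reconciles a scan of installed software against an approved inventory, flagging software that is unauthorised and approved software that is behind the required patch level. The host names, the scan export format, the "FreeVideoConverter" entry and all version numbers are constructed sample values, not real patch levels.

```python
import csv
import io
import re

# Constructed approved inventory: software name -> minimum patched version.
APPROVED = {"firefox": "89.0", "libreoffice": "7.1.4", "7-zip": "19.00"}

# Constructed export from a hypothetical endpoint inventory scan.
SCAN_CSV = """host,owner,software,version
fin-lt-01,company,Firefox,89.0
fin-lt-01,company,7-Zip,16.04
hr-dt-02,company,LibreOffice,7.1.4
hr-dt-02,company,FreeVideoConverter,2.3
byod-ph-07,personal,Firefox,78.0.1
"""

def version_key(version):
    """Turn '7.1.4' into (7, 1, 4) so versions compare numerically, not as text."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_older(installed, minimum):
    """True if installed < minimum; pads so '89.0' equals '89.0.0'."""
    a, b = version_key(installed), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def reconcile(scan_csv, approved):
    """Return (host, owner, software, version, status) for every exception."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        minimum = approved.get(row["software"].strip().lower())
        if minimum is None:
            status = "unauthorised"   # not in the inventory: remove or block
        elif is_older(row["version"], minimum):
            status = "outdated"       # approved, but missing patches
        else:
            continue                  # approved and patched
        findings.append((row["host"], row["owner"], row["software"],
                         row["version"], status))
    return findings

if __name__ == "__main__":
    for host, owner, software, version, status in reconcile(SCAN_CSV, APPROVED):
        print(f"{host} ({owner}): {software} {version} -> {status}")
```

The owner column keeps company-issued and personal devices distinguishable in the report, since the two fall under different levels of control.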

Next week we look at why you should consider enabling the most secure configuration of the software and devices you have or “lock shop”.

Christopher Reckord is CEO of Managed IT services provider tTech Limited. Trevor Forrest is founder and CEO of 876 Technology Solutions. Collectively, they have approximately 80 years of experience helping organisations of varying sizes procure and implement information technology solutions and transform digitally.