Best Practices for IT Asset Management and the remote workforce – Part 1
The speed and breadth of the Coronavirus pandemic have caught pretty much everyone off guard. The result across both the private and public sectors is that employees are being sent home as fast as possible (and with good reason), but the issue is that nearly all these businesses lack the infrastructure to manage a remote workforce from an IT or process perspective. Haste makes waste, and there is a lot of haste out there.
Visibility into the IT estate is important under normal circumstances, and even more so when a company’s critical infrastructure suddenly (very suddenly) shifts to an unsecured and distributed model. Continuity is a core requirement for any process-oriented business, and the enabler of that business continuity is a stable, predictable and secure IT environment. That, unfortunately, is not happening, and the truly annoying thing is that hackers and other nefarious players are going to jump all over this. The opportunity for further disruption is simply too ripe to pass up, since a distributed workforce without proper security and management protocols in place will always have a higher risk profile.
In the healthcare industry alone, one recent study found over 63% of remote laptops were storing data locally (non-secured), rather than relying on secured VPNs. And this study was done before the current pandemic hit, so there’s a good chance that number is significantly higher now. This means we have a higher percentage of unsecured laptops in the healthcare industry during a pandemic. What could possibly go wrong? And this isn’t even the scary part. This is happening everywhere, all at once, across multiple industries.
This is probably a worst-case scenario. Under ideal circumstances your business has a continuity plan that is based on ITAM best practices, which means as your employees (or students, for example) head to the relative safety of their homes and try to continue with some semblance of normality, the IT assets they are taking with them are secured, and accounted for in your IT Asset Management system, regardless of what applications are in play. This is probably an outlier scenario, which with any luck can move to the center of the bell curve once companies start to understand the critical nature of controlling IT assets during volatile times.
Assuming that either a) you’re sending people home with the right infrastructure to keep working, or b) they’re getting ready to take their equipment home anyway, there are certain best practices that will make your life significantly easier in the long run. These are:
Track – this equipment is not inexpensive to begin with, and has probably not been depreciated. Your assets should not walk out the door unchecked. Add tracking codes to every device, and associate those codes with both the user and the cost center to which they are assigned.
Secure – now that your assets are out in the wild, it’s imperative that access to your core systems is done securely. Check, then double-check your firewalls, and force people to change their passwords (Inconvenient? Boohoo, change it anyway). Basically, take your security game up as far and as fast as you can, because it’s chaos out there, and it’s a great time to exploit vulnerabilities.
Focus – What’s more important, the PC or what’s on it? Nearly all hardware is effectively a commodity, but the data they contain includes intellectual property, trade secrets, customer information, personal data, essentially things you definitely do not want running around unsecured. This does not refer to the physical securing of the asset, but the legal securing of the data on the asset. Make sure your employees are aware of the intrinsic value of what’s on their device, and the risk associated with any compromise of that data.
Control – “Dad, can I borrow your laptop to download a new game?” With a company asset? Pretty sure the answer to that is a resounding no. There are a lot of things that up to this point have been taken for granted that no longer work in the new reality we all face. Of course, letting your spouse or child use work assets for non-work purposes was a bad idea, even before all this shelter-in-place stuff started. The other consideration is letting employees or students use equipment on public Wi-Fi networks. Those networks are getting worked a lot more heavily now, which means more implied risk, which is frankly pretty easy to avoid. If it’s important, do it at home or on a secured network.
Behavior – A good rule of thumb is to assume your boss can see everything you type, every site you visit, and anything you download. As this work-remote thing extends out to weeks and possibly months, behavior that was pretty tightly controlled before is likely to become more lax. This is where IT needs to start paying more attention, since breaches and threats are more likely to come from a less secured environment. Make sure your employees have good data hygiene habits (the data equivalent of washing your hands for 20 seconds), with the key word being habit.
Personal devices – Some people keep separate mobile devices for work and personal use, but most get tired of it pretty quickly and tend to default to their personal one. The fact that it’s particularly easy to set up a work email on a personal phone increases the risk profile, because who knows what else your employees do on their own time. Even if people are mindful of what they’re using, we’re entering a phase where everyone’s behavior is being forced in new directions, so it pays to be extra vigilant. Plus, as mentioned earlier, there is a significant difference between the hardware and the data that resides on it. It may be a personal phone, but if it’s used to download work email, that’s company data.
All of this is complicated and requires a new way of thinking both at the enterprise and employee level. The bad news is this is going to go on for an indeterminate time, and there are likely to be more twists and turns which will catch us off guard. The good news is there is a strong play in place to safeguard assets and the processes that rely on them. If you don’t have an ITAM strategy in place, you need to get one, and pretty much right now.