YOUR IT GUY CAN’T COUNT.

Management should stop making them try. It isn't their job. And even if management does make it their job, they shouldn't be allowed to grade their own work. An inaccurate device count is one of the cheapest things most organizations can correct to improve their cyber security.

Step one in getting control of cybersecurity is an accurate inventory of devices and users. Remember for a moment that our purpose here, as non-technical executives, is to have a positive impact on the security of our organization. This can be done without straining to understand the underlying technologies.

A perfect example of this is a system inventory. To the uninitiated, a basic count of every computer in the organization would seem simple, even trivial. To be sure, it is a laborious assignment, and it is usually the responsibility of the IT team. But should it be? The IT team might be best placed to answer the question "how many computers do we have?" But there is a related, perhaps more important, question they can't answer.

"How many devices SHOULD we have?" Knowing how many devices an organization should have is a management question. The teams that authorize purchases and sign checks are best placed, and should be responsible, for knowing how many devices were purchased. Similarly, once an asset has entered an organization, it stands to reason that it should not leave that organization without executive knowledge and approval. When you know how many devices were purchased and how many were removed, you know how many you "should have." Then and only then can you ask the question "how many do we have?" and know how to respond when you get a different answer.

Without an inventory kept from this vantage point, an organization has no way of measuring theft or destruction, and it has blind spots in both cybersecurity and disaster recovery. It is these all-too-common blind spots that lead to breaches, ransomware and data loss.

To understand how an accurate count improves security, let's take a deeper dive into how the IT team does its counts, and why those counts fail. To lay the groundwork, let's first review some of the common curveballs that trip them up.

Laptops get removed from the building. Old computers are re-purposed and set up in the garage or a hidden office to do something deemed too unimportant to justify a new device. Underutilized computers are turned off for weeks or months at a time. Operating systems get re-installed and device names change. Systems fail and aren't replaced. All these complications, and more, lead to a device count that drifts and becomes inaccurate.

Even starting from scratch, the standard IT department will not deliver a completely accurate count. To understand why, we must first understand how the average technician will attempt to fulfill a request for a new inventory count. To put it bluntly, the average technician is a technologist. They are not going to default to a hand count. They will default to one of a few kinds of software package where this sort of thing can be tracked. These packages fall into a few categories: RMM (remote monitoring and management), EDR/MDR (endpoint detection and response, whether self-run or managed), AD/AAD (Active Directory and its cloud counterpart, Azure Active Directory, now called Entra ID), and documentation software.

The logical fallacy that underpins the failure of these methods comes down to this: the reports they generate are not a count of devices owned by the organization. They are counts of devices on which a particular software package is installed and reporting in.

Automated software, no matter the type or brand, has no way of knowing the difference between a laptop that hasn't been turned on in a month and a laptop that was decommissioned and replaced last month. It will often count a renamed device twice unless the record under the old name is properly removed. It has no way of differentiating between a laptop assigned as a work-from-home device and one that was stolen. Further, and more dangerous, new machines occasionally get deployed without the RMM or EDR software at all, most often because of an automation failure or a lapse in attention by the IT team during setup. But no matter the cause, knowing that the expected count of devices is X, and that the actual count (as reported by the patching software) is X minus 2, identifies two machines that are unaccounted for and, until proven otherwise, must be treated as unpatched and unprotected.

When building an initial inventory, automated lists are not a bad place to start, but they must be reviewed with diligence and with knowledge of what has been purchased and what should be expected. No device should be allowed access to organization resources or data without the appropriate patching and security software in place. Every device on a network is a potential portal to the rest of the network. Every device with cloud or VPN access to organization data is a potential path to that data. Therefore, no device should be allowed such access until the predetermined organizational software has been installed and configured.

It takes extreme diligence and attention to detail to verify with 100% accuracy that every device has these software packages installed. Automation fails from time to time and must be checked on an ongoing basis. Retired devices must have this software removed as part of the recycling process. Reports produced from RMM software and from Active Directory will, more often than not, differ both from the truth and from each other.

A simple way for the non-technical executive to test this in their own organization is to first ask for an inventory report and then ask how it was produced. If, for example, it was produced with RMM software, the follow-up request should be to produce the same report from Active Directory. It will be rare for the two reports to match.

As damning as this sounds, it should not be taken as a condemnation of the IT department. True responsibility for keeping an inventory of such assets should fall on the people who wrote the checks to purchase the assets in the first place. Purchase orders should be used, serial numbers should be tracked, and no device should leave the organization without written approval from the appropriate executive.

Comparing various software generated inventory lists with each other, or better with the records from purchasing, is an excellent way to discover devices that are an outsized threat to the organization.

Most security software, patching software, and managed service providers charge by the device. An accurate inventory from purchasing can easily be compared to vendor invoices, resulting in savings from unneeded licensing. More importantly, it can identify unprotected machines that threaten the organization.
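Here is what that comparison looks like when it is actually carried out. This is an added illustration, not a tool or a report from the author, and every device, serial number, purchase order and date in it is made up. It assumes three exports have been pulled into simple lists: the purchasing ledger (what we should have), the RMM/EDR agent export (what the security tooling sees), and the Active Directory computer list (what the directory sees). Everything is matched on serial number rather than computer name, because a name changes whenever an operating system is reinstalled while the serial number does not. The point it demonstrates is that all three sources can agree on the headline number and still disagree about which machines are on the list.

```python
"""Reconcile device inventories from purchasing, RMM/EDR and Active Directory.

Added example with constructed sample data; not the page author's tooling.
Keyed on serial number so that renamed or re-imaged machines are not
counted twice.
"""
from datetime import date

# Constructed sample data (not real devices).
PURCHASED = [  # the purchasing ledger: what we SHOULD have
    {"serial": "SN-1001", "po": "PO-22-014", "disposed": None},
    {"serial": "SN-1002", "po": "PO-22-014", "disposed": None},
    {"serial": "SN-1003", "po": "PO-23-002", "disposed": None},
    {"serial": "SN-1004", "po": "PO-23-002", "disposed": "2024-03-01"},  # retired with written approval
    {"serial": "SN-1005", "po": "PO-23-009", "disposed": None},
]

RMM = [  # the RMM/EDR agent export: one row per agent record, billed per row
    {"serial": "SN-1001", "hostname": "FIN-LT-01",     "last_seen": "2024-05-30"},
    {"serial": "SN-1002", "hostname": "OPS-LT-02",     "last_seen": "2024-04-10"},  # quiet for weeks
    {"serial": "SN-1002", "hostname": "OPS-LT-02-OLD", "last_seen": "2024-02-01"},  # stale record after a rename
    {"serial": "SN-1004", "hostname": "WH-PC-04",      "last_seen": "2024-05-29"},  # "disposed", still checking in
    {"serial": "SN-9999", "hostname": "GARAGE-PC",     "last_seen": "2024-05-30"},  # never purchased
]

AD = [  # the Active Directory computer export
    {"serial": "SN-1001", "hostname": "FIN-LT-01"},
    {"serial": "SN-1002", "hostname": "OPS-LT-02"},
    {"serial": "SN-1003", "hostname": "ENG-LT-03"},  # joined to the domain, no agent installed
    {"serial": "SN-1005", "hostname": "HR-LT-05"},
]


def reconcile(purchased, rmm, ad, as_of="2024-06-01", stale_days=30):
    """Compare the three sources and return the discrepancies an executive should ask about."""
    today = date.fromisoformat(as_of)
    expected = {p["serial"] for p in purchased if p["disposed"] is None}
    disposed = {p["serial"] for p in purchased if p["disposed"] is not None}
    rmm_serials = {r["serial"] for r in rmm}
    ad_serials = {a["serial"] for a in ad}

    # Most recent check-in and number of agent records per serial.
    last_seen, records = {}, {}
    for r in rmm:
        s = r["serial"]
        records[s] = records.get(s, 0) + 1
        seen = date.fromisoformat(r["last_seen"])
        if s not in last_seen or seen > last_seen[s]:
            last_seen[s] = seen

    return {
        # The headline numbers: note that they can all agree while the lists differ.
        "expected_count": len(expected),
        "rmm_count": len(rmm_serials),
        "ad_count": len(ad_serials),
        # Owned, not retired, but no security agent reporting: unpatched until proven otherwise.
        "no_agent": sorted(expected - rmm_serials),
        # Reporting in, but purchasing has never heard of it.
        "unknown": sorted(rmm_serials - expected - disposed),
        # Signed off as disposed, yet still on the network.
        "disposed_but_active": sorted(disposed & rmm_serials),
        # Two agent records for one machine (rename or re-image without cleanup).
        "duplicate_agents": sorted(s for s, n in records.items() if n > 1),
        # Owned and enrolled, but silent longer than the allowed window.
        "stale": sorted(s for s in expected & rmm_serials
                        if (today - last_seen[s]).days > stale_days),
        # Known to the security tooling but not to the directory.
        "agent_but_not_in_ad": sorted(rmm_serials - ad_serials),
        # Per-device billing: agent records that do not correspond to an owned, active machine.
        "excess_agent_records": len(rmm) - len(expected & rmm_serials),
    }


if __name__ == "__main__":
    for finding, value in reconcile(PURCHASED, RMM, AD).items():
        print(f"{finding:>22}: {value}")
```

With the sample data, purchasing, the RMM export and Active Directory each report four devices, so a count alone would pass. Matching on serial number shows that two owned laptops have no agent, one supposedly disposed machine is still checking in, one device was never purchased at all, and three of the five agent records being billed do not belong to an owned, active machine.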

What we are experiencing right now is cyberwarfare at various levels. It is not reasonable to hire security specialists, internal or external, and tell them generically to protect our people and our devices without delineating the exact list of people and devices to be protected. Step one in getting control of cybersecurity is an accurate inventory of devices and systems and of the people who use and support them. The responsibility for such an inventory begins with the executive team and cannot be abdicated.
