Your Company’s One Asset That Can Kill It (And What You Can Do About It)
The next time you are making a purchase at a major retailer, take a look at the cash register. The likelihood is that it has a little sticker on it with an asset number. Asset #12345678 or something like that. And, if you were to go in the back to the store manager’s office, you would find each computer has a similar asset label on it. And, whether we are talking about retailers or manufacturers or service industries, with some companies, you would find an asset label on every desk, chair, bookcase, storage cabinet, etc. Some companies are more disciplined (obsessive) about company asset management and others are less disciplined.
As you go down in company size, you will typically see less and less discipline when it comes to company asset management. To allay your concerns, we will not be recommending that you go out and buy a bunch of asset identification labels and slap them on everything in sight. (Although, you should for at least your big ticket items.) No, instead, we hope to scare the living daylights out of you. There is one asset that can kill your company. The problem is we don’t know which one specifically . . . you don’t know which one . . . no one in your firm knows which one . . . and, worse, no consultant or anyone else can ever tell you exactly which one.
To be certain, you have this problem whether your firm has $100 thousand in revenue or $100 million in revenue or $100 billion in revenue. Every firm has this problem . . . even the companies that have asset stickers on paper clips. So, if you think your firm is disciplined with asset management, you will be shocked at your firm’s vulnerability when you understand it for what it is. And, for families that own middle market companies, you have substantial wealth at risk and even your team members’ jobs are at risk. Feeling anxious or frustrated?
The asset that can kill your company is software. If you don’t believe it, just do an Internet search of how Iran’s uranium enrichment program was taken down. Software. If you don’t believe that “software asset management” — described in just a bit — is an issue, do a little research on the root cause of the massive data breach at a major U.S. credit reporting agency in the past few years. Then, consider the case of software company Ashton-Tate. It was not until after the company was bankrupt that it was discovered that a competitor had introduced a fatal flaw into Ashton-Tate’s primary software product that doomed that company.
But, don’t think just because you’re not in the business of producing weapons-grade nuclear materials that you’re not a target. Don’t think “why me, I have a small company.” You are a target whether you realize it or not.
A few years ago, a business owner called me about doing asset protection planning because she and her company were being sued. (By the way, the time to do asset protection planning is before a claim arises . . . not after.) The pertinent issue in the case was that her company and a competitor had both been able to drill into each other’s servers — corporate espionage as defined. Each had been able to poach customer lists, proprietary product information, etc.
But, it doesn’t stop there. Let’s say that your firm has some unique part or fabrication process or software. Let’s say that you even have a patent or copyright on it. Now consider a company in another country that is aware of your item. They would rather not spend money on research and development to have a similar capability. So, they drill into your vulnerability point and they get it. The likelihood is that you might never miss the non-U.S. sales they get. But, magically, they find a U.S.-based distributor and you have a new competitor who sells a similar product or service for less in your markets. They can do this for less because they don’t need to recover any R&D expense in their pricing. And, you don’t discover what is going on — like Ashton-Tate — until it is too late. Companies see these offshore attacks happening every day. This is real, this is happening, and this is why you need to sit up and pay attention.
Okay, fine. But, does your company really have a problem? At the simplest level, ask whether any Windows-based computer in your company is running the Windows XP or 2007 operating system. Neither of these operating systems is receiving (normal) support — including security updates — from its maker. If the simple stuff is a problem, just imagine what’s going on with the more complex stuff.
Most companies have no idea what software they have (in aggregate) or on which hardware any given application resides or which version of each application is installed from one piece of hardware to the next. When you add up all of the software applications that your company has — whether you realize it or not — you are likely in the dozens or even above 100.
Don’t believe it?
Let’s say that your company is fairly disciplined with those asset stickers. And, you have a comprehensive list of every physical asset. That list will have the usual suspects: desktop computers, laptop computers, tablets, and cell phones. (Right now, pull out your cell phone and count how many apps are on it.) Add to that list your mission critical equipment with application specific programs (ASPs). Maybe that includes automated sorting machines, packagers, fabricating equipment, equipment that moves items around your building, and you name it. Then, what about the products you make that have embedded software?
In the same way that you have a list of physical assets, you need a list of software assets. Step 1: from the list of physical assets, you need to identify every physical item that has software. Step 2: on physical item #1, you need to identify every application on it AND what version of each application it is. Step 3: on physical item #2 to #X, repeat Step 2. That gives you your software asset list. From that list, you will have a sense of what you have and an information security person will be able to see which walls of the castle are weakest (and which to fix first). Remember, no one will know which of your many castle walls (software assets) will be the one to provide an entry point to a bad guy.
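The three steps above, worked through on a small inventory. This is an added example, not part of the original article: the asset IDs, device types, application names and the unsupported list are constructed for illustration. It builds the software asset list from the physical asset list, then reports the two things a security person looks for first: applications installed in different versions from one device to the next, and software that no longer receives support.

```python
from collections import defaultdict

# Constructed sample: physical asset list (Step 1 input). Asset IDs, device
# types and installed software are invented for illustration.
PHYSICAL_ASSETS = [
    {"asset_id": "A-001", "type": "desktop", "software": [("Windows XP", "SP3"), ("Acme CRM", "4.2")]},
    {"asset_id": "A-002", "type": "laptop", "software": [("Windows 10", "22H2"), ("Acme CRM", "5.0")]},
    {"asset_id": "A-003", "type": "bookcase", "software": []},
    {"asset_id": "A-004", "type": "sorting machine", "software": [("SortCtl", "1.1")]},
    {"asset_id": "A-005", "type": "desktop", "software": [("Windows 10", "22H2"), ("Acme CRM", "4.2")]},
]

# Assumption: software your security person has marked as no longer supported.
UNSUPPORTED = {"Windows XP"}

def build_software_asset_list(physical_assets):
    """Steps 1-3: one row per (asset, application, version)."""
    rows = []
    for asset in physical_assets:
        # Assets with no software (the bookcase) contribute no rows.
        for name, version in asset["software"]:
            rows.append({"asset_id": asset["asset_id"], "app": name, "version": version})
    return rows

def version_drift(rows):
    """Applications installed in more than one version, with the assets per version."""
    by_app = defaultdict(lambda: defaultdict(list))
    for r in rows:
        by_app[r["app"]][r["version"]].append(r["asset_id"])
    return {app: {v: sorted(ids) for v, ids in versions.items()}
            for app, versions in by_app.items() if len(versions) > 1}

def unsupported_installs(rows, unsupported=UNSUPPORTED):
    """Assets running software on the unsupported list: the walls to fix first."""
    return sorted((r["asset_id"], r["app"], r["version"])
                  for r in rows if r["app"] in unsupported)

if __name__ == "__main__":
    rows = build_software_asset_list(PHYSICAL_ASSETS)
    print(len(rows), "software asset rows")
    print("version drift:", version_drift(rows))
    print("unsupported:", unsupported_installs(rows))
```

In practice the per-device software lists would come from whatever inventory export your systems provide; the grouping logic stays the same.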
But wait . . . it might be worse. What about your web presence? Does your website have web-based applications? It might be as simple as a sales-based app that helps a buyer determine which product to purchase. It might be a service-based app that helps a product owner determine which replacement part to buy.
Okay, you get the picture. Your software assets are a blind spot. Like the vast majority of companies, you really don’t know what you have. And, what you do have includes far more than you imagined. And, you now might have a sense that you’re vulnerable. Plugging your vulnerabilities is a process and not an event . . . an ongoing process.
So, what are you going to do about it? First, you need to create that list of what you have. Second, you need to assess their vulnerabilities. Third, you need to identify a process to close those vulnerabilities. Fourth, you need to prioritize those vulnerabilities. Fifth, you need to close them. Bo says just do it.