In Part 1 of this series, we discussed how to effectively map the hardware your organization uses to help you identify physical and digital vulnerabilities. Still, hardware is only important because of the programs that run on it. That’s why the second key area to map is software. While software is a form of data, since it manipulates other data, auditors should treat it as its own category in the risk assessment process. (We’ll talk about other types of data in our next installment.)
You should be able to answer the following questions about your software:
What is the program or application and what devices is it installed on?
It’s not enough to have the name of the software. You also need to have the build or version number. If there is an activation key for the software, record that also. Software installed from physical media or downloaded directly from the Cloud may require such keys to activate it.
Remember that most software installations are intended for a single device or user. Today, most software is very “smart” about denying multiple installations. Don’t try to circumvent the terms of your licensing agreement!
This brings us to the next question …
Is it licensed?
You should be able to produce an appropriate license for every piece of software installed on your system. Finding these licenses can be problematic, however, especially for older applications. More than one business has found itself paying for new licenses simply because it lacked proof of prior, legitimate purchases.
Also, be sure that your licensing agreement is for commercial use. For example, I know of a company that thought it got a “great deal” on word processor software, only to find that the licenses were for use only by educational institutions. If you find a price that seems to be too good to be true, it probably is.
Regulators don’t ask for proof of software licensure just to be annoying. Installing bootleg or counterfeit software on your system can introduce significant vulnerabilities that legitimate copies don’t have. Be cautious about “freeware,” too. While these programs can be very helpful – especially for businesses with a limited IT budget – they can also be a route for malware. Even if the developer is honest, freeware often appears on multiple download sites. Some of these sites are key “waterholes” for bad actors.
Is it still being used?
Take a look at your computer desktop. Do you see icons for programs you haven’t used in forever? If so, you’re not alone. Users and system administrators alike often overlook the need to uninstall outdated or unneeded software, especially today when large volumes of computer memory are relatively inexpensive. While there are apps in most operating systems to help you identify under-used icons, applying human intelligence to this weeding process is the best strategy.
A second, related question is, “Is it being used consistently throughout a department or the company?” Supporting multiple brands or versions of software applications can make cybersecurity more difficult. Employees may want to stick with the ones they’re familiar with, but different versions may have distinct cyber vulnerabilities and respond unpredictably to updates or to new hardware and software integrations. Whenever feasible, be consistent.
If it’s an older program, does the developer still support it?
While most software developers try to support older versions for a reasonable period, they must draw the line somewhere. Fortunately, many companies make public announcements when they plan to stop supporting a particular program or version of one. Some even notify users directly, especially enterprise clients. Once vendors no longer support a program, the chances of it being vulnerable to current cyber threats become much higher.
What is being done to maintain it?
Software maintenance usually takes the form of updates and patches. Developers sometimes use these terms interchangeably. Generally speaking, though, an update introduces new functionality while a patch fixes a known issue.
Of course, updates sometimes introduce new bugs. For that reason, many IT departments like to test updates before approving their general distribution. There are also reputable online sites that can warn IT professionals of known issues.
Another thing to keep in mind: just because updates are available doesn’t necessarily mean they’re being installed. This is especially true when employees are individually responsible for checking for and/or installing updates. Updates often take time to run. They also may require multiple restarts to install properly. The temptation to click the “Remind me later” button can be overwhelming for busy employees.
Even if you configure your system to find and download updates automatically, they often don’t install until users shut down and restart their computers. Many companies used to require employees to shut down their systems at the end of the day to accommodate updating. But with so many employees working remotely, this essential maintenance may not be taking place as often.
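The questions above amount to a checklist an auditor can run over a software inventory. The following example is added here (it is not from the article) and encodes those checks in Python against a constructed three-host inventory; the hosts, product names, versions and dates are made up, and the 180-day "unused" threshold is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Install:                  # one row per installation, as collected during the audit
    host: str
    name: str
    version: str
    license_proof: bool         # can we produce the license document?
    commercial_use: bool        # is that license valid for business use?
    last_used: "date | None"    # None means no launch was ever recorded

@dataclass
class VendorInfo:               # what the vendor publishes about the product
    latest_version: str
    support_ends: "date | None" # None means no announced end of support

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def audit(installs, vendors, today, unused_after=timedelta(days=180)):
    # Returns (host, name, finding) for every inventory question that fails.
    findings, versions_seen = [], defaultdict(set)
    for i in installs:
        versions_seen[i.name].add(i.version)
        if not i.license_proof:
            findings.append((i.host, i.name, "no proof of license"))
        elif not i.commercial_use:
            findings.append((i.host, i.name, "license not valid for commercial use"))
        if i.last_used is None or today - i.last_used > unused_after:
            findings.append((i.host, i.name, "not used recently; candidate for removal"))
        v = vendors[i.name]
        if v.support_ends is not None and v.support_ends < today:
            findings.append((i.host, i.name, "vendor support has ended"))
        if parse_version(i.version) < parse_version(v.latest_version):
            findings.append((i.host, i.name, f"update available: {v.latest_version}"))
    for name, versions in versions_seen.items():  # same product, different versions
        if len(versions) > 1:
            findings.append(("*", name, f"inconsistent versions: {sorted(versions)}"))
    return findings

def run_sample():
    # Constructed inventory: three hosts, two fictional products, audit date 2022-06-01.
    installs = [Install("PC-01", "WordPro", "4.1", True, True, date(2022, 5, 20)),
                Install("PC-02", "WordPro", "3.9", True, False, date(2022, 5, 1)),
                Install("PC-03", "OldTool", "1.0", False, True, None)]
    vendors = {"WordPro": VendorInfo("4.2", None),
               "OldTool": VendorInfo("1.0", date(2020, 1, 1))}
    return audit(installs, vendors, today=date(2022, 6, 1))
```

Calling run_sample() returns seven findings for this inventory, including the unlicensed, unused and unsupported OldTool install and the two different WordPro versions across hosts.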
Consider the Source
Finally, as you review the software used by your team, consider the source of these programs. Off-the-shelf solutions usually have predictable reliability. After all, a company that puts out “buggy” software usually doesn’t stay in business long. (Stop laughing; I know who you’re thinking of!) We’ve already talked about the risks of freeware. For proprietary software (either developed or significantly modified in-house), be sure to have a rigorous application development protocol in place. Both full-time developers and any freelancers you employ need to understand and adhere to this protocol. That way, you’ll know the provenance of the applications you introduce into your system.
Be sure to join us next week for Part 3 of this series, when we’ll look at mapping other types of data assets. And for more cybersecurity tips, check out this article, Cybersecurity DOs & DON’Ts for 2022. Stay secure!