Managing your Virtual Assets
Cyberattacks and data breaches have made many headlines in recent years and will likely continue to do so. But besides cyber security considerations, there are other reasons why you should manage your virtual assets well. The IT infrastructure required to support business operations is critical for companies of all sorts. And when a company grows, especially when it expands internationally, the complexity of virtual asset management increases. Over 70 percent of IT leaders say they have not created a formal software asset management (SAM) strategy, which means many companies lack a clear view of their virtual assets. This lack of control leaves them more vulnerable to cyberattacks and exposes them to wasted IT cost and the risk of legal noncompliance.
Vulnerability Around Cyberattacks
According to research from IBM Security, the average cost of a data breach to a company is $3.9M. Almost 25 percent of reported cyberattacks are due to vulnerable end-of-life IT systems and software that is out of date and no longer supported with security patches.
- Arizona Beverages lost millions of dollars in sales because of a cyberattack that was attributed to many of their back-end servers running old and outdated Windows operating systems that are no longer supported. Most had not received security patches in years.
- Equifax has been ordered to pay over $650 million in a settlement over its data breach, in which 143 million consumers were affected. The House Oversight Committee report concluded that the breach occurred due to systems and software that were old and out of date, saying, “Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate.”
As a company’s IT infrastructure grows to support its global business, it likely will translate into multiple data centres across locations, both domestic and international. It is critical to establish and implement a SAM strategy in order to manage and monitor growing virtual assets for vulnerabilities.
Wasted IT Spend
Global companies should take advantage of volume-based discounts. If a corporation has separate procurement teams by region, by default, it is already overpaying for its software. Centralising its procurement team to purchase licenses for the global corporation will allow a company to receive larger volume-based discounts in comparison to each entity purchasing individually. Make sure to carefully negotiate the license agreement terms to avoid any restrictions around where a company can install the purchased software. To further increase the discount rate, time purchases to occur during the fiscal year-end for that specific software vendor.
With the above in mind, a software asset management baseline of current virtual assets and licenses is essential prior to negotiations to understand what it is a company has and what it is using. Without doing so, a company will likely be paying for support and maintenance on licenses that it is not utilising.
Legal Non-compliance Exposure
A lack of licensing knowledge on the part of a company’s subject matter experts is the most common skill gap behind legal non-compliance exposure going unnoticed. Even experts can miss complications with specific vendors, products and terms, and these need to be managed. For example:
- Vendors: Although there may be some similarities, licensing across software vendors is different. Furthermore, each vendor may define technological terms differently (e.g. Processor, Core, etc.)
- Products: Even with a single software vendor, each of its products is licensed differently (hardware based, user based, capacity based, resource based, etc.)
- Environments: Each software vendor and product has different licensing terms and license requirements depending on the environment in which the software is installed (production, test, QA, etc.)
- License Metric Changes: It is fairly common that software vendors will change how their products are licensed through the years; even the same product one year may be licensed differently the next year. These changes are not publicised by software vendors and go unnoticed by subject matter experts until it is too late
- Special Terms: There may be special licensing terms and restrictions that may apply to specific contracts in comparison to the standard terms and conditions
Additionally, a company could have all the tools and technology in place to manage its virtual assets and still be exposed to non-compliance due to a lack of understanding of its contracts. Let’s say a company has acquired licenses from Microsoft historically. At large corporations, the team purchasing the licenses (procurement) is typically not the team deploying them (IT). IT’s primary role is to ensure the IT environment is stable enough to support the business needs, and it therefore does not focus on or care about the contractual terms that govern how the Microsoft products can and cannot be used. Many fail to realise the restrictions in these agreements. For example:
- Location Restrictions: There is nothing built into the software that prevents the software from being installed in certain regions, yet there are terms and conditions in license agreements that limit where someone can install the software. If a company has purchased the software in the U.S., but deploys it globally, it may very well be violating the license agreement from the start. Here is an example of some license restriction language:
  - Local Network License: The software may only be accessed or used by Authorised Users at the Installation Site or any Customer facility within ten miles.
  - Country Network License: The software may only be accessed or used by Authorised Users at Customer facilities located within the country where the Installation Site is located.
  - Regional Network License: The software may only be accessed or used by Authorised Users at Customer facilities located in Europe and countries in the Middle East and Africa.
Failure to actively manage software licenses often results in legal penalties for a company over issues such as over-deployed software and piracy. Additionally, without software asset management, a company is likely wasting IT spending by paying recurring support and maintenance fees on software licenses that are not in use or needed.
In conclusion, the lack of a SAM strategy and framework creates exposure, for any company, to cyber security vulnerabilities, wasted IT cost and legal noncompliance. These risks are further multiplied for global corporations. Those who have a SAM strategy are moving in the right direction to minimise risk and reduce cost.