Software Audits: Why Are We so Blasé? How Ivanti Gets You Prepared
Organisations can be audited on many fronts. Different industries have specific regulations that may prompt audits. For example:
- PCI for any organisation that handles credit card information.
- HIPAA in the USA for organisations in the healthcare industry.
- ISO 9001 for organisations looking for compliance on quality management.
While I haven’t been through these personally, I can imagine that they are all treated with the importance that they deserve. The organisations who are audited should be prepared and be able to produce any documentation required by the auditors. Certainly my wife — a financial accountant — treats audits with a high priority and has said in the past when the auditors have visited that she was able to easily provide the documentation as required.
Relating that back to the topic of this blog, why do you think organisations are so blasé about software audits? These audits have the potential to cost thousands or even millions of dollars in settlement costs alone, not to mention the time and effort it takes to prepare documentation. Yet a lot of the organisations I talk to have the view that “we just pay the settlement if/when it comes around because getting Software Asset Management right is too costly/difficult”.
I’m not here to try and convince you that Software Asset Management is easy. It’s not, but I will explore three points that in my opinion demonstrate why Software Asset Management should be given a higher priority by organisations.
In the 18 months I’ve worked at Ivanti, I’ve learnt a lot about the importance of some basic cyber security measures that go a long way towards preventing ransomware, hacking and security breaches. The first and seemingly obvious lesson was to stop using an account on my PC with local administrative rights. This will stop a lot of ransomware from being able to run if you accidentally click on something you shouldn’t. An added benefit is that if your users don’t have local administrative rights they can’t install software that they’ve found online which may well need to be licensed.
The Australian Signals Directorate (ASD) lists "minimising administrative privileges" in their top four strategies to mitigate cyber intrusions. Two of the other strategies are OS patching and application patching. This is where Software Asset Management plays an important role. You can’t realistically patch OS and applications when you don’t know what software you have in your environment. You need Software Asset Management to provide a catalogue of the software installed in your environment so you can report on the associated patch levels and ultimately maintain compliance.
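As an added example (not Ivanti’s code or tooling), the following Python script takes a Software Asset Management inventory export and a table of minimum fixed versions and reports which installs sit below the required patch level; the hosts, product names and version numbers are all constructed sample data, and the script also shows why versions must be compared numerically rather than as strings.

```python
"""Patch-compliance report built from a SAM inventory (added example).

Assumed input: the SAM tool exports one row per (host, product, version), and
the security team keeps the minimum version that carries each vendor's fix.
Both tables below are constructed sample data, not real products or hosts.
"""
from collections import defaultdict

# Constructed sample SAM export: (host, product, installed version)
INVENTORY = [
    ("web-01", "ExampleWebFramework", "2.3.31"),
    ("web-02", "ExampleWebFramework", "2.3.32"),
    ("web-03", "ExampleWebFramework", "2.5.10"),
    ("db-01", "ExampleDatabase", "10.2.0"),
    ("app-01", "ExampleWebFramework", "2.3.9"),   # "2.3.9" > "2.3.32" as strings!
]

# Constructed minimum fixed version per product (taken from the vendor advisory)
MIN_FIXED = {
    "ExampleWebFramework": "2.3.32",
    "ExampleDatabase": "10.3.1",
}

def parse_version(v):
    """Turn '2.3.32' into (2, 3, 32) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))

def unpatched(inventory=INVENTORY, min_fixed=MIN_FIXED):
    """Return [(host, product, version, required)] for installs below the fix."""
    findings = []
    for host, product, version in inventory:
        required = min_fixed.get(product)
        if required is None:
            continue  # no advisory tracked for this product; nothing to check
        if parse_version(version) < parse_version(required):
            findings.append((host, product, version, required))
    return findings

def compliance_by_product(inventory=INVENTORY, min_fixed=MIN_FIXED):
    """Percent of tracked installs per product at or above the fixed version."""
    total, bad = defaultdict(int), defaultdict(int)
    for _, product, _ in inventory:
        if product in min_fixed:
            total[product] += 1
    for _, product, _, _ in unpatched(inventory, min_fixed):
        bad[product] += 1
    return {p: round(100 * (total[p] - bad[p]) / total[p], 1) for p in total}

if __name__ == "__main__":
    for host, product, version, required in unpatched():
        print(f"{host}: {product} {version} is below required {required}")
    print(compliance_by_product())
```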
An organisation's reputation is everything. Without a solid reputation, your customers will go elsewhere. The reason I link reputation with this topic is (as I said earlier) because if you don’t know what software you have in your environment, you can’t be sure of your patch compliance levels and a breach will have a huge effect on your organisation's reputation.
A good example of this is the Equifax breach that occurred in May 2017 (discovered in July 2017), which was the result of a software vulnerability that had not been patched, despite the patch being available a week after the vulnerability was identified in March 2017. Time reported that Equifax had lost four billion dollars (so far) because of this breach.
An ITAM Review article explored this topic recently asking a number of industry experts (including our own director of ITAM Phil Merson) for their views. The consensus was if Equifax had leveraged Software Asset Management data, they’d have had more visibility over what software was in their environment and, in my opinion, would have been able to react quicker to prevent the breach.
Another element that must now be considered is the Data Breach Notification laws which came into effect in Australia earlier this year and the GDPR coming into effect on May 25 this year in the EU (and yes, this may impact Australian businesses). Both laws mean that organisations may be required to notify the public about data breaches, which could have significant impacts on reputation. This adds more weight to the argument as to why Software Asset Management can’t be considered too costly or difficult, and why we need to think about the wider implications of not investing in Software Asset Management.
- The average software audit can take 7.13 months to complete and consume 194.15 hours of the IT department’s time.
- An ITAM Review survey showed that 76.4 percent of organisations admit to over-licensing because they fear audits.
- Organizations can cut spending on software by as much as 30 percent by optimizing application configuration, recycling software licenses, and by using SAM tools.
You have probably seen those statistics before, but I think they are worth repeating. Demonstrating ROI for Software Asset Management is certainly a challenge up front. Your best bet is to be realistic. At the end of the day you won’t know the full ROI until all the policies, processes and tools are in place and you’ve been able to reclaim licences, renegotiate contracts with vendors and stop them in their tracks when they knock on your door. A customer who’s on the journey of choosing a Software Asset Management tool recently said they are estimating a 10 percent saving in software spend in their business case which to me is realistic. I’m sure they’ll get greater savings but that’s difficult to quantify.