Why Partnering with IT on Asset Management Is a Crucial Aspect of Cyber Hygiene

December 28, 2022

Bala Larson is Head of Client Experience at Beazley. She joined Beazley in 2007 as a middle-market specialty lines underwriter. She currently manages the company’s Northwest region while also underwriting strategic large accounts for the region’s top broker partners. Bala is based in San Francisco.

If you wanted to secure your house, would you just lock the doors and forget about the open windows?

Time and time again, organizations do just that with their cyber risk management, discovering too late that they have failed to protect assets that they were unaware existed. External threats like data exfiltration often result from failures to focus on some of the building blocks of internal cyber hygiene.

Proper asset management starts with understanding what assets you have. Companies need an inventory of their assets so they can properly secure them. They may perceive their systems to be protected, but they don’t always have the knowledge to back that up. Cyber asset management can help them understand their systems and make informed longer-term decisions.

There Are Several Key Tools That Should Be Part of Every Organization’s Asset Management Inventory System

First and foremost, your organization needs an asset discovery tool that continuously maps devices on your internal network. The “continuously” piece is important because you don’t want an approach that anchors your organization to a fixed period of time.

Once you’ve collected the information, putting it into an up-to-date asset database helps to keep track of historical changes. And, finally, an up-to-date configuration management database (or CMDB) is an important reference point for the team.

Endpoint detection and response (EDR) can also help organizations gain visibility into the device assets they have, detect anomalous activity and respond automatically. The selling point of extended detection and response (XDR) is that it goes beyond devices to include the cloud, identities (user accounts) and extended functionalities.

Because so many organizations struggle with proper asset management, forward-thinking EDR providers are implementing features to close the gap. These will get you most of the way there, but there could be gaps in functionality that organizations are not aware of.

You Can’t Always Solve Everything with a Good Cybersecurity Budget

It’s important to bear in mind that asset management is one part of a series of controls; it supports other controls like deployment of security tools and monitoring capabilities, but this is just the first step. We recommend using an asset management tool, but there’s no reason to spend your whole security budget on the “best” one.

Asset management often falls under an IT-related budget rather than cybersecurity, and this can be tricky. If inventory is handled by IT, the cybersecurity team must live with the consequences of the IT budget limitations regardless of the cyber budget.

The “stick” for having an asset management system, from IT’s perspective, is that without one, you might end up oversubscribed to product licenses. This is a good conversation starter between IT and the cyber team: Evaluate what you have, what condition it’s in and where it has a benefit for both departments.

What Happens When Companies Fail to Appropriately Manage Their Assets?

Our recent Risk & Resilience research revealed that, although cyber remains the leading technology risk for business leaders, there is also a worrying degree of complacency around cyber risk management. Companies are not as well prepared as they would like to believe themselves to be. We see this particularly when it comes to asset management.

Deficient asset management practices can certainly expose an organization to system infiltration. As more and more non-IT employees are authorized to create new IT assets and servers, a lack of visibility over these new assets may allow for weak security practices or configurations.

Issues with both software vulnerabilities and remote desktop protocol (RDP) can also be tied to asset management problems in cases where organizations are not aware of assets or are not monitoring configurations properly.

There Are Larger Considerations for Organizations

Good asset management is good governance, and it needs to be built into a broader cyber strategy and included in business decision-making. Organizations that fail to pay sufficient attention to asset management inherently expose themselves to cyber breaches that result in higher costs and more liability.

To learn more about asset management and best practices for organizations, check out Beazley’s recent Cyber Services Snapshot on the topic, which can be found here.