If you’ve done any reading at all about cyber security for small businesses, you’ll have realised that this advice always includes setting strong passwords, setting up multi-factor authentication… and creating an inventory of your assets.
This is because an asset inventory really matters. Unless you know exactly what you need to protect, you can’t do much to defend it.
There are two different types of assets that people talk about: the physical IT assets, and your information assets. We’re going to focus on the physical assets in this post, and come back to information assets another time.
Why create an asset inventory?
Think it’s not worth your time? You’d be surprised how many assets you already have, and if you plan to grow your company, the number is going to expand quickly. It will be easier to get tracking systems in place now than to play catch-up later.
If you’re planning to gain a security certification for your business, an up-to-date and accurate inventory is a baseline requirement.
Creating an asset inventory
If you don’t have an inventory of your IT hardware assets at the moment, the first thing to do is to take stock of the things you know about, making a list. So that you don’t have to go round and look at everything again, why not make a note of the details of each item as you go? This can include: what it is, manufacturer, model name and number, serial number, the person (or department) who uses it, for what and where, and the date that you updated the list with these details.
Your list doesn’t need to be held in a purpose-built application, at least initially. While these applications can offer useful extra features to help you manage your asset inventory, a simple list, probably in a spreadsheet, will be enough to start with.
Remember to include desktops, laptops, monitors, mobiles, printers, any external devices attached to each computer, routers and so on. Don’t forget anything that’s not currently in use, but is stored under a desk or in a drawer.
Future-you will be grateful if you also document how old each device is, any maintenance schedule, who you bought it from, what it cost, and where you buy any consumables for it.
Adding to your inventory
What about things you don’t know about? Do your employees bring in their own devices and connect them to your network? Think about their mobile phones, smart watches or their laptops (if you have a BYOD policy). Don’t forget IT kit used by remote workers, whether they work in one home location, or travel between customer locations.
And then there are the things that might be in your building (office, factory, workshop, whatever it is) that are internet-enabled but not what people might typically think of as computers.
These might be sensors in your machinery setup that communicate information about the status of your processes or of the machinery to a central collection point. Or maybe you have an Alexa device, or CCTV.
Are you working in a smart building? That is, can you (or someone else) control the door, the lighting or the heating via a smartphone app? If so, add those to your list too.
Your asset inventory: next steps
Your hardware asset inventory will help you keep track of the assets (who is using them, and where), service schedules, warranty expiry dates, and age and maintenance tracking (so you can work out whether it is better to repair or replace). It will also help your accountant and anyone responsible for sourcing consumables (which can vary by manufacturer), so store it safely, and update it regularly.
Part of the update process will be event-driven: your new employee needs a phone and laptop; add these assets to the asset list. Someone leaves, so you reassign their kit and update the asset list.
However, you may also need to look for (and then manage) unauthorised devices connecting to your network; the NCSC has guidance on how to go about asset discovery.
If you identify hardware that you no longer need or use, consider cleaning the device, securely handling the data stored on it, and either storing it for future use or disposing of it securely.
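As an added example (not from the original post), here is one way to check a spreadsheet export of the inventory for the gaps discussed above: missing details, duplicate serial numbers, kit still assigned to someone who has left, and records that have not been updated recently. The column names, the "Spare" marker for unassigned kit and the 180-day threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Assumed column names, based on the details the post suggests recording.
REQUIRED = ["item", "manufacturer", "model", "serial_number",
            "assigned_to", "location", "last_updated"]

# Constructed sample data (not real assets), as exported from a spreadsheet.
SAMPLE = """\
item,manufacturer,model,serial_number,assigned_to,location,last_updated
Laptop,ExampleCo,Model A,SN-0001,Alice,Office,2024-05-01
Laptop,ExampleCo,Model A,SN-0002,Bob,Home,2024-04-20
Printer,ExampleCo,Model P,,Spare,Store room,2023-01-15
Phone,ExampleCo,Model M,sn-0001,Alice,Office,2024-05-02
"""

def audit_inventory(csv_text, current_staff, today, max_age_days=180):
    """Return (row_number, serial, problem) findings for an inventory CSV."""
    findings, seen = [], {}
    staff = {s.strip().lower() for s in current_staff}
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in row.items() if k is not None}
        serial = row.get("serial_number", "")
        findings += [(row_no, serial, f"missing {c}") for c in REQUIRED if not row.get(c)]
        if serial:
            # Serial numbers should be unique; compare case-insensitively.
            first = seen.setdefault(serial.upper(), row_no)
            if first != row_no:
                findings.append((row_no, serial, f"duplicate of row {first}"))
        owner = row.get("assigned_to", "")
        if owner and owner.lower() != "spare" and owner.lower() not in staff:
            findings.append((row_no, serial, f"assigned to non-current user {owner}"))
        updated = row.get("last_updated", "")
        if updated:
            try:
                age = today - date.fromisoformat(updated)
                if age > timedelta(days=max_age_days):
                    findings.append((row_no, serial, f"record not updated for {age.days} days"))
            except ValueError:
                findings.append((row_no, serial, f"unreadable date {updated!r}"))
    return findings

def demo():
    # Bob has left, so only Alice is on the current staff list.
    return audit_inventory(SAMPLE, ["Alice"], date(2024, 6, 1))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Row numbers in the findings match spreadsheet rows, with the header as row 1.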
Of course, this list is incomplete: the next step will be to inventory all the software and data assets used in your organisation. We’ll make that the subject of another blog post in the future.
Would you like more help and advice on cyber security for your business? Just give the Click and Protect team a call on 0113 733 6230, or contact us by email.