What is an asset?

The idea in brief: In cybersecurity, an asset is something valuable that a business owns or anything that can be directly used to create value. This is very similar to the accounting and finance idea of an asset.

In more detail: The most common types of assets are software applications and laptops. But intellectual property and the data companies control are also considered assets.

From a cybersecurity view, there are two essential types of assets:

  1. Assets that must be configured to meet security outcomes
  2. Assets that could be impacted by a cyberattack or ransomware

This means that assets that are managed in cybersecurity include:

  1. Laptops, computers, printers, network infrastructure - these are often called "hardware assets".
  2. Finance software, word processing apps, design and marketing apps, industrial control software - these are often called "software assets".
  3. Data about customers, your order book, supply chain information - these are often called "data assets".
  4. Trade secrets, patents, R&D data - these are often called "intellectual property assets".

Shadow IT

As IT and technology services have become easier to buy using credit cards (e.g. cloud computing and SaaS services), companies have become reliant on this 'shadow IT' infrastructure for business processes.

'Shadow IT' or 'grey IT' refers to the IT assets that a company does not manage or monitor as part of its asset management processes, even though it relies on them to operate and create value.

What assets do you own?

Listing your most important assets is often the first step when using a security framework, as it allows you to set the limits of what you're going to protect. But how do you discover what assets are in your company?

You can start to understand what assets you have by looking at:

  1. Purchase orders and procurement records
  2. Logging and monitoring systems - e.g. DNS servers or Microsoft Active Directory
  3. Mobile Device Managers or device management tools - e.g. Microsoft Insight
  4. Vulnerability management platforms
  5. Feedback from your engineering or development teams
  6. A manual audit - i.e. visiting offices and looking under desks. This is time-consuming but often finds assets that people have forgotten about.

Once you have started to find the assets in your company, it is crucial to document what has been found. This can be as simple as writing on a sheet of paper or on a spreadsheet. For more complex environments, it may be necessary to use one of the database tools available.
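As an added illustration (not Fresh Security's own code), the script below cross-checks three of the sources listed above (procurement records, a device management export and DNS logs) and writes the result as a spreadsheet, flagging assets that appear in one source but not another. The column names and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a real tool's format.
PROCUREMENT = "serial,description\nSN-1001,Finance laptop\nSN-1002,Sales laptop\nSN-1003,Office printer\n"
MDM = "serial,hostname\nSN-1001,fin-lt-01\nSN-1002,sales-lt-01\nSN-2001,dev-lt-07\n"
DNS_CLIENTS = "hostname\nFIN-LT-01\nsales-lt-01\ndev-lt-07\nunknown-nas\n"

def build_inventory(procurement, mdm, dns_clients):
    """Merge the three sources into one record per asset, noting where each was seen."""
    inventory, host_to_serial = {}, {}
    def record(key, source, **fields):
        entry = inventory.setdefault(key, {"sources": set(), "description": "", "hostname": ""})
        entry["sources"].add(source)
        entry.update({k: v for k, v in fields.items() if v})
    for r in csv.DictReader(io.StringIO(procurement)):
        record(r["serial"], "procurement", description=r["description"])
    for r in csv.DictReader(io.StringIO(mdm)):
        host_to_serial[r["hostname"].lower()] = r["serial"]
        record(r["serial"], "mdm", hostname=r["hostname"].lower())
    for r in csv.DictReader(io.StringIO(dns_clients)):
        host = r["hostname"].lower()
        # Hosts unknown to the MDM are keyed by hostname until someone identifies them.
        record(host_to_serial.get(host, "host:" + host), "dns", hostname=host)
    return inventory

def findings(inventory):
    """Return {asset key: reason} for every asset that needs a human follow-up."""
    out = {}
    for key, entry in inventory.items():
        seen = entry["sources"]
        if "mdm" not in seen and "dns" in seen:
            out[key] = "on the network but unmanaged (possible shadow IT)"
        elif "mdm" not in seen:
            out[key] = "purchased but not enrolled in device management"
        elif "procurement" not in seen:
            out[key] = "managed but has no purchase record"
    return out

def to_spreadsheet(inventory):
    """Write the merged inventory as CSV text that opens as a spreadsheet."""
    flagged, buf = findings(inventory), io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["asset", "hostname", "description", "seen_in", "follow_up"])
    for key, e in sorted(inventory.items()):
        writer.writerow([key, e["hostname"], e["description"], "+".join(sorted(e["sources"])), flagged.get(key, "")])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_spreadsheet(build_inventory(PROCUREMENT, MDM, DNS_CLIENTS)))
```

Rows with an empty follow_up column were seen in all three sources; the rest are the starting list for a manual audit.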

Related Questions

What is a data breach event?

A data breach event is a single occasion on which a team member's email and password were lost as part of a data breach. For example, Jane in sales losing her password as part of the LinkedIn data breach is one data breach event.

This information can show that some people in your team have lost passwords in many data breaches, whereas other team members have lost a password only once. This can help prioritise who could pose a more significant risk to your organisation.


What is a deceptive domain?

A deceptive domain is a domain name that is registered to deceive or confuse. They are often used in fraud and phishing attacks.

Deceptive domains typically fall into 2 main groups:

Typo-squatting is when a domain name is registered with a missing letter, added letter or where one of the letters has been replaced. For example, goog1e.com is registered as a deceptive domain against google.com. (The l is replaced with a 1, which in some fonts looks…


How do you calculate the Fresh Security risk score?

At Fresh Security, we believe that people should be at the heart of security, which is why people and their environment are the foundation of the Fresh Security risk score.

The risk score is all about people

To calculate the risk score, we first calculate the risk each person faces. The personal risk score examines each email address that a person uses. When an email address is stolen, the algorithm looks at the other data stolen in the breach…
