What Is an Asset?
The idea in brief: In cybersecurity, an asset is something valuable that a business owns or anything that can be directly used to create value. This is very similar to the accounting and finance idea of an asset.
In more detail: The most common types of assets are software applications and laptops. But intellectual property and the data companies control are also considered assets.
From a cybersecurity view, there are two essential types of assets:
- Assets that must be configured to meet security outcomes
- Assets that could be impacted by a cyberattack or ransomware
This means that assets that are managed in cybersecurity include:
- Laptops, computers, printers, network infrastructure - these are often called "hardware assets".
- Finance software, word processing apps, design and marketing apps, industrial control software - these are often called "software assets".
- Data about customers, your order book, supply chain information - these are often called "data assets".
- Trade secrets, patents, R&D data - these are often called "intellectual property assets".
As IT and technology services have become easier to buy using credit cards (e.g. cloud computing and SaaS services), companies have become reliant on this 'shadow IT' infrastructure for business processes.
'Shadow IT' or 'grey IT' are the IT assets that are not managed and monitored as part of its asset management processes, but the company relies on them to operate and create value.
What Assets Do You Own?
Listing your most important assets is often the first step when using a security framework, as it allows you to set the limits of what you're going to protect. But how do you discover what assets are in your company?
You can start to understand what assets you have by looking at:
- Purchase orders and procurement records
- Logging and monitoring systems - e.g. DNS servers or Microsoft Active Directory
- Mobile Device Managers or device management tools - e.g. Microsoft Insight
- Vulnerability management platforms
- Feedback from your engineering or development teams
- A manual audit - i.e. visiting offices and looking under desks. This is time-consuming but often finds assets that people have forgotten about.
Once you have started to find the assets in your company, it is crucial to document what has been found. This can be as simple as writing on a sheet of paper or on a spreadsheet. For more complex environments, it may be necessary to use one of the database tools available.