Compliance is a daunting topic. We are all very aware of the punitive fines which can come from an organisation not being compliant. There are some really simple reasons why companies fall down on such a well-known issue. Here they are, spelled out so that you and your organisation don’t fall victim to a whopping fine or worse - a public data or service mishap.
The statistics come from Nlyte’s independently delivered survey of Technology Asset Management (TAM).
1. Lack of ownership
Although everyone might know that an audit will happen, it is not always clear who is responsible for preparing for it. This is due to a lack of communication, and to team members sometimes wanting to bury their heads in the sand when it comes to what can be a big, inglorious job. Unfortunately, ‘I didn’t know I had to do it’ won’t cut it with auditors, or with the bosses when they get whacked with a slap on the wrist. On top of this, people often do not want to take ownership because they feel that if they are officially in charge, they will be the one culpable if the hated project is caught out. What really brings home the message is that only 10 per cent of IT operations believe that all assets are detectable and monitored. This level of hidden threat might result in employees not wanting to take responsibility and fix the challenge, but ultimately the organisation is responsible, so it must take ownership of such issues in a mature fashion.
2. Complacent with existing technology
If your old tech is compliant, secure, and well-maintained, then great! However, this can create a false sense of security, as any new technologies the organisation has acquired also need to have been brought into the asset, compliance, and cyber-hygiene programme. All assets must be compliant with regulations like data protection, and likely GDPR as well for European and global firms, and there should be records of previous audits and of what new assets have since been acquired.
Another pothole where organisations trip up is purchasing a discovery solution and then not keeping up regular use of it, so that new technology assets coming in subsequently have not been checked off. When the audit comes, they find out they are not up to date, they don’t have the latest technology updates, and they don’t have the information necessary to show true compliance with licensing or with regulation.
3. Lack of transparency over all assets
Using inaccurate processes can leave organisations in a mess when it comes to knowing what assets are connected. This lack of transparency can lead auditors to rip their hair out in frustration! 87 per cent of organisations believe only 10 per cent or more assets are in their change management database. This means organisations are aware that they are not tracking or managing their assets properly. This raises a big red flag to auditors, as they can see that the company does not have a handle on the right information when questioned. All the new assets and devices being connected to the network cause trouble if the business is not sure about its licensing or security management.
4. Belief there is no real risk
Often there can be a belief that there is no real risk. There can be a train of thought along the lines of ‘we are too small, they won’t come to us’ or ‘we have a great relationship with our software vendors’. Unfortunately, these are the deadly thoughts of compliance, as there is nothing stopping auditors turning up at your doorstep at any point. Only 13 per cent of Financial Officers indicate they have emerged unscathed from an audit, meaning that most, when audited, must re-licence, get fined, get reprimanded, and the damage is done. Whatever the size, relationship or organisation, there is always a risk, so there needs to be a programme in place to protect the organisation, yourself and, indeed, your customers from harm.
5. Not recognising the exposure other than desktops
This is a pretty common issue. A lot of organisations have multiple processes and technologies to manage their desktops and have control over the risks present there. However, they don’t notice or recognise the risks outside of desktop devices. One example is connected medical devices, and who has access to them, in a busy hospital. Servers in the data centre are another pitfall for compliance. They pose a huge risk, as people can deploy instances of databases or applications from major software providers whenever they want to run an instance or create a development environment. This can riddle organisations with unlicensed compliance holes and cause the wheels to come off the organisation's compliance situation.
6. Procrastination
As we know, procrastination is a task-killer within any business. It is amplified when dealing with busy people such as those in the IT operations, finance and security departments, who all have a role to play in compliance but also have a fiendishly demanding regular day-job. Compliance is often to be found at the bottom of their to-do list and so easily slips under the radar for long periods of time. However, this attitude is devastating, especially when questions are asked of the CFO or CIO by large vendors or regulators. A couple of investigative angles quickly unveil the burying of compliance tasks. The bottom line is that compliance has not been set as a priority, so heads will roll and some very impactful ramifications will follow as a consequence. For example, 38 per cent saw responsible people reprimanded and 15 per cent faced legal action in this situation.
7. Too much noise - not enough signal
The final reason is that there is just too much noise. This can be on the network itself: the discovery solution is causing too much traffic, or the organisation is collecting too much information from an ineffective solution. Ultimately, an organisation needs a solution which works for it and is customisable to its working style. Technology Asset Management can assist with all of the issues above, even with procrastination, by sending alerts to the appropriate individuals on the right schedule. TAM can encapsulate not only desktops but also servers and all kinds of connected devices, which ensures all assets are captured and compliant in real-time.
Keeping organisations compliant is a vital step to ensure the company and employees succeed without the waste of time, budget, and paperwork of unnecessarily tedious audits. TAM can stop compliance blowing up and save not only money but potentially jobs and reputations, so it’s worth investing in a reliable, reputable TAM solution and ensuring the organisation manages its technology assets as smartly as possible.
Mark Gaydos, CMO, Nlyte Software