The pandemic immediately pushed a large portion of the workforce into a remote working environment and for many, this relatively recent transition is one that is here to stay. This has presented many challenges for IT asset management; how do I physically manage device logistics and track endpoints? What security implications are there of personal versus on-premise devices? How can I eliminate those security risks?
Information Technology Asset Management teams play a crucial function in governing compliance and security whilst keeping workers operating productively in this transition towards remote working. Device logistics arising from onboarding and offboarding, warranty, returns, security and network vulnerabilities, asset retirement, network vulnerabilities - at scale the remote working setup presents a myriad of challenges for the IT asset manager.
Security risks
There are two immediate and vital considerations for IT asset managers to prepare for when managing distributed assets - how to track devices and how to protect them.
Tracking devices
Microsoft Excel is not a strategy. Tracking devices by opening an Excel document and noting locations might work for small businesses, but is never the right choice for enterprise organizations. Not enough control, too prone to error, no traceability; the list goes on.
Employees that leave the business and new employees being onboarded means devices will be moved around, transitioning from one person to the next. Businesses must record what device is moving, its information, its past and present location and where it must be stored if not in use. This should also include stipulations regarding where it will go at the end of its use if it becomes obsolete.
Neglecting to properly track company-owned assets means IT departments manage countless pieces of data without the actual knowledge of where they are, an incredibly risky position to be in.
Device ownership: Personal vs work-issued devices
The demand for remote working assets such as PCs, laptops and external hard drives has risen dramatically because of COVID-19. During the second quarter of 2020, global shipments of PCs were up by 11.2%, for a total of 72 million units.
Remote working has naturally resulted in a mix of personal and work-issued devices being used during the average 8 to 5. Work-issued devices are the most protected and easily trackable, but will be far more expensive to purchase or relocate to employee homes. Each device should be:
- Supported and updated remotely.
- Enabled with remote access authentication (multi-factor authentication should also be considered).
- Secured by data protection and data loss prevention.
When personal and on-premise devices are mixed, it can cause risk to data protection. Employees need to be made aware of the best practices when it comes to using either personal or company-owned devices - especially if you’re accessing work items on a personal computer or vice versa.
A good rule of thumb is to simply refrain from using a work computer for personal interests alongside never saving sensitive or confidential information locally.
Unfortunately, in some circumstances, it’s impossible not to use a personal device for work. Employees may be dealing with faulty equipment or may not have been allocated a device yet, meaning they are inclined to work from home using their own hardware.
From an ITAM perspective, it’s crucial to acknowledge this eventuality and prepare for it. For example, some license agreements may require software only to be deployed on company-owned devices. Territorial restrictions are also common. As always, check your license agreements before changing how licenses are deployed. If you discover issues, take steps to mitigate risks.
In 2020, some software publishers varied their terms and conditions to help businesses cope, perhaps with an expectation that this was going to be a short-term change to working practices. Now that remote work is here to stay it’s a good time to formalize license agreement addendums to ensure remote work doesn’t place you at compliance risk.
While this provides the impetus for ITAM teams to quickly and effectively deliver work-owned devices for onboarding at home, it also demands a focus on where data is being stored. If work-related information, which could include sensitive data, is being stored on personal devices, it’s more likely to be stolen or lost due to the lack of network protection or unprotected WiFi connection.
Asset disposition
Device logistics has become increasingly complex since the move to remote working. How do you dispose of assets (including hard drive destruction) when they’ve reached the end of their lifecycle? This is especially complex for those enterprise businesses that might find their remote workforce spanning international boundaries.
Asset disposition relies on accurate tracking, meaning ITAM teams need to maintain accurate records of where devices are located and where they are in their lifecycle. Importantly, this isn’t just about the end of the lifecycle either - remote working makes asset tracking more complex across the entire lifecycle.
The ITAM lifecycle starts prior to the device being ordered, and clearly, if a device is being direct-shipped to an employee’s home ITAM systems need to know that what was specified in the purchase order has actually been delivered.
The Asset lifecycle record needs to be updated on a rolling basis, as it will inform you of what needs to be decommissioned securely. At the end of the day, what you’re working towards is a secure chain of custody, one unaffected by the move to remote working.
This means having a strict data disposal policy in place. In many cases, it requires you to work with an experienced IT asset disposition services provider, one that can guarantee proper return solutions for home office devices that are no longer viable pieces of hardware.
Remote working increases the complexity around returning home-based devices as in many cases there is no open office to return the device to. This often means using courier services to return a single device which drives natural inefficiencies and security concerns. An experienced ITAD provider will be able to manage this process in consideration of:
- Local and regional laws for shipment of electronic devices, particularly if transboundary movement is required.
- Data protection requirements.
- The best way to rid old technology of any sensitive data in a compliant manner.
This is just one circumstance that you may meet as an ITAM professional dealing with remote working, but it is just as crucial to prepare for as any other. It’s also not the only security risk you may have to contend with.
Asset sustainability
While sustainability may not be top priority for ITAM managers, it should be. After the Paris Agreement was ratified in 2015, organizations have the responsibility to assure sustainability is a goal captured in every business process - including ITAM.
Sustainability within ITAM can be seen as part of a good Corporate Social Responsibility (CSR) program. It’s increasingly prevalent that green business is good business. With regards to ITAM, the stipulations of the Paris Agreement encourage businesses to “encourage companies to adopt sustainable practices and sustainable reporting” and “promote sustainable public procurement practices”.
Now, whether it’s device procurement, management or disposition, each of these processes can be done sustainably.
There’s actually been a political movement to ensure reparability of products, in contrast to the linear ‘take-make-waste’ model that’s still very much prevalent in our economy today. For example, the EU’s Green Deal provides a stipulation that EU members will “work towards strengthening the reparability of products. The aim is to embed a “right to repair” in the EU consumer and product policies by 2021.”
Furthermore, consider disposition. Again, in the ‘take-make-waste’ economic model, end-of-life IT assets will be disposed of with no recourse to recover materials or recycle components. This is a waste of valuable resources that have the potential to be reintroduced to a circular economy. This is similarly mirrored in the European Green Deal, where it states: “Once waste has been created, it needs to be transformed into high-quality resources.”
Fortunately, there are already services that exist that help make IT asset disposition a climate-friendly process. These processes have a focus on value recovery, delivering:
- Device reuse: Delivering maximum recovery value and the potential of remarketing.
- Redeployment: Cleaning, repairing and fixing to be used again, rather than replaced.
- Demanufacture: The harvesting of parts and components to be reused.
- Recycle: The harvesting of base materials to be reintroduced to new products at a high-grade of quality.
If we are to make the phrase ‘build back better’ more than a platitude, businesses need to analyze their processes to see just how they can help to develop a post-COVID sustainable economy.
For IT asset management, correctly managing assets is the be-all and end-all. But don’t forget, this includes all stages of a device’s lifecycle, with compliance considerations relevant to each one. Many people forget that end of use is just as crucial to comply with data protection legislation as any other stage. This means every ITAM professional needs to consider secure IT asset disposition for their compliance strategies. To learn more about why this matters, watch our webinar.
Why ITAD matters for ITAM
Businesses need to integrate ITAD into IT governance. This helps manage risk, control costs and enable remote work to proceed safely - even while your assets are distributed among the workforce
Our webinar explores the interactions between ITAM and ITAD, considerations for asset lifecycles and how ITAD can help with ITAM deliverables. So to learn about all this and more, simply watch our webinar. Gain access to the unique insights by clicking the button below.