Archive for IAITAM

Guest Post: TikTok Ban? Companies, Agencies Do Not Have Secure Data If Chinese App Allowed on Company, Personal Phones Says IAITAM

Posted in Commentary with tags on July 15, 2020 by itnerd

The nation of India, the U.S. military, and banking giant Wells Fargo have already banned use of the TikTok app, either altogether or at least on company mobile devices. Should your organization follow suit and prohibit the popular app TikTok on company and even personal phones? Today, the International Association of IT Asset Managers (IAITAM) warned that allowing employees to use TikTok on any devices (including personal cell phones and tablets in a work-from-home context) with direct access to corporate data is “not consistent with maintaining data integrity.”

The TikTok app is taking the world by storm, with controversy brewing over whether the app’s open-ended permissions pose security risks for corporations, government agencies and other organizations, particularly during a time when many employees are still working from home (WFH) due to COVID-19.

Concerns about the Chinese-owned TikTok are reminiscent of earlier security worries about Fitbit and Pokémon Go. In 2016, IAITAM called on corporations to ban the installation and use of Pokémon Go on both corporate-owned, business-only (COBO) phones/tablets and “bring your own device” (BYOD) phones/tablets with direct access to sensitive corporate information and accounts. In 2019, IAITAM advocated against Microsoft’s policy decision to let end-users buy some of their own apps and licenses through Office 365, bringing up concerns over how businesses would track IT assets to ensure compliance. Due to such criticism, the technology giant reversed its decision.

The TikTok app has been found gathering data that includes the user’s clipboard history, location and GPS data, much like the Fitbit security breaches that the Department of Defense experienced in 2018, where fitness trackers used location data to map military bases while soldiers exercised.

Dr. Barbara Rembiesa, president and CEO of IAITAM, said: “The TikTok app unnecessarily endangers data in a way that any government agency or corporation should be concerned about. Combine that with the blending of corporate and personal assets due to work-from-home conditions for employees and you have a perfect storm for sensitive data to be placed into the wrong hands.  As things stand today, allowing TikTok in or near your organization’s environment is not consistent with maintaining data integrity.”

Rembiesa continued: “Acceptable data risk needs to be ascertained prior to downloading software and such software should be managed by an IT asset manager. The risk posed by the data permissions of TikTok does not meet data security best practices.  Diligence and education on ITAM procedures are essential for businesses to implement smart digital policies and mitigate security risks.”

Since March, IAITAM has been at the forefront of work-from-home data concerns during the COVID-19 pandemic, issuing multiple warnings on “nightmare data risks,” tech headaches and challenges associated with transitioning to work from home.

Following ITAM best practices is a roadmap for organizations to protect and get the most out of their IT assets. IAITAM offers courses and training opportunities throughout the year for agencies and businesses seeking to strengthen their cybersecurity and IT asset management.

After Work-From-Home: 3 Biggest Tech Woes Coming For Businesses

Posted in Commentary with tags on May 7, 2020 by itnerd

As coronavirus-related work-from-home restrictions are lifted, some companies and government agencies are going to be staring down major tech woes as they try to deal with the flood of hardware and software that flowed home with workers. But the International Association of IT Asset Managers (IAITAM) encouraged organizations to also look at the process as an opportunity to put solutions in place for hardware and software.

CHALLENGE #1 – Figuring out what stays … and what goes. Many organizations have assets that just sat unused during the work-from-home period. Offices closed due to stay-home orders purchased a large amount of new hardware that will lead to stuffed tech closets. Technology depreciates rapidly. The longer an asset sits on a shelf, the less it is worth. Take stock of what you really need … and don’t need … and pare away the excess.

SOLUTION #1 – “Spring clean” your tech, be a good corporate citizen, and get a tax write-off in the process. There are several ways an organization can remove assets from its environment that do not involve destroying them or shipping them to a dump site in Asia. Charities are a major avenue right now for organizations. Many schools and children’s programs have been forced to shift to online classes. By donating unused assets to a charity/education program (that will repurpose devices for those who are in need) organizations can have an impact on society. Additionally, the value of an asset can be deducted from the tax burden of the organization and affect bottom line budgets in two ways: recouping capital expenses and reducing operational overhead. Organizations taking this route must remain diligent in their data security and data sanitization standards. In addition to charities, there are companies like PlanITROI that provide the same kind of services.

CHALLENGE #2 – Getting all that new hardware and software back to the office. When they were scrambling to equip work-from-home employees with needed assets to get their work done, the last thing many organizations thought about was how it would all come back to the office. End users were sent home with corporate assets with the intent that they be able to work remotely. Some end users took this as an opportunity to quarantine themselves with family and loved ones they are unable to see as often as they would like. While the intent is that an employee would have stayed local, there was no guarantee. As such, these mobile assets may have become significantly more mobile than initially anticipated. Now, everything must be fully accounted for and integrated into the office environment.

SOLUTION #2 – Leverage door-to-door services for tech. In response to the demands of the current working environment, many organizations rose to answer the call for remote device pickup. Some highly mature ITAD service providers already had door-to-door pickup services in place before the coronavirus pandemic started. As the need for this service grew, more disposal companies followed suit, including it in their service offerings. Organizations can leverage these services to easily gather remote assets and bring them into one centralized location for tagging, identification, assessment, data protection, due diligence, etc. It does not get much easier than having all of an organization’s remote assets shipped right to the loading bay doors.

CHALLENGE #3 – Dealing with often too-expensive tech hardware that you don’t need any more.  Organizations around the world placed an unprecedented demand on hardware technology manufacturers when the new working environment transition occurred. Stores were out of stock on many popular items, and organizations were left with purchasing whatever was available at that moment. Due to this, many organizations purchased non-standard assets that were significantly over budget and/or “over-powered” for the roles to which they were assigned. 

SOLUTION #3 – Sell now while demand is still high and supply remains low. A monumental opportunity exists for organizations to identify how to recoup expenses on excess computer purchases … and to do so as fully as possible. Companies and agencies that find a way to sell their assets back while demand is still high stand to gain back most of their expense. Particularly nimble and savvy organizations might even turn a profit! Proper asset disposal will need to be practiced in order to avoid an inadvertent leak of what could be sensitive employee, company, or client data.

IAITAM President and CEO Dr. Barbara Rembiesa recently went on camera to share more about the unique opportunities available to businesses coming out of this crisis.

IAITAM Outlines 3 Steps Organizations Can Take Now to Avoid Data Leaks

Posted in Commentary with tags on April 23, 2020 by itnerd

Just over the horizon for American businesses and government agencies is the return to the traditional office work environment. But what will companies and agencies do with the new laptops and other devices they put into employee homes in order to keep things going during state-imposed stay-at-home orders? The International Association of IT Asset Managers (IAITAM) today outlined the key steps employers need to take to protect their data and investments.

Many organizations purchased assets, licenses, service contracts, and other necessities to facilitate a work from home environment. Everything from scalable cloud architecture to increased VPN bandwidth and mobile hardware assets were all hastily purchased, with minimal consideration for how they would be integrated into IT environments.

Software vendors and related organizations (with scalability built into their licensing and service contracts) will likely be able to scale down as easily as they scaled up. Hardware, on the other hand, is a much bigger issue in an IT environment. Organizations will have quite a challenge on their hands because each one of those devices has to be handled with care to ensure that the data on them is protected and that the investment in them is not lost.

IAITAM is outlining three steps that organizations can take now: 

  1. Organizations will have to identify all of the new assets now. This can be problematic if procedures were not followed on the best practices for purchasing and accepting assets. Knowing what an organization has in their environment is the first step in any asset management program. If things moved rapidly or even chaotically within the company or agency to transition to work from home, now is an opportunity to double back and ensure that the details are gathered. 
  2. Assets need to be tracked and remote users need to understand the transition process. While work-from-home orders implied “home”, not every worker stayed home. Some chose to be with family, while others decided to visit friends or travel. This means the asset is travelling, as remote assets do. However, not every organization would have planned or accounted for that aspect in terms of security, possible use of the devices by third parties, etc. Additionally, organizations need to have an ingress plan for these remote assets. Ensuring that users know how remote assets will be collected and processed will go a long way to streamlining the transition back into the office. 
  3. A plan should be in place now to deal with excess hardware. Redundancy in assets was necessary when working from home but after coming back into the office, that end user will no longer need a laptop for home and a computer at work. What will be done with these excess assets and how the organization will recoup costs is critical to the back-to-the-office transition being less financially burdensome. Leasing assets would have been a strong option, but some organizations have already made their purchases. As such, charity donations and resale are all better options financially than simply dumping the excess hardware. Company and agency IT asset managers will need to ensure that all devices that are leaving the organization for good are disposed of in a secure fashion to avoid breaches.

Too Many Companies, Agencies “Wide Open” To Hacker Attacks: IAITAM

Posted in Commentary with tags on April 20, 2020 by itnerd

Today, the International Association of IT Asset Managers (IAITAM) is warning that breaches of corporate and government data appear to be running at a level even higher than experts had feared going into stay-at-home orders due to COVID-19.

Last month, IAITAM repeatedly warned of “nightmare data risks” for unprepared government agencies & companies, especially as end-of-the-month billing procedures were being carried out remotely.

Based on its preliminary analysis of early published reports, IAITAM is breaking down the biggest problems into four categories:  

  1. Assets left unsecure  –  An intentional decision to make devices less secure to allow for work from home (WFH) use.  One example would involve removing admin permissions so that employees can complete the task without administrator oversight. Another would be allowing the use of “unpatched” business computers that allow hackers to load malicious files with admin privileges.  In some cases, companies with high-end virtual private networks (VPNs) pre-loaded on business computers are allowing people to work from home on personal devices either with no VPN or with a lower-end virtual private network that may be less hacker resistant.
  2. “New” assets created – More and more reports are emerging of companies purchasing new devices or technology to account for employees working from home. In one case reported directly to IAITAM, a national health care company ordered 9,000 new laptop computers from a major online company and gave its IT department less than a week to prep the new machines and deliver them to users, who had little or no time for training and other security-related instructions. The concern: The more corporate assets that you have, the higher the risk of intrusion. Each asset becomes a doorway or entry point for a breach, particularly when it (or its user) is underprepared. IT Asset Managers help with this by providing the data necessary for corporate security teams to know what exists, where it exists, and what is on the device.
  3. Assets now unsecure in at-home environments – Many company devices were deployed into a WFH situation quickly, leaving little time to ensure that they would be secure via a virtual private network (VPN) or other means. Just last week, school districts in Oakland and Berkeley, California unwittingly became accomplices in their own data breach by accidentally making Google Classroom documents public, which contained access codes and passwords for Zoom meetings, as well as students’ names and comments.
  4. Employees unwittingly inviting in the intrusion – Human error allows for mistakes and creates a vulnerability (i.e. clicking on phishing emails or downloading malware). Google reported last week that it is stopping 18 million coronavirus scam-related emails every day, many of them targeting cash-strapped businesses looking for loans or other capital. An internal memo from NASA on April 6th revealed that increased cybersecurity attacks had been directed at their employees working remotely. These phishing attempts were disguised as appeals for help, disinformation campaigns or new information about COVID-19, to gain login credentials or install malicious software. This is a prime example of how an employee could unwittingly invite in an intrusion. IT Asset Managers are at the forefront of education and communication campaigns within organizations to help teach end users what they should and should not be doing.

Even companies that do not make a mistake themselves could still find themselves the victim of a coronavirus-related breach. Earlier this month, the Small Business Administration experienced a glitch with a coronavirus loan relief fund platform that publicly leaked the personally identifiable information of business owners across the nation.

The good news is that most or all of these issues can be mitigated with proper IT asset management (ITAM). Professionals in the ITAM industry facilitate corporate asset protection. Uncovering the vulnerabilities now, and then putting an action plan into place will save companies money in the end. If companies and businesses act now, they can turn today’s crisis into tomorrow’s opportunity.

IAITAM President and CEO Dr. Barbara Rembiesa recently went on camera to share more about what companies and government agencies should be doing.

IAITAM Opens Up No-Cost, Full-Day Course for Companies, Agencies Dealing With Work-From-Home Laptop, Phone, Data Problems

Posted in Commentary with tags on March 23, 2020 by itnerd

As more and more U.S. companies and government agencies send workers home to use personal smartphones, computers and tablets to do their work, the International Association of IT Asset Managers (IAITAM) has warned that many organizations are not taking proper precautions to track devices and safeguard sensitive data. Now, IAITAM is doing something about it by offering free passes to its full-day online course about how to manage mobile devices and the data they contain.

Up to 1,000 people can take the online Certified Mobile Asset Manager (CMAM) course on March 24th and March 26th from 9 a.m.-4 p.m. ET by registering online. The course normally is available only at its full cost of $2,000. The only difference between the free access and the full registration is the availability of offline course materials and the CMAM exam.

IAITAM’s CMAM course prepares individuals and organizations responsible for the management of mobile devices. The course encompasses both organizational owned assets as well as BYOD (employee-owned). The CMAM course has the IAITAM Best Practice Library as its foundation and encompasses financial viability, risk mitigation, policy enforcement and lifecycle management of mobile assets.

Last week, IAITAM warned: “Many companies and government agencies have already sent employees home to work remotely in response to concerns about the coronavirus.  This week, thousands of additional employers will likely follow suit until concerns about the contagion ease.  The International Association of IT Asset Managers is warning that most employers may have rushed into making their decision without thinking through how to secure their most sensitive data.”