Guardians of Data: Building Cybersecurity Fortresses with Digital Asset Inventories


So what is a cyber asset inventory, and how does it affect cyber liability insurance and cyber security? Well, in any organization or in any structure, there are many devices that are cyber vectors. For example, your mobile device, right? It is a cyber device. Even things like VoIP phones that you may have in your organization, all the computers you see—all the computers behind me—are all devices. Even things like routers, switches, and modems—any device that connects to the internet is a cyber device.

Now, why is it important to consider those and have an asset inventory when it comes to cyber security? Any of these devices is a potential vector for a hacker, ransomware, cyber threat, malicious software, or virus to enter your organization. For example, you may have excellent cyber protection on your computers and on your server, but if your smart thermostat does not have good cyber security, an outside hacker may be able to get into it and use it to infect the rest of your network.

You might think, "Well, thermostat, why does that connect to my internet?" Well, think about it—every time that you have a new device that somehow connects to the internet to allow you to get information, you remember when you first set it up—what's your Wi-Fi password, what's your login, what are all the details for that device? An excellent example of this is televisions—your TV, your smart TV in your house. When you first install and set it up, you're all excited. The first thing you do is connect it to your router and to your Wi-Fi network, and that allows your television to get programming, shows, and scheduling—all of the things that the internet provides.

The internet's great in terms of getting your devices connected, but each one of those connections is also a way that the information can go the other way. Instead of your TV, thermostat, or computer accessing the internet, the internet can also flow the other way. Now, in theory, there are supposed to be protections, so it only flows one way, but see, that's what the hackers do. That's why they call them hackers, because they hack that connection to allow their code or their virus to flow the other way.

So, first, you have to start with an asset inventory—a list of all the devices on your network. There are a few ways to do that; certainly, your IT person can do it. You can go into your Wi-Fi network or your physical network and do a census and have it list out all of the devices. Some of them you won't be able to tell from that list on your router login; it'll just have a number, a MAC number, and an IP number, and you'll have to kind of backtrace that to which device it is. You may also have to do the process of elimination—identify the ones you know first and highlight them, and then the ones that are still remaining, go find them in your organization.

It's important to do that because you need to make sure each one of those devices, individually and also at an enterprise level, is protected from cyber threats. In fact, this may be a requirement for cyber liability insurance to make sure all your devices are properly protected. You also want to do updates on those devices. Most devices are going to have some type of regular update on their software, on their source code, maybe even on things like version 1.2 versus version 1.5. You want to make sure the current version is being used so that you don't have vulnerabilities or threats that can infiltrate your network and get into more sensitive devices.

For example, who cares if somebody hacks into your thermostat and makes your office too hot or too cold? That's not life or death; it's earth-shattering. But if they use your thermostat to get into your server, where they can download your accounts payable and receivable, that could be a bigger problem.

So, asset inventory is a very important place to start. You want to know what you're protecting because if you just protect part of your organization and leave one opening, the rest of it doesn't matter. It's kind of like having a roof over your house that you go out of your way to make sure it's secure and has one hole in it. It's not going to matter when it rains—that water is going to come in and ruin the rest of your house. You have to have your entire network protected. Good cyber security starts with an asset inventory, and then the protection goes from there, and the insurance goes from there if you have some type of cyber liability coverage.
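
The process of elimination described in the transcript, as an added example that is not part of the episode: it reconciles a router's connected-client list against a maintained inventory and reports devices nobody has identified yet, inventoried devices that were not seen, and devices running an older software version. The client-list layout, the inventory fields, and every address and name below are constructed assumptions.

```python
import re

# Constructed sample of a router's connected-client list: IP, MAC, hostname.
# "*" stands for a device that reported no name (assumed format, not real data).
ROUTER_CLIENTS = """\
192.168.1.10  02:00:5E:00:10:01  front-desk-pc
192.168.1.23  02-00-5e-00-20-02  *
192.168.1.31  02:00:5E:00:30:03  *
192.168.1.40  02:00:5e:00:40:04  thermostat
"""

# Hypothetical inventory keyed by MAC: installed version vs. vendor's current one.
INVENTORY = {
    "02:00:5e:00:10:01": {"name": "Front desk PC", "version": "1.5", "current": "1.5"},
    "02:00:5e:00:20:02": {"name": "VoIP phone", "version": "1.5", "current": "1.5"},
    "02:00:5e:00:40:04": {"name": "Smart thermostat", "version": "1.2", "current": "1.5"},
    "02:00:5e:00:50:05": {"name": "Conference room TV", "version": "1.5", "current": "1.5"},
}

def normalize_mac(mac):
    """Lower-case, colon-separated form so differently formatted MACs still match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_clients(text):
    """Map each normalized MAC in the client list to the IP it currently holds."""
    clients = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            clients[normalize_mac(parts[1])] = parts[0]
    return clients

def version_tuple(version):
    """Compare versions numerically, so 1.10 is newer than 1.9."""
    return tuple(int(part) for part in version.split("."))

def reconcile(clients, inventory):
    """Known devices drop out; what remains still has to be found or updated."""
    return {
        "unknown": sorted((ip, mac) for mac, ip in clients.items() if mac not in inventory),
        "not_seen": sorted(d["name"] for mac, d in inventory.items() if mac not in clients),
        "outdated": sorted(d["name"] for d in inventory.values()
                           if version_tuple(d["version"]) < version_tuple(d["current"])),
    }

REPORT = reconcile(parse_clients(ROUTER_CLIENTS), INVENTORY)
```
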
