IT Briefcase Exclusive Interview: What the Recent China Supply Chain Hack Tells Us about IT Asset Inventory

October 11, 2018

Featured interview with Alan Lopez, senior director of product marketing at Flexera


In this discussion with Alan Lopez, senior director of product marketing at Flexera, we learn how the recent supply chain hacks from China will impact the IT Asset Inventory industry moving forward.

  • Q. Based on this hardware attack, what should companies do?

A. What companies do, and how quickly they do it, is directly related to what information they have. When a big hack hits the headlines, everyone jumps into action to answer a flurry of burning questions that all boil down to one thing: Are you exposed? Company executives want to know, the press wants to know, and your customers want to know. But it can be very difficult to get that answer unless you have all the information you need about every IT asset that’s in use across your enterprise. You may have multiple facilities dispersed across the country or even the world, multiple departments and divisions, and different people who manage inventories. In situations like this, the only way through the chaos is getting a picture of what you have, and then making decisions about what actions to take. Moving as quickly as possible through the process will help mitigate the damage.

  • Q. What information should companies be reviewing?

A. We see three areas that can help guide organizations during a hardware supply chain hack.

The first question is, “Which of our assets are vulnerable to the hack?” To get at that, you’ve got to have a reliable inventory that is frequently refreshed with automated hardware discovery agents. Then the data has to be normalized and housed in a central data warehouse to make it usable for analysis. It has to contain model numbers, model specifics and lineage data so you can accurately identify compromised equipment and assess your exposure.

After the chaos and questions about exposure, all of the attention quickly turns to remediation. So, when planning to replace exposed hardware, how do you know that the new hardware doesn’t have the same problem? How do you know that it is compatible with your existing systems? One risk in rapid fixes is that they break other things in the process. It’s important to consider more than just computing specs. Power consumption, heat dissipation, dimensions and operating temperature requirements can cause problems if not considered. Having access to rich information about hardware assets in the market can speed this stage up significantly.

How do you make sure you’re ready to quickly respond to the next new hardware supply chain attack? You’re going to need more detailed information about all the hardware in your asset database and a way to keep it up to date. For that to happen, you may need to require that your suppliers make that information available either directly to you, or in a data library that you can quickly pull from when needed. A response plan and staff trained to quickly pull and use the information are also a key part of being prepared.

  • Q. What’s the impact of this supply chain hack? What’s it mean for companies moving forward?

A. Data breaches can be financially devastating. The average cost of a data breach in 2017 was $3.86 million (IBM) and large breaches can range into the hundreds of millions. The number of data breaches has also risen sharply in recent years. It’s almost four times as high as it was just five years ago (Statista). With that looming risk in mind, how can you prepare yourself to respond to supply chain hacks? There’s a parallel here to the food industry where health problems with ingredients can have catastrophic impacts on a business. That’s why in the food industry there is a lot of transparency around ingredients, date-codes and use-by dates. What if businesses required hardware suppliers to provide details on commoditized code-containing parts that were used in their products? What if you had more model and version specific information that allowed you to contain hardware problems quickly? Setting a new standard of expectations around this type and level of supplier ingredient data is what can protect businesses in the future, and help to minimize the risk.

A. Flexera is firmly committed to developing a platform that gives IT departments the asset transparency and intelligence needed to get ahead of security and cost challenges. We’re already well on the way with Technopedia and applications that enrich and normalize asset data. As more suppliers add to the data our research teams are already collecting, and as more businesses demand and leverage that data, IT departments across all industries will be far better armed to respond to and even prevent the consequences of security breaches coming from hardware, software, SaaS or cloud IT assets.
