- May 11, 2020
- Nichole Williams
Software Gone Wild: 7 Big Software Asset Management Risks in the New Normal
As our “new normal” of working from home sets in, companies are supporting a digital transition that has been quick and broad. Your workforce is now spread across many domestic locations, and IT is still implementing unprecedented changes to the company infrastructure. That decentralization and distraction have probably led to less Software Asset Management (SAM) oversight of employees and tools.
In short, there’s more opportunity for people to run wild and their software to be uncontrolled.
There are always hidden software license management risks when it comes to using software, due to the license agreements that govern that software. The average employee doesn't read Terms & Conditions -- everybody clicks away on the “I Accept” button when they fire up an application -- and the language would be obscure to them even if they did.
Unless you work in Software Asset Management, you won’t understand the possible software costs and agreements that might be triggered by accepting these T&C agreements. Or even realize that you should look for them.
So what are these risks? And how does a SAM Manager manage or reduce software costs while their wild world is still churning? Let's look at the biggest challenges now facing you in software license management, data management and digital security.
- Shadow IT Gone Wild: Free software has hidden costs
- Data Gone Wild: Unapproved software stores data
- Multi-Tasking Gone Wild: Mixing business and personal
- Devices Gone Wild: BYOD needs oversight
- Cloud Gone Wild: Unchecked SaaS increases software costs
- Networks Gone Wild: Security software needs updates
- Connections Gone Wild: VPN must protect data
Summary: Your Essential Steps to Control the Wildness
1. Shadow IT Gone Wild: Free software has hidden costs
People need applications. And they often need them fast while under a deadline. (Let’s face it, when aren’t you under a deadline?)
There's always been a risk of your employees using applications without asking permission. “Shadow IT” is software that’s managed outside of the SAM team and deployed in a work capacity without your official authorization.
Software vendors are temporarily offering cloud applications for free, in an effort to help people in their new work-from-home situation, and do subtle marketing and market penetration through that goodwill effort. It’s possible that your employees are initiating more SaaS software without your approval, generally with the intent of improving their workflow.
For instance, your Inside Sales team uses the company-sponsored GoToMeeting, but they’ve wanted to try a different tool for web-based conferencing. Now Adobe has offered free access to Adobe Connect for 90 days if you sign up for a trial license.
This is a time of experiment and trial-by-fire, right? So Inside Sales starts using that free software and doesn’t think about cloud cost management or what happens when this free period times out.
Financial management. Will an employee remember the software is on their computer if they haven’t used it regularly, and are there checks in place to keep the free trial from automatically turning to a billable subscription? If they have used it regularly and are now emotionally invested in using it (successful goodwill marketing!), can your budget handle the additional costs? If you shut down the software, how will your employee get their data out of the application? (more about this next)
Give your employees a list of software that you vetted, and how to request it, to ensure they stay within your SAM policies and away from Shadow IT accidents. You might add a lockdown on people’s work computers so they can’t initiate or install without getting IT approval and the proper licensing.
2. Data Gone Wild: Unapproved software stores data
Now that your employees aren’t working face-to-face, they have to supplement work behaviors built around being in the same room.
For instance, the Development team is used to being in an office with a whiteboard that people gather around to brainstorm. Or standing together in front of a wall, writing on sticky notes that visually build an idea.
Now that group needs a software collaboration tool which everyone can access and interactively work in. There are whiteboard tools like Miro and AWW that limit users and features at the basic tier, and expand those ranges when you move to a paid version. So the developers sign up for a freemium plan to just “get me through this one project, and then I’ll never use it again.”
The intent is good: Productivity without pause. But your company data is stored in these cloud services, untracked and out in the wild.
Data security and data propriety. Who owns the data that is entered into the application? How do you extract it, can you delete it from the vendor’s storage, and are there fees to do that? Does the software vendor have access to this data and are they allowed to keep it? GDPR has rules that specify the rights to erase data, but the vendor might have buried in their license agreement that they have the ability to hold your data, especially if they are giving you free access to their tool.
Similar to Risk #1, it’s essential for the Software Asset Management team to enforce a list of approved software and a formal request system to get it.
3. Multi-Tasking Gone Wild: Mixing business and personal
Employees are working from home -- and possibly from their sofa -- so time is more compressed with a new work-life balance. People who previously kept a firm divide between business and personal might now be tempted to use their work computer for personal tasks, and vice versa, to be efficient.
For instance, a salesperson checks their Microsoft Outlook email through an O365 webmail browser on their personal laptop, because they’re deep in a project but need to check for delivery windows for online groceries. It’s easier to multi-task from one computer. But checking email through an insecure webmail browser is a security risk. Additionally, someone in their household might discover the laptop unattended -- perhaps they’re also curious about the delivery status -- and start using it while the work email is open.
Or a web designer installs the newly free 90-day trial of Apple’s Final Cut Pro X on their work-issued laptop. Now they can play around with video clips during short breaks from a work project. However, this opens a risk for licensing issues and proprietary data when the trial runs out, as we talked about in Risk #1.
Data security and software license compliance. Employees might not be aware of company policy regarding how they access applications with sensitive information, especially people who typically handle low-risk data such as web design files. And you always want to ensure that a software license supports your user’s access points and data storage.
Employees must be trained in security policies, such as which software is allowed to be accessed on company versus personal devices. Remind them to use unique, strong passwords for each application, and to lock their computers when they walk away from them -- yep, even at home -- so accidental roommate eyes or sticky kid fingers aren’t on them. Protect the company’s documents by requiring remote storage services, such as Box or Dropbox, which you have vetted and licensed up.
4. Devices Gone Wild: BYOD needs oversight
Speaking of personal laptops… “Bring Your Own Device” is the practice of licensing your business software on an employee’s personal computer or smartphone. Basically, BYOD gives an employee a similar experience at work as they have at home, so they feel comfortable with the technology and enhance their job flexibility.
But wait... now employees are always working at home! Which means it is a bit more slippery to govern the management and licensing of those devices, because everyone is in a semi-renegade situation. An effective approach is making sure the Software Asset Management team is tracking the software and its data on each device.
For instance, a Customer Support specialist no longer moves between their office desk and home office desk. They’re on call to answer support questions at a late hour -- let’s say, while playing a midnight Fortnite game -- so it might feel natural to check the ITSM ticket queue from their phone, then access the ITSM system from their gaming computer, and save the help documents afterward to the desktop.
Keep in mind that BYOD is not a free-for-all for any personal device. The practice is kosher for compliance only if the devices have been approved and licensed properly.
Software license compliance and data security (again). Software license agreements often place restrictions on the device types that software can be accessed and used from, and sometimes even limit its usage to devices owned by your organization. And there are many technical issues to deal with, such as configuration of software apps and device lockdown.
Before an employee can access company data and the network, IT must first provision their personal devices, which includes checking the license terms and configuring password protection. Communicate your rules for the transfer of data to insecure locations such as cloud apps. You could make remote storage services such as Box or Dropbox the standard protocol, and even prevent local storage on non-business devices.
5. Cloud Gone Wild: Unchecked SaaS increases software costs
It’s a blessing and a curse: The ease of using cloud apps. Though your teams are now greatly spread apart, the team members can quickly jumpstart collaboration with a cloud-based tool, also called Software as a Service (SaaS).
Employees feel pressure to keep up their performance and project pace. Which means another aspect that’s probably jumped is the online resources they are consuming. What’s probably not increased accordingly is employees using your official IT channels to request the SaaS applications.
For instance, the Sales team was chatting with Slack before they were all working remotely. Now they need to expand that communication across two other teams, Inside Sales and Pre-Sales Engineering, and require paid-only capabilities like a full message archive and unlimited app integration. So they move from the free limited Slack to a paid group-wide instance.
It’s only “a couple bucks” per user so that seems low impact and reasonable. But as more departments do this, your cloud spend goes unchecked in two expensive ways. First, paid cloud accounts are increasingly activated without budget oversight. Next, those accounts can lead to penalty fees or overage costs if they’re used outside the vendor T&Cs.
Ineffective cloud cost management. You need to know which cloud services your employees are using, review those software license agreements -- because it’s likely that no one else did -- and keep tabs on their cloud consumption to make sure they’re staying within the allowable usage and not racking up over-usage or misuse fees.
Use a SaaS optimization tool to identify what cloud usage is ungoverned and how it’s licensed. A key activity is “rightsizing,” when you look at your highest points of cloud costs to find issues like over-provisioned services, high consumption, and under-used accounts. Once you know where your resources are going, you can decide what action should be taken, such as downgrading the SaaS licenses, adjusting the user permissions, or even shutting down accounts.
6. Networks Gone Wild: Security software needs updates
Security updates. Everyone hates taking down time to do them, but they’re more important than ever. Now that your IT infrastructure is dispersed and fully remote, it’s essential for security software to be present and always up-to-date.
Your office building has a secure firewall which makes vulnerabilities harder to access and attack. Working from home offices means employees are on unsecured or less secure domestic networks, and might require extra protective measures such as VPN (more on this next).
If your company doesn’t typically support remote work, there’s a big shift in IT operations. Now you have to set up security measures for an employee’s existing hardware. Or you might requisition new devices for use at home, without the opportunity to work on their operating systems and security permissions beforehand.
For instance, perhaps your Accounting team worked on desktops at the office so sensitive information was easier to control, and they’ve been told to order laptops online that are delivered directly to them. Now the accountants have to set up a new work laptop or their personal computers to access work systems.
Network security. Employees are connecting with laptops, tablets and smartphones that are notorious for poor security, and connecting over domestic networks without protective firewalls. Installing new software to handle security vulnerabilities also leaves room for mistakes in implementation.
Once their devices have been set up correctly with security software, have tight procedures in place to push your users to regular system updates and system patches. You have to monitor and enforce these behaviors, for instance, by tracking the people who haven’t rebooted their machines recently and asking them to run the update, or remotely taking over their computer and doing it for them. Make sure you clearly communicate to employees what personal information is accessible by your IT admins so there is always trust on both sides.
7. Connections Gone Wild: VPN must protect data
On the topic of security software... A Virtual Private Network (VPN) utility provides a secure connection to a company’s IT systems. When an employee uses their computer outside of the company network, the VPN routes their internet connection through a private corporate server, so data is transmitted securely. Now every employee is working outside the corporate network, and VPN is an essential tool. This is a software budget issue that might be unplanned but is suddenly necessary for keeping data safe.
If your company previously required the use of VPN, then you would have licenses for every employee. But perhaps your requirement was only for teams that worked with sensitive data. For instance, the Development team handles proprietary code and confidential product information, so when they’re not at the office behind a firewall, they are mandated to fire up a VPN to access cloud-based tools like Atlassian Jira.
If you didn’t require a VPN, well, now you need to reevaluate which employees need a license. Perhaps your Design department works primarily with software tools such as Adobe Creative Cloud that don’t handle sensitive data. Now they aren’t working in a room together so they’ve quickly moved to using Atlassian Confluence for sharing ideas and documentation, which means they are now remotely accessing data that should go through a secured network.
It’s tempting to look at low-cost or no-cost versions of VPN tools to save money in a compressed time frame. But as in Risk #1, be careful of free tools (or free versions of trusted tools) which might have terms that let the vendor access, analyze or retain your data.
Network security and software license compliance. Your employees need VPN software to keep data secure since they are no longer behind the company’s firewall.
For employees who are working with applications that need to be secured, immediately allocate more software budget toward VPN licensing. Ensure the VPN utility is from a trusted vendor and properly deployed across all employee devices.
Summary: your 7 essential steps to reduce software asset management risks and costs
Each risk in this article leads to the same conclusion: IT and the Software Asset Management teams need to set and enforce a system of software oversight or your company’s costs and software license compliance risks may surge. Your oversight might be wildly different if you’re in a large IT department with a lot of controls in place, or part of a smaller staff who serve many roles with not enough eyes. But as we operate in this “New Normal,” it’s a relevant topic for every company, and we’re all in it together. Here are the best practices to reduce software costs, protect against security risks, and ensure software license compliance:
- Train your employees about what software is allowed on their personal and business devices, and give them a list of approved applications
- Consider setting up a portal for employees to request cloud services and non-cloud software, keeping purchases under your supervision
- Track the hardware devices accessing your network, and bring them under management so you can set up security measures
- Make sure all devices are updated with the latest security software and OS patches, since they are now on less secure domestic networks
- Consider a standard protocol for approved remote storage services and, if needed, prevent local storage on personal devices
- Have a security system which lets you decommission a computer or smartphone quickly, such as remote wipe or bricking the device
Bottom line, you need to understand what software license management and security risks you’re newly open to, and communicate to your team about how to mitigate those risks. Know what software your employees are using versus what they have permission to use. If this doesn’t match up, explore Software Asset Management options which handle that exposure and keep you protected against compliance risk.