Most of us can comprehend that hackers, thieves, and other nefarious individuals represent a constant threat to our business assets—including corporate data. Many don’t realize, however, that there’s a stealthier threat lurking, one that doesn’t come in the form of a person or even a virus! It’s our reliance upon protection that’s not (correctly) implemented, and it’s a threat that’s often overlooked—even during an audit.
The term “shelfware” describes software that is purchased and never installed. In my opinion, this is public enemy number two (behind the threats I listed above). Of course, even installed software is only going to provide protection if it’s activated and actually utilized. A good analogy is the home alarm system that never gets set, or is set and not working as expected. Unfortunately, this malfunction might not be discovered until the homeowner returns home and discovers they’ve been burglarized.
Despite our best efforts to keep in touch with our entire install base, we still encounter installations of our own software that are not actively running. PowerTech is certainly not unique in this regard as it’s a problem for all software vendors—but it’s a far bigger problem for the customer who’s suffering from the misconception that they’re protected.
So, why does this happen?
Occasionally it’s an intentional decision. Last year, I performed a deep-dive audit for a customer who had purchased Authority Broker to monitor the activities of their privileged users. During the interviews, I uncovered they’d stopped using the software “because of their auditors.” I was surprised because auditors love this solution! The administrator explained that using it raised a red flag when they performed restricted tasks (isn’t that the point!?) and responding to the auditor resulted in more work for them. Fortunately, management had not approved this process shortcut and a mandate was issued to resume its use immediately.
More commonly, the customer is not even aware that something is wrong. It can be as simple as not staying up to date with anti-virus signatures. Perhaps the application was migrated to new hardware and this invalidated the license keys, or an upgrade to a new OS release required some additional PTFs or steps to be taken. Maybe it was never configured correctly in the first place, or the only administrator left the organization and the application is languishing due to a lack of education. Regardless of the cause, if the software is no longer providing the anticipated protection then action needs to be taken as soon as possible. And we’re here to help!
An ongoing security initiative should include running occasional tests. If you don’t expect to be able to use FTP to transfer a file from the server, then attempt it and ensure that the request is rejected. If you’re monitoring database changes, make a change and verify that it’s logged. And, if you’re auditing events in real time, validate that the message is received when that event occurs.
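The FTP test described above can be scripted so that it runs on a schedule instead of relying on memory. This is an added example, not PowerTech or HelpSystems code; the function name `check_ftp_blocked`, the `FakeFTP` stand-in, the `.example` host names, the canary file path and the 550 reply text are all constructed so the check runs offline.

```python
import ftplib
import io


def check_ftp_blocked(host, user, password, remote_path,
                      ftp_factory=ftplib.FTP, timeout=10):
    """Attempt a download that policy says must fail.

    Returns (verdict, detail): PASS if the server refused the request,
    FAIL if data came back, INCONCLUSIVE if no explicit refusal was seen.
    """
    received = io.BytesIO()
    ftp = None
    try:
        ftp = ftp_factory(host, timeout=timeout)
        ftp.login(user, password)
        ftp.retrbinary(f"RETR {remote_path}", received.write)
    except ftplib.error_perm as exc:
        # 5xx reply: the server refused the login or the transfer.
        # Test with a file known to exist, or "not found" looks like a block.
        return "PASS", f"rejected: {exc}"
    except ftplib.all_errors as exc:
        # Timeout, refused connection, 4xx reply: nothing was proven either way.
        return "INCONCLUSIVE", f"{type(exc).__name__}: {exc}"
    finally:
        if ftp is not None:
            ftp.close()
    return "FAIL", f"transfer succeeded ({received.tell()} bytes)"


class FakeFTP:
    """Constructed stand-in for an FTP server (hypothetical hosts)."""
    def __init__(self, host, timeout=None):
        if host == "unreachable.example":
            raise ConnectionRefusedError("connection refused")
        self.enforced = host == "enforced.example"
    def login(self, user, password):
        pass
    def retrbinary(self, cmd, callback):
        if self.enforced:
            raise ftplib.error_perm("550 Request rejected")  # constructed reply
        callback(b"canary\n")  # the protection is installed but not active
    def close(self):
        pass


if __name__ == "__main__":
    for host in ("enforced.example", "shelfware.example", "unreachable.example"):
        print(host, check_ftp_blocked(host, "audit", "x", "/tmp/canary.txt",
                                      ftp_factory=FakeFTP))
```

Against a real server, omit the `ftp_factory` argument; an INCONCLUSIVE verdict deserves follow-up too, because a test that cannot reach the control says nothing about whether it is working.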
We want you to see the purchase of our software as an investment. If you suspect a problem with this investment, give the appropriate support team a call to verify the state of the application. Not sure how to reach us? Simply go to www.helpsystems.com and click the tab for the software brand you are using. I can’t speak for all vendors, but HelpSystems backs its solutions with class-leading live technical support—and we will get you up and running quicker than you can say “no more shelfware!”