
Many companies don’t track devices accessing their networks. That’s expensive—and risky

Sevco report finds “stale” licenses, outdated devices abound.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

After Halloween, do you have phantom devices on your network?

According to new data from Sevco Security, many companies face the “chilling” reality that they don’t know about or can’t account for a large number of assets that have access to their IT networks.

In an October report that examined roughly 500,000 IT assets, Sevco found that about 22% of endpoint protection software—the next generation of antivirus software—and 7% of patch and configuration management software are licensed but not in use.

This means that companies are paying for licenses to cover devices that no longer exist on the network or were retired incorrectly.

The rise in unused endpoint protection and patch/configuration management software licenses, up from 16% and 6% respectively last year, can be partly attributed to sloppy corporate downsizing that cut employees without reflecting those changes in device management practices, Sevco Founding Member James Darby told IT Brew.

“It’s no surprise that the tech industry has had a lot of layoffs in the last couple of quarters,” he said. “What we’re seeing is they’re not cleaning up their SaaS inventories—so, their endpoint protection or their patch management.”

A lack of visibility into network assets isn’t only costly. It can also leave companies open to security and compliance gaps, Sevco found. About 11% of the IT assets Sevco analyzed lacked endpoint protection, and 31% lacked enterprise vulnerability management systems.

Additionally, 0.5% of IT assets were devices whose manufacturers are banned by the US government—including Huawei, ZTE, and Hikvision. About 1% of devices no longer receive security updates and are at the end of their life cycle, Sevco found.

When companies are unaware of the quality and state of devices accessing their networks, Darby said, it can lead to false reporting to regulatory bodies like the Securities and Exchange Commission or noncompliance with regimes like the EU’s General Data Protection Regulation.

“These are the kinds of things that you attest to, that you cover all your devices with endpoint protection, that you cover all your devices with patching configuration management,” he said.

The remedy for a network-access jump scare? Implement an asset-intelligence platform to track devices and their levels of protection across your network, Darby said. When companies can tell where noncompliant or unprotected devices live on their network, they typically spring into action quickly, he said.

“Once you get all those inventories aligned and in agreement, you can see the gaps in your network,” he said. “Customers are really good at plugging those gaps once they see them.”
