Inventory and Control of Software Assets to Prevent Data Breaches

By Ed Snow and Annette Smith, DPI

Know your software. U.S. schools leaked 24.5 million records in more than 1,300 data breaches since 2005. These are known data breaches; many go undetected or unreported.  And NBC News reported ransomware gangs published data from more than 1,200 K-12 schools in the U.S. in 2021.

One of the best preventative measures to protect your students’ and school’s data is taking regular inventory and control of your school’s software assets. While many school district budgets are tight, the cost of using free software or not controlling the software used may be catastrophic. A survey from cybersecurity firm Sophos reported ransomware attacks costs educational institutions $2.73 million on average. Compared to other sectors this added up to the highest cost after factoring downtime, repairs, device costs, and lost opportunities.

As October kicks off Cybersecurity Month, it is time to assess how secure is your school’s data. In conjunction with NNT’s CIS Controls, the Department of Public Instruction is sharing some tips to help school and district leaders get started and put a plan in motion.

The first step is to identify and create an up-to-date list of all authorized software. Without knowledge of what has been loaded on individual computers or systems, unauthorized software could introduce what would have been a preventable security threat to your school or district.

Make sure the authorized software applications are supported by a vendor, meaning there are regular updates to fix security or performance issues. When software is no longer supported, it is left vulnerable to hackers.

There are tools available to help with software inventory. NNT’s Change Tracker Gen7 R2 and Vulnerability Tracker not only audits the software installed, but also makes sure the software is free of already known vulnerabilities. Whichever system you use, your inventory should include the name, version, publisher, and install date for all software.  

Last month’s AWSA article discussed the importance of inventorying a school’s hardware assets. Connect your hardware asset inventory to your software asset inventory and keep track of it in one place. Doing so will make the inventory process more manageable.

If you find unapproved software during your inventory process, the software should either be removed, or the list should be updated. Remind staff, software should not be installed on their business computers without approval from the appropriate personnel including your IT department. Developing and sharing an approved software list with staff will help prevent miscellaneous software from being added to individual computers.

Finally, regularly scan and update all software. Maintaining software inventory is an ongoing and everchanging process. Knowing and having control of your school’s or district’s software will prevent unnecessary data exposure and help keep your students and staff safe from cyberattacks. For more information on how to create and maintain a software inventory, please contact Ed Snow or Dr. Annette Smith with the DPI’s Instructional Technology Services Team or visit https://dpi.wi.gov/cyber-security for resources and cyber/data announcements.