Protect Your Organization from Rogue Licenses: A Cybersecurity Practice

Do you have a corporate credit card? Many people in many organizations hold corporate credit cards for needed items; this just makes operations feasible. When purchases are made, someone (should) review those purchases to ensure there are no cybersecurity (or other) abuses. I contend that, in addition to ensuring there is no fiscal irresponsibility or violation of standard corporate spend use cases, there should also be a corporate license purchase policy. If a card holder needs to purchase a license for a software, hardware, firmware, or cloud solution, a check should be performed to determine whether another organizational entity has already purchased licenses and whether those licenses are completely utilized.

If you have 9 corporate entities that have each purchased 100 licenses and are only using 90 licenses each, that means you have 90 licenses that have been purchased in excess of the requirement. The cost to purchase may be a point of consideration, but so are the tracking costs (because all licenses should be tracked for renewal and compliance), the auditing costs (an annual check to determine whether these licenses are really benefiting the business), and other license-related costs.

This is not to mention that an insider threat can purchase a license, or use an already purchased license, to conduct harmful activity (purposefully or accidentally), such as storing sensitive corporate or personal data in an insecure cloud storage space that leaks because the license holder didn't know how to properly configure the cloud security controls. Licenses can help secure the environment or lead to leaked information, lawsuits, and irresponsible corporate spend; the choice lies only with the organizations that use data.