Originally published in HLB Insights

There are many reasons why a business will operate on an international scale. Whether it is to generate additional revenues, gain exposure to foreign investment opportunities or to hedge against local market risks, there are many advantages to operating beyond domestic borders.

However, as companies grow, so does the IT infrastructure required to support the business operations, which can increase the complexities of managing their virtual assets.

Over 70 percent of IT leaders say they have not created a formal software asset management (SAM) strategy, which means many companies lack a clear view of their virtual assets. This lack of control leaves a company more vulnerable to cyberattacks and exposes it to wasted IT cost and the risk of legal noncompliance.

Vulnerability Around Cyberattacks

According to research from IBM Security, the average cost of a data breach to a company is $3.9M. Almost 25 percent of reported cyberattacks are due to vulnerabilities in end-of-life IT systems and software that is out of date and no longer supported with security patches.

  • Arizona Beverages lost millions of dollars in sales because of a cyberattack that was attributed to many of their back-end servers running old and outdated Windows operating systems that are no longer supported. Most had not received security patches in years.
  • Equifax has been ordered to pay over $650 million in settlement for its data breach, in which 143 million consumers were affected. The House Oversight Committee report concluded that the breach occurred due to systems and software that were old and out of date, stating, “Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate.”

As a company’s IT infrastructure grows to support its global business, it likely will translate into multiple data centers across locations, both domestic and international. It is critical to establish and implement a SAM strategy in order to manage and monitor growing virtual assets for vulnerabilities.

Wasted IT Spend

A global company should take advantage of volume-based discounts. If the corporation has separate procurement teams in each region, by default, it is already overpaying for its software. Centralizing its procurement team to purchase licenses for the global corporation will allow a company to receive larger volume-based discounts than it would if each entity purchased individually. Make sure to carefully negotiate the license agreement terms to avoid any restrictions around where a company can install the purchased software. To further increase the discount rate, time purchases to occur during the fiscal year-end for that specific software vendor.

With the above in mind, a software asset management baseline of current virtual assets and licenses is essential prior to negotiations to understand what it is a company has and what it is actually using. Without doing so, a company will likely be paying for support and maintenance on licenses that it is not utilizing.

Legal Non-compliance Exposure

A lack of licensing knowledge on the part of a company’s subject matter expert is the most common skill gap behind legal non-compliance exposure going unnoticed. Complications with specific vendors, products and terms can still be missed by experts and need to be managed. For example:

  • Vendors: Although there may be some similarities, licensing across software vendors is different. Furthermore, each vendor may define technological terms differently (e.g. Processor, Core, etc.)
  • Products: Even with a single software vendor, each of its products is licensed differently (hardware based, user based, capacity based, resource based, etc.)
  • Environments: Each software vendor and product has different licensing terms and license requirements depending on the environment where the software is installed (production, test, QA, etc.)
  • License Metric Changes: It is fairly common that software vendors will change how their products are licensed through the years; even the same product one year may be licensed differently the next year. These changes are not publicized by software vendors and go unnoticed by subject matter experts until it is too late
  • Special Terms: There may be special licensing terms and restrictions that may apply to specific contracts in comparison to the standard terms and conditions

Additionally, a company could have all the tools and technology in place to manage its virtual assets and still be exposed to non-compliance because it does not understand its contracts. Let’s say a company has historically acquired licenses from Microsoft. At large corporations, the team purchasing the licenses (procurement) is typically not the same team deploying them (IT). IT’s primary role is to ensure the IT environment is stable to support the business needs, and it therefore does not focus on or care about the contractual terms governing how the Microsoft products can and cannot be used. Many fail to realize the restrictions in these agreements. For example:

  • Location Restrictions: There is nothing built into the software that prevents it from being installed in certain regions, yet there are terms and conditions in license agreements that limit where someone can install the software. If a company has purchased the software in the U.S., but deploys it globally, it may very well be violating the license agreement from the start. Here is an example of some license restriction language:
    • Local Network License: The software may only be accessed or used by Authorized Users at the Installation Site or any Customer facility within ten miles.
    • Country Network License: The software may only be accessed or used by Authorized Users at Customer facilities located within the country where the Installation Site is located.
    • Regional Network License: The software may only be accessed or used by Authorized Users at Customer facilities located in Europe and countries in the Middle East and Africa.

Failure to actively manage software licenses often results in legal penalties for a company through the likes of over-deployed software and piracy. Additionally, without software asset management, a company is likely wasting IT spending by paying recurring support and maintenance fees on software licenses that are not in use or needed.

Conclusion

In conclusion, the lack of a software asset management strategy and framework, for any company, creates exposure around cyber security vulnerabilities, wasted IT cost and legal noncompliance. These risks are further multiplied for global corporations. GHJ has extensive experience providing SAM strategies for international business. If you have questions or want to create your own SAM strategy, please contact GHJ Royalty and Licensing Principal Brian Watson.