Though many company leaders have detailed processes for managing their physical assets, they don’t necessarily pay the same attention to their software. That oversight can introduce preventable cybersecurity risks.
Fortunately, the rise of software asset management (SAM) is changing things. SAM involves people consciously influencing all aspects of acquiring and using software, from procurement to internal usage policies to updates and end-of-use decisions.
Since cybercriminals often exploit software vulnerabilities to access companies’ broader infrastructure, SAM investments can protect organizations against cyberattacks and breaches. If you’re considering making SAM part of your cybersecurity strategy, there are specific steps to take.
1. Purchase Software From Approved Vendors
You can establish a robust SAM policy by requiring that the people in your organization responsible for buying software get it only from reputable vendors who sell official versions of the desired products. Some individuals unwittingly end up with pirated versions because they want to save money. If a company offers software for a significantly below-average price, that’s suspicious and could even cause cybersecurity issues.
A 2024 study examined the prevalence of malware in software pirated in southeastern Asian countries. The findings revealed Trojan viruses in 35% of the sample and adware in 34% of the pirated products. Additionally, the infection rate for hard disk drives was 96%, while it was 26% for downloaded items.
Since many people initially find pirated software online and use it while interacting with others worldwide, it’s easy to imagine how their attempt to save money could quickly become a significant and widespread cybersecurity risk. The safest alternative is to purchase software directly from the entities producing it or their authorized vendors.
2. Create a Permitted Software List
As your company’s IT leaders choose which software to buy and from where, its employees will naturally find out about other software products they’d like to try, often to save time or improve their processes. However, in their eagerness to use it, many will not realize they need approval first, causing what industry professionals call a “shadow IT” issue.
A 2025 report indicated 85% of administrators wanted a centralized platform to manage devices, identities and access. Many also recognized the risk of unauthorized apps used within their organizations. Making and maintaining an updated list of software people can and cannot use is a practical way to apply SAM to this emerging risk.
IT professionals can institute blocks and bans more easily once they know the names and versions of forbidden software products. Additionally, setting an employee policy that requires a worker to receive permission before downloading and using specific titles eliminates the possibility of people asserting that they did not know better.
3. Install All Updates Promptly
Many users rely on dozens of software products during typical workdays. Considering that some companies have thousands of workers and devices to manage, it’s easy to understand how IT teams fall behind with software updates.
However, this is a cybersecurity threat that SAM can address. Software updates are not always free, but SAM tools can identify which ones customers may install without incurring extra charges. Similarly, they help users verify that they have updated the software on all applicable devices. That visibility is crucial since cybercriminals need only a single unpatched vulnerability to exploit.
You should also activate automatic updates if the software offers them. IT teams have numerous responsibilities to manage, and having one less thing to keep track of is a definite win.
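The permitted-list check from step 2 and the update check from step 3 can run as one audit over a device inventory. The sketch below is an added example, not part of the original article; every product name, version and hostname in it is constructed, and the policy format (title mapped to a minimum patched version) is an assumption.

```python
# Added example: audit a device software inventory against a SAM policy.
# Every product name, version and hostname here is constructed sample data.

PERMITTED = {"examplepdf": "12.4", "exampleeditor": "3.9.1"}  # title -> minimum patched version
FORBIDDEN = {"exampletorrent"}                                # titles banned outright

INVENTORY = [  # (device, title, installed version)
    ("laptop-01", "ExamplePDF", "12.4.0"),
    ("laptop-01", "ExampleEditor", "3.10.0"),
    ("laptop-02", "ExamplePDF", "12.3.9"),
    ("laptop-02", "ExampleTorrent", "2.0"),
    ("desktop-07", "ExampleChat", "1.2"),
    ("desktop-07", "ExampleEditor", "3.9-beta"),
]


def parse_version(text, width=4):
    """'3.10' -> (3, 10, 0, 0): numeric, zero-padded, so 3.10 > 3.9 and 12.4 == 12.4.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def classify(title, version, permitted=PERMITTED, forbidden=FORBIDDEN):
    """Return 'ok', 'forbidden', 'unapproved', 'outdated' or 'unreadable-version'."""
    name = title.strip().lower()
    if name in forbidden:
        return "forbidden"
    if name not in permitted:
        return "unapproved"  # shadow IT: installed without being on the list
    try:
        behind = parse_version(version) < parse_version(permitted[name])
    except ValueError:
        return "unreadable-version"  # flag for manual review, never assume patched
    return "outdated" if behind else "ok"


def audit(inventory=INVENTORY):
    """Group every non-compliant install by device."""
    report = {}
    for device, title, version in inventory:
        status = classify(title, version)
        if status != "ok":
            report.setdefault(device, []).append((title, version, status))
    return report


if __name__ == "__main__":
    for device, findings in sorted(audit().items()):
        for title, version, status in findings:
            print(f"{device}: {title} {version} -> {status}")
```

Comparing versions as padded integer tuples rather than strings is what keeps 3.10.0 from being reported as older than 3.9.1.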
4. Set Security Policies for Users
Many software products give people access to massive amounts of data, making them attractive targets for hackers to infiltrate. However, users can either be the first defense against such efforts or the weak link.
Require people to set strong and frequently changed passwords when using software. Weak or common passwords increase the success rates of brute-force attacks, in which cybercriminals rapidly try different combinations to find the ones that work.
Another option is to restrict people’s access to features or information according to what they need to do their jobs. That is a security-centered decision because it prevents access from becoming concentrated among relatively few people. In addition to causing hassles if some employees suddenly quit or cannot come to work, an unnecessary concentration of access increases the risk of targeted phishing, such as business email compromise attacks.
Though SAM includes actions people take when software is so old that vendors no longer support it, organizations should also establish steps to go through when people leave the company. Using a dedicated dashboard to revoke access is a simple but effective option. It also may prevent businesses from paying for unnecessary software licenses because some vendors allow administrators to reassign licenses as their workforce makeup changes.
Alter SAM Practices When Needed
These tips will help you find the most appropriate ways to bring SAM into your cybersecurity plans, no matter your company’s size or the number of software products used. As you apply them, remember to remain flexible and change how you use software asset management to match your company’s evolution.
Offering new products or expanding the organization typically causes software usage shifts. However, you’ll get the most significant impacts from SAM principles by deploying them through methods reflecting your current needs.