The first principle of any security programme is deceptively simple: you cannot protect what you haven't identified. An organisation that doesn't know what devices are on its network, what data it holds and where it's stored, or what cloud services its staff use, cannot make sensible decisions about where to focus its security effort.
Asset inventory — the practice of knowing what you have — is the foundation that everything else in this series builds on. It doesn't need to be complex. For a small business, a well-maintained spreadsheet is entirely sufficient. This post explains what to capture, how to keep it current, and why it matters in practice.
What Counts as a Digital Asset?
A digital asset is anything in your organisation that stores, processes, or transmits information — and anything that provides access to something that does. The categories to consider:
Devices
Every desktop computer, laptop, tablet, and smartphone used for work. This includes personal devices used to access work email or systems (BYOD — Bring Your Own Device). For each device, note: who uses it, what operating system it runs, whether it belongs to the organisation or the individual, and whether it can access business data or systems.
Don't forget infrastructure devices: routers, switches, firewalls, printers, network-attached storage. These are less visible than staff devices but frequently less well-secured, and vulnerabilities in networking equipment are actively exploited.
Software and Applications
Every application installed on devices, every cloud service your staff use, every software-as-a-service subscription the business pays for. This is often the most surprising category: many organisations discover they have far more cloud services in active use than they were aware of — a phenomenon called shadow IT, where staff have signed up to services individually without IT oversight.
For software, the key questions are whether it is kept up to date, who is responsible for updating it, and what it has access to.
Data
Where does your sensitive data actually live? Client records, financial data, personal data, intellectual property — every category of data that would be damaging if compromised, lost, or disclosed. For each data type, identify: where it's stored (local servers, cloud storage, email, laptops), who can access it, and whether it's backed up.
This exercise frequently reveals data in places organisations weren't aware of: client records emailed between staff and sitting in inboxes rather than a CRM, financial data saved to personal laptops because the shared drive was awkward to access, personal data in spreadsheets that nobody remembers creating.
Accounts and Credentials
A complete list of all business accounts: email accounts, cloud service accounts, administrator accounts, service accounts used by systems to talk to each other. For each account, note what access it has and whether MFA is enabled. This inventory is particularly important for offboarding: when someone leaves, the account list is the checklist that ensures their access is fully revoked.
Suppliers and Third Parties With Access
Which external parties — IT providers, cloud services, contractors, accountants — have access to your systems or data? This is your supply chain from a security perspective. Each represents a potential entry point: if your IT provider is compromised, their access to your systems is the attacker's access to your systems.
Building Your Inventory: A Practical Starting Point
Start with what you know and add to it. Create a simple spreadsheet with columns for: asset name, type (device / software / data / account / supplier), owner or user, sensitivity (high / medium / low), and notes. Populate it from what you can see directly: the devices in the office, the subscriptions in the finance system, the accounts your IT provider manages.
Then ask your staff. The most reliable way to discover the cloud services actually in use is to ask: "What tools do you use regularly that aren't on the company's official list?" The answers are usually illuminating. A team that has adopted Notion for project notes, uses personal Gmail for some client communication, and shares files via personal Dropbox is not unusual — and each of those is an asset that needs to appear on your inventory.
Why This Matters in Practice
Three scenarios illustrate why a current asset inventory is worth maintaining.
The first is patching. Patch management — keeping software updated — is one of the most effective security controls available. But you can only patch what you know you have. An unpatched application on an unrecorded laptop is invisible to your patching process and represents an exploitable vulnerability.
The second is offboarding. When a staff member leaves, their access across every system they used needs to be revoked promptly. Without an inventory of accounts and systems, this process is guesswork — and accounts left active after someone has left are a persistent security risk.
The third is incident response. When something goes wrong, the first question is: what systems and data are affected? An organisation that cannot answer this quickly will waste critical time in the early stages of an incident investigation — time that directly affects how much damage the attacker can do before they're stopped.
Keeping It Current
An asset inventory that was accurate six months ago and hasn't been updated is partially useful and potentially misleading. Build update triggers into your operations: a new device or cloud service gets added to the inventory before it's deployed; a staff departure triggers a review of their accounts; a quarterly reminder prompts a check for cloud services that have been adopted informally.
The inventory doesn't need to be perfect to be useful. An 80% complete, current inventory is worth more than a 100% complete one from a year ago.
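As an added illustration (not part of the original post), the script below reads a CSV export of the spreadsheet described above and answers the questions the post raises: which entries are incomplete, what a leaver's offboarding checklist contains, which entries have gone stale, and which accounts lack MFA. The `last_reviewed` column, the "MFA: yes/no" note convention, and all sample rows are assumptions constructed for the example.

```python
import csv, io
from datetime import date

# Columns follow the post; "last_reviewed" and the "MFA: yes/no" note are assumptions.
TYPES = {"device", "software", "data", "account", "supplier"}
RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample export of the inventory spreadsheet (not real data).
SAMPLE_CSV = """asset name,type,owner,sensitivity,notes,last_reviewed
Finance laptop,device,A. Patel,high,company-owned,2025-01-10
Accounting admin,account,A. Patel,high,MFA: no,2024-03-02
Shared mailbox,account,J. Lee,medium,MFA: yes,2025-02-01
Personal Dropbox,software,J. Lee,medium,shadow IT; client files,2024-06-15
Client records,data,A. Patel,high,CRM; backed up,2025-01-20
Office printer,device,,low,firmware unknown,2023-11-30
Managed IT provider,supplier,J. Lee,high,remote admin access,2025-01-05
Old NAS,storage,J. Lee,low,,2024-01-01
"""

def load_inventory(text):
    """Return (usable_rows, problems); problems are (csv_line, message) pairs."""
    rows, problems = [], []
    for line, raw in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        row = {k: (v or "").strip() for k, v in raw.items()}
        if row["type"] not in TYPES or row["sensitivity"] not in RANK:
            problems.append((line, f"bad type/sensitivity: {row['type']}/{row['sensitivity']}"))
            continue
        if not row["owner"]:
            problems.append((line, "no owner recorded"))
        rows.append(row)
    return rows, problems

def offboarding_checklist(rows, person):
    """Assets recorded against a leaver, most sensitive first."""
    mine = [r for r in rows if r["owner"] == person]
    return [r["asset name"] for r in sorted(mine, key=lambda r: RANK[r["sensitivity"]])]

def stale(rows, today, max_age_days=180):
    """Entries whose last review is older than max_age_days."""
    return [r["asset name"] for r in rows
            if (today - date.fromisoformat(r["last_reviewed"])).days > max_age_days]

def accounts_without_mfa(rows):
    """Account entries whose notes do not say 'MFA: yes'."""
    return [r["asset name"] for r in rows
            if r["type"] == "account" and "mfa: yes" not in r["notes"].lower()]

if __name__ == "__main__":
    rows, problems = load_inventory(SAMPLE_CSV)
    print(problems, offboarding_checklist(rows, "A. Patel"), stale(rows, date.today()))
```

Rows with an unrecognised type or sensitivity are reported and skipped rather than silently accepted, so a typo in the spreadsheet cannot hide an asset from the offboarding or staleness checks.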
Visibility Is the Foundation
SOC in a Box begins with a network topology review during the onboarding process — mapping your assets, identifying what's connected, and establishing what needs to be monitored. Your named analyst builds and maintains this picture of your environment so you don't have to manage it yourself.