Select Page

Zombie (Ghost) Assets and How to Stop Them

25

May, 2020

by Daniel Longest

Zombie and ghost assets sound exciting, like a late-night movie you’d watch around Halloween. While in reality they may not be that exciting, they’re scary if you don’t understand and prevent them. The good news is the steps you need to take don’t necessarily require any special technology (though some might come in handy). Instead, it requires only good old-fashioned management to set up, resource, and run the right processes.

In this post, we’ll explore zombie and ghost assets with a focus on

  • What they are
  • How they occur
  • How they impact your business
  • What steps you can take to handle them

We’ll start by discussing what assets are and the importance of an asset statement. Then we’ll discuss zombie and ghost assets and why they matter.

 

A Brief Primer on Asset Management

Before diving into zombie and ghost assets, it’s critical we first understand some key concepts about assets, generally, and IT assets, specifically. In common business language, an asset is anything owned by the business. Typically, a business uses an asset to produce value. For example, a manufacturer owns a factory with manufacturing equipment. Both the factory and the equipment are assets to the business that are used to make products to sell. That said, an asset doesn’t have to be directly involved in value creation, as the office equipment used by management also counts as an asset.

Standard accounting procedures produce three financial statements on a quarterly basis: the balance statement, the income statement, and the statement of cash flows. The first of these, the balance statement, lists the financial value of all assets owned by the business. There’s a lot to how that happens, but the key for our purpose is this: The assets must be accounted for, as they impact the financial position of the company and that position can affect the ability to get loans and to value the business, among other reasons. Also, for public companies in some countries, the statements must be accurate (within some margin) under legal penalty.

Asset Life Cycle

All assets go through a life cycle that typically consists of four steps. First, an asset is acquired or created. Typically, this involves planning for and then purchasing the asset. There are many ways to finance assets depending on the cost and purpose and all of that happens in this phase. Second, and hopefully the largest part of the life cycle, the business uses the asset as intended to produce value. Next, and actually iterative with the using phase, the business performs maintenance activities on the asset, either as needed due to failure or on a proactive schedule. Last, the business disposes of the asset when it’s reached the end of its useful life.

A key part of successful business operations is managing the asset life cycle properly. In doing so, the business ensures the right assets are always available to run the core business, even as assets move independently through the life cycle.

What Are IT Assets?

IT assets are the software and hardware owned or used by a business.

Some of the most common assets you will see in your IT & Test Environments are:

  • Server hosting your applications
  • Employee computers
  • Office printers
  • Mobile devices
  • Software licenses
  • Data

Just like other assets, it’s critical to monitor and track IT assets, as they affect the statement of assets for the business. As we’ll learn, ghost and zombie assets are names used to describe IT assets that get into a problematic state that detracts from the accuracy of those statements.

What Are Zombie and Ghost Assets?

Both zombie and ghost assets refer to a type of asset that is improperly represented on the asset ledger, simply in different directions:

  • A ghost asset is one that the business has on the books but can’t be located
  • A zombie asset isn’t on the books at all, but is on-hand

These may not sound like dire problems when considered on a small scale. But across an entire company, these assets combine to present major issues.

How Do Zombie and Ghost Assets Impact Your Business?

These may not sound like dire problems, but remember the earlier discussion about the asset statement. First, the company must be able to produce an accurate statement of its assets. Second, both types of assets unnecessarily increase risk. One way, maybe the most obvious, is the impact to the asset statement’s accuracy, which puts both company decision making and potentially regulatory compliance at risk. A second way, especially for IT assets, is the item lays outside the standard security program and may be used as an attack vector for cybercrime.

How Do They Occur?

Zombie and ghost assets occur when a business lacks the necessary processes or controls to track and manage assets. Typically, it’s common for a company’s asset tracking to start off on a spreadsheet and move to something more elaborate later, if necessary. For example, a small IT department issues laptops and mobile devices to employees, and they use a spreadsheet to track issuance and return of the devices.

Here are some situations where ghost and zombie assets can occur:

  • Employees use a written sign-out sheet to borrow a shared laptop with special presentation software. Then, the laptop goes missing one day, and it’s never reported and no one notices its absence.
  • An employee reports a lost laptop to IT and are issued a new one. As a result, IT updates the asset’s life cycle to properly reflect this loss. Later, the employee finds the old laptop and returns it with their other equipment on their last day of work.
  • The business buys software licenses without including IT. As a result, such purchases are not reported to the group responsible for IT asset management

What Steps Can You Take?

The first step to take to mitigate the effects of zombie and ghost assets is to take IT asset management seriously and invest resources to do it properly. First, there’s a fair amount of software in IT asset management that simplifies the tracking. Much of this software integrates with accounting software, so it ties nicely into your finance group’s needs. That synergy improves processes across several different departments, and that’s generally a huge time-saver.

Second, even without IT asset management software, assign accountability for asset management to a staff member, if you haven’t done so already. This accountability, when built into job descriptions and goals, provides the necessary incentives to manage this area properly. Don’t assume that the person who’s buying your servers is the right person to handle these duties just because they do a lot of purchasing. Additionally, put actual processes around asset distribution and management. For example, don’t allow staff to borrow assets and self-report such usage via a sign out sheet, whether that’s paper or digital. An accountable staff member is needed to create, manage, and execute processes.

Third, consider RFID or similar technology for tracking the location of physical assets. These tags on hardware such as servers, mobile devices, and similar auto-reporting status and location make ghost assets much more difficult to stay invisible.

Last, in a technology space that’s moving to more cloud services, consider the role of IT assets for operations altogether. One of the big benefits of cloud computing is the transition of costs from capital to operating expenses. On the one hand, this transition may allow you to replace asset purchases with leases and thus avoid the need to track assets altogether. On the other hand, some IT assets will still be needed and leased hardware must still be tracked.

Wrap Up

In this post, we’ve learned about IT asset management and the impact ghost and zombie assets have on your business. It’s critical to invest in proper asset management practices to avoid the unnecessary cost and risk of these assets. Otherwise, you’ll be in a tough spot when accounting and IT senior leadership comes calling.

Daniel Longest

This post was written by Daniel Longest. With over a decade in the software field, Daniel has worked in basically every possible role, from tester to project manager to development manager to enterprise architect. He has deep technical experience in .NET and database application development. And after several experiences with agile transformations and years spent coaching and mentoring developers, he’s passionate about how organizational design, engineering fundamentals, and continuous improvement can be united in modern software development.

Relevant Articles

Supporting Privacy Regulations in Non-Production

18 SEPTEMBER 2020 by Arnab Chowdhury Every aspect of our daily lives involves the usage of data. Be it our social media, banking account, or even while using an e-commerce site, we use data everywhere. This data may range from our names and contact information to our...

What Makes a Good Enterprise Release Manager?

09 SEPTEMBER, 2020 by Michiel Mulders Do you want your company to scale efficiently? Look for an enterprise release manager (ERM). An ERM protects and manages the movements of releases in multiple environments. This includes build, test, and production environments....

What Is Data Masking and How Do We Do It?

04 AUGUST, 2020 by Michiel Mulders According to the 2019 IBM Data Breach report, the average data breach in 2019 cost 3.92 million USD. Businesses in certain industries, such as healthcare, suffer more substantial losses—6.45 million USD on average. As the amount of...

What is and why have a Release Calendar?

13 JULY, 2020 by Eric Boersma Every project manager in the world shares a similar stress. They’re working on something important, and a key stakeholder sticks their head around the corner. They ask a small, innocent question. “When are we going to release that...

What is and why have a Test Environment Booking Form?

01 JULY, 2020 by Diego Gavilanes Ever since the dawn of time, test environments have been left for the end, which is a headache for the testing team. They might be ready to start testing but can’t because there’s no test environment. And often, the department in...

Data Literacy and GDPR (Know Your Risk)

29 JUNE, 2020 by Carlos Schults In today’s post, we’ll discuss data literacy and its relevance in the context of GDPR. We start by defining data literacy and giving a brief overview of GDPR. Then we proceed to explain some of the challenges organizations might face...