Jonathan Bass, managing director of NetTrace.
Overburdened security professionals often dismiss enterprise asset management (EAM). But the recent extension of Protection of Personal Information Act (POPIA) regulations to include the loss or theft of devices exposes organisations to what could be a very expensive compliance headache.
The main challenge is not a lack of awareness about the importance of security, but rather a misalignment of priorities within security teams. Security leaders and their teams already have a host of dashboards they are monitoring and they are overwhelmed. If you raise EAM with them, there is a perception that this involves more work.
The focus at many organisations tends to be on high-profile security controls, while the less glamorous but essential task of asset data integrity is relegated to the background.
This oversight is not without consequence. According to IBM, the average cost of a data breach in SA reached R44.1 million in 2025, rising to R70.2 million in the financial sector, demonstrating the multimillion-rand consequences of compliance failure.
Companies can’t protect what they do not track and monitor, and EAM plays a fundamental role in any security strategy. The proliferation of devices, cloud services and applications, often acquired outside official procurement channels, has made manual asset management unfeasible.
As a result, shadow IT and untracked devices can easily slip through the cracks, creating blind spots that attackers are all too ready to exploit.
Companies can’t protect what they do not track and monitor, and EAM plays a fundamental role in any security strategy.
Shadow IT represents a significant risk. Unmonitored devices like personal devices connected to networks, unmanaged hardware and ghosted devices create risks of data exfiltration.
Unauthorised software and apps, especially GenAI applications like ChatGPT, also greatly expand an organisation’s attack surface, making it challenging for IT teams to track all digital assets, with data leaks, breaches and regulatory violations going unnoticed.
These devices can also lead to duplicated software licences, tool sprawl and hidden costs, making IT budgeting inefficient and forcing IT teams to manage fragmented systems. This will impact incident response, asset tracking and consistent policy enforcement.
Just like the European Union’s General Data Protection Regulation (GDPR), South Africa’s POPIA requires organisations to ensure data security throughout the asset lifecycle.
The regulator requires responsible parties to take appropriate, reasonable technical and organisational measures to prevent unauthorised access or security compromises, which includes risks from old or discarded devices.
And, just as with the GDPR, when it comes to data breaches, POPIA makes provision for fines and even jail time for those responsible for data leaks.
However, many organisations aren’t aware of recent changes. The 2025 amended regulations have been extended to include stolen and lost devices within the scope of ‘security compromise’. This means that the loss or theft of physical devices such as laptops, mobile phones, USB drives, or other equipment containing personal information now constitutes a reportable data breach.
Businesses must now treat the loss or theft of IT equipment as a security compromise, requiring immediate reporting to the Information Regulator and notification to affected data subjects. This expanded definition makes the need to protect both electronic and physical forms of data exposure all the more urgent.
The consequences of non-compliance could be severe. In the event of a data breach, organisations are expected to quickly identify which assets were affected, what data was exposed, and how the incident occurred. This is only possible with a robust EAM system in place.
If companies don’t have a complete and accurate asset register of all devices, services, apps and databases, they can never know which asset was affected and they can’t map owners and data types to it.
Despite these risks, convincing security leaders that EAM should fall under their ambit remains challenging, with the perception that the discipline is still largely a laborious, manual chore.
Automation and integration of asset configurations and critical asset attributes have made it possible to maintain accurate asset inventories and apply security controls at scale, reducing the risk of unpatched or misconfigured devices.
This reduces the risk of vulnerabilities going unnoticed and helps prevent common threats, such as ransomware, which often exploit unpatched systems. Automation and discrepancy management also make it possible to quickly identify devices that fall out of compliance, or are missing critical security tools, allowing for rapid remediation.
Automation supports the detection of shadow IT by comparing procurement records with actual devices in use, highlighting unauthorised or unmanaged assets that could introduce security risks.
By removing the reliance on manual updates and spreadsheets, automation of system configuration management not only improves accuracy but also frees up staff to focus on higher-value security activities. This allows organisations to maintain a much higher standard of device security, even as their environments become more complex and dynamic.
The security stakes are only getting higher. As threats become more sophisticated and regulatory scrutiny intensifies, organisations that fail to prioritise EAM are not only increasing their exposure to attacks but also risking costly compliance failures.
Asset management is not a back-office function, but a core component of modern cyber security and risk management.
