Here's a very common scenario: someone in the office buys a copy of a software program such as Adobe Photoshop and before you know it, everyone has installed it. It all seems so innocuous. The problem is, it's not legal. Your company is now out of compliance with the software program's licensing agreement and can face stiff audit-related fines (up to $150,000 per infraction according to Automation Access). What can you do to protect your organization and ensure software license compliance? Here are three simple steps to get you started.
Know your company's software licensing policy inside and out
Usually you do not own the software you license. It's only a lease; the software publisher still owns the software. And you might not even realize that you are pirating software because licensing agreements are so complicated these days. There are multiple license types, including open licensing, OEM, per PC (non-concurrent), per user (concurrent), volume licensing, upgrade licensing, competitive upgrade licensing and subscription licensing for software as a service, among others. An example of per PC licensing would be Microsoft licenses, which are non-concurrent. That means if you have 400 PCs in your business that run Windows Office, you must pay for 400 copies of Windows Office. While that seems fairly simple and easy to manage, it can get quite confusing. Some companies might ghost an image to create a standardized desktop throughout an organization without paying for additional licenses, for example. Thus, a very easy way for companies to fall out of compliance with a license agreement is to install software on more PCs than the number specified in the license. That means while it's necessary to fully understand your license agreements, it is just as important to carefully track the software they cover in order to stay in compliance. This leads us to step two:
Regularly audit and inventory software
You can determine what software your organization is running by periodically conducting an organization-wide software audit. This will help avoid unfortunate compliance surprises should an externally triggered audit occur later. The audit report should show:
· what software is installed
· whether it's being used and how often
· whether or not it's in compliance with licensing agreements
The good news is that many vendors now offer automated tools that effectively scan PCs and inventory software. The results will give you a good baseline of what software is installed and allow you to compare purchased licenses against your inventory to recognize what is in compliance and what is not. Your next step then is to find out how often the software is used by metering its usage in order to look for instances of licensed software not being used. That will help get a handle on the budgetary aspects of license compliance -- because if 150 of the 400 copies of Windows Office you purchased aren't being used, why pay for them?
Establish and enforce software installation and usage policies
Now for the tricky part and one of the most important things you can do. While understanding software licensing agreements and inventorying software is a solid starting point on the path to software license compliance, it is key to establish, disseminate, enforce, and update software installation and usage policies. The usage policy delineates what is acceptable and legal and what is not – and the consequences of software piracy. A comprehensive software policy addresses aspects of software usage during its entire lifecycle from acquisition to retirement, and covers such topics as installation, registration, and business and non-business usage. One key policy component is this: unknown and unauthorized software is a liability and should not be allowed to run. It could just as easily be non-licensed, user-installed software as it could be a virus, zero-day attack, trojan or spyware for that matter. And if those are allowed to execute, it can be worse than a nasty surprise audit. Many companies make software installation and usage policies part of their employee handbook, although these policies tend to change more frequently than handbooks, so plan on communicating changes to the policy as it is updated.
In the end, the three simple steps listed above will help your company stay on the right side of the law – and on budget. Not only can you guard against non-compliance and reduce the risks associated with fines and litigation from improper software usage, but you can also save money by retiring or reallocating unused software as well as negotiating licenses that better meet the needs of your business. And, you can more easily manage the lifecycle of software throughout the company overall. Please feel free to email me to share your experiences, feedback, or any questions you may have.
-Todd Brennan is cofounder and chief technical officer of Bit9