Marketing Communications Manager at ERP Maestro.
Debunking 5 Access Control Myths
Few people think of SAP ERP systems as a place where fraud and data breaches can take hold, but the risk is undeniable. As 77 percent of the world’s transactions touch an SAP ERP system, every company that uses it should understand the need for tight security controls to ensure compliance and mitigate the risk of fraud and data breaches. Access controls for SAP are one of the primary ways to protect a company’s sensitive data and assets in these complex systems. They involve managing and monitoring who should have access, to what, and who shouldn’t. Not safeguarding against access risks in this way can result in higher rates of fraud and data breaches that could cost millions of dollars, along with damage to the company’s reputation and revenue-generation capabilities.
Despite security statistics proving the need for access controls, myths about them still surface. Here are five common access control myths debunked:
Myth #1: Insider threats don’t apply to my organization.
While the numbers vary, studies have found that approximately 60 to 75 percent of threats come from inside the company. No company is safe from internal threats, and an it-can’t-happen-here attitude is both naïve and dangerous. Some of the biggest data breaches, like the massive 2014-2015 Anthem data breach, are attributed to insiders.
To prevent insider threats, organizations need to create strong access controls, including segregation of duties (SoD). In order to protect against fraud or unintended mishaps, it is critical that no employee can complete an entire transaction or process from beginning to end.
Myth #2: I only have to worry about “malicious” insiders.
An estimated two-thirds of breaches are caused by poor judgment, often the result of trying to get around policies already in place. One way to prevent negligence is employee education. But education only goes so far, as many employees fall into their old patterns once training is finished. Role-based access controls, on the other hand, can limit access to mission-critical systems and data to only the users who need it.
Additionally, a Gartner analysis discovered that 29 percent of employees stole information after quitting or being fired to supplement their income – and nine percent did it just for sabotage.
Myth #3: Access control is a “set-it-and-forget-it” job.
User access levels and roles change, and so do threats. As a result, access control requires continual monitoring and maintenance. One of the greatest access risks is failing to monitor access levels on an ongoing basis. Jobs and responsibilities change, and if access is not adjusted to new roles, access bloat can occur. Stay on top of every user, every role, every job change and every instance of access provisioning for emergency situations.
Myth #4: My ERP system only has a few points of entry.
As more applications continue to be added to the IT landscape, these applications increasingly interconnect with the ERP system, adding more points of entry. The points of entry that have the greatest magnitude and risk level are those related to users. ERP systems typically house the organization’s most sensitive data – and can have hundreds or even thousands of internal entry points. With the right monitoring tools, risks can be spotted and stopped before they turn into a crisis.
Myth #5: I don’t need to automate access control.
Companies need to monitor access, decommission defunct users, and run SoD analysis constantly for maximum protection, compliance and fraud prevention. Can this be done manually? Yes. Should it be? Not if a company wants the best, most efficient and trustworthy safeguards. Choosing to automate means dramatically reducing the time it takes to oversee access. This also greatly reduces costs in terms of employee hours required to run the reports and costs related to errors and increased audit fees.
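The recurring review described under Myth #5 (SoD analysis plus decommissioning of defunct users), sketched as an added example; it is not code from the original article or from any vendor's product. The duty names, roles, users and rule set below are constructed for illustration and are not real SAP authorizations.

```python
from itertools import combinations

# Constructed SoD rules: pairs of duties one user must not hold together.
SOD_RULES = {
    frozenset({"create_vendor", "post_payment"}): "can create a vendor and pay it",
    frozenset({"create_po", "approve_po"}): "can raise and approve the same purchase order",
}

# Constructed mapping of roles to the duties they grant.
ROLE_DUTIES = {
    "AP_CLERK": {"post_payment"},
    "VENDOR_ADMIN": {"create_vendor"},
    "BUYER": {"create_po"},
    "PO_APPROVER": {"approve_po"},
}

# Constructed users: employment status (e.g. from HR) and roles assigned in the ERP.
USERS = [
    {"id": "asmith", "employed": True, "roles": ["AP_CLERK"]},
    {"id": "bjones", "employed": True, "roles": ["BUYER", "PO_APPROVER"]},  # kept old role after a job change
    {"id": "cnguyen", "employed": True, "roles": ["AP_CLERK", "VENDOR_ADMIN"]},
    {"id": "dlee", "employed": False, "roles": ["BUYER"]},  # left the company, access never removed
]

def review_access(users, role_duties, sod_rules):
    """Return (user_id, kind, detail) findings for one review pass."""
    findings = []
    for user in users:
        roles = user["roles"]
        if not user["employed"] and roles:
            held = ", ".join(sorted(roles))
            findings.append((user["id"], "DEFUNCT", f"departed user still holds: {held}"))
        duties = set()
        for role in roles:
            if role not in role_duties:
                # A role nobody has mapped cannot be checked, so surface it.
                findings.append((user["id"], "UNMAPPED", f"role {role} has no duty mapping"))
            duties |= role_duties.get(role, set())
        # Conflicts are evaluated on the union of duties across all roles,
        # which is how access bloat from accumulated roles shows up.
        for a, b in combinations(sorted(duties), 2):
            reason = sod_rules.get(frozenset({a, b}))
            if reason:
                findings.append((user["id"], "SOD", f"{a} + {b}: {reason}"))
    return findings

if __name__ == "__main__":
    for finding in review_access(USERS, ROLE_DUTIES, SOD_RULES):
        print(*finding, sep=" | ")
```

Run on a schedule against current role assignments, a check of this shape catches conflicts that appear only after a job change, which a one-time review at provisioning would miss.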
Debunking these myths is important; ultimately you have to apply every precaution to protect your company. Fraud and insider attacks happen at every organization, and not just at the hands of malicious employees. If you want to learn more, download our full ebook, “Debunking 5 Access Control Myths,” which expands on these access control myths and offers solutions for strengthening access controls in SAP.