Chief Marketing Officer at ERP Maestro
The Most Significant Internal Security Concerns In 2020
Experts and pundits have made their predictions for the top security risks and trends to look out for in 2020, and companies are executing new year strategies for risk and prevention. In EMEA, the US and around the world, the outlook appears consistent. New risks join old ones and both continue to escalate as digital transformation progresses globally.
A US site offers a plethora of security predictions. More creative uses of deepfakes, advanced phishing attacks beyond email, trickier ransomware threats, and more are on the external security radar for the year ahead, but that’s only one half of the security challenge. What about internal risks? What should you be preparing for as we approach the decade before us?
The Primarily Internal Risk
When thinking about the future of security challenges, it’s tempting to go gung-ho and focus all eyes on fighting emerging threats while existing threats still remain an equal menace. Will there be new internal threats to companies? Of course. Just as with external attacks, new ways of committing fraud and internal breaches of sensitive company data will evolve. Still, what we know today is that internal attacks remain a growing threat to companies: to their competitive edge, revenue, executives, board members, customer loyalty and market reputation. We also realize that the systems most vulnerable to insider attacks are business systems, such as ERPs.
Two Pitfalls to Watch Out For
When it comes to SAP environments from an internal security perspective, two pitfalls to watch out for are using manual processes to manage access controls and sticking with old-school tools in an attempt to save money. Neither approach offers effective and cost-efficient monitoring and controlling of risks, and neither can be counted on for accuracy when it comes to compliance. The risk of using such means may seem worth it in the short term, but the potential long-run damages may be far more costly than employing more fail-safe solutions.
The Threat of Fraud is Real
Fraud is prevalent around the world, in small and large companies alike. The greatest risk for fraud is inappropriate access to financial systems and lax segregation of duties. According to a 2018 report from the Association of Certified Fraud Examiners, the typical organization loses 5% of its annual revenue to fraud. Further, 23% of cases involving employee fraud result in a loss of at least $1 million. Costs extend beyond that when you calculate any loss of customers, new business or brand reputation.
The Scope of Internal Data Breaches
However, fraud isn’t the only concern. Company data and sensitive employee or customer information have a big market today. A study conducted in 2019 by IDC revealed that two-thirds of organizations using ERPs had experienced a breach in the previous 24 months. And according to an IBM/Ponemon Institute Cost of Data Breach Report, it took on average eight months to discover a data breach. The longer an insider attack goes unnoticed, the higher the cost.
Fixing Weak Controls
Outside of employee malintent or fallibility, the weakest link in internal incidents is poor access controls. That’s not going to change in 2020 or any time soon. Without clear visibility into risks, which can’t be achieved without the right technology, risks remain a major threat to the business.
Risks need to be identified by user, role and business process, at a glance. And it’s not enough to spot risks; they must be remediated promptly. Remediation advice should be a part of any access control solution.
In SAP, these risks exist now and will continue to grow as more and more companies migrate to S/4HANA and make use of SAP’s expanding cloud application ecosystem, which will call for not only access controls for SAP but also applications outside the digital core, such as SAP SuccessFactors, SAP Ariba, SAP Concur, etc.
As stated before, external risks aren’t the only ones organizations should focus on. Internal threats will become more commonplace as cyber criminals or employees continue to exploit weaknesses found within company systems. Internal security is the last line of defense against fraud and internal breaches of company data. This year, be proactive about which strategies and tools you use for it.