Wake-up Call for Enterprise Resource Planning Users
A MAJOR INSIDER SECURITY THREAT STEMS FROM THE COMPLEXITY OF ERPS AND COMPLICATED SYSTEM SECURITY
by Jody Paterson, CEO, ERP Maestro
Published in Cyber Defense Magazine
Cybercrime has become a top concern for the contemporary world. To protect themselves, many organizations have stockpiled solutions against outside attacks—while ignoring the more ominous threats right under their noses. According to IBM’s 2016 Cyber Security Index, 60 percent of cybersecurity breaches come not from an unknown outsider, but from the inside—at the hands of employees. Other sources cite higher numbers upwards of 75 percent. In Cyber Insider’s 2018 Insider Threat Report, 90 percent of security professionals reported feeling vulnerable to insider threats.
Some attacks are malicious, with disgruntled workers taking revenge by disabling systems, committing fraud to embezzle money, or profiting by selling company or client data on the dark web. Many other breaches happen inadvertently, the result of worker error or inappropriate permission rights to information.
As a growing number of organizations use enterprise resource planning (ERP) solutions to manage their core business processes, they also have to safeguard against vulnerabilities that can come with ERP use. ERP systems, which provide a unified platform for accounting, human resources, purchasing, sales, and other departments, help businesses run more efficiently. The danger lies in the complexity of the systems, too much internal access to sensitive data and weak controls.
Since attention to internal cybersecurity has lagged behind the emphasis on external threats, companies have only begun to take internal risks more seriously. Increasing education and developing prevention programs are key components in correcting the inequity between the two.
A WAKE-UP CALL
Shockingly, there are companies that never analyze the permissions assigned to their ERP users. One reason for this is a tendency for companies to be reactive rather than proactive when it comes to internal risks, waiting until a costly or critical breach occurs instead of preventing incidents to begin with.
Conversely, all businesses understand the urgency in having a security system to prevent physical intrusion into facilities and to thwart external hacks into systems. They don’t wait until a break-in or breach takes place to protect valuable assets. And yet, “privilege creep,” in which an employee may gain increasing access as their roles and permissions change—even beyond what they need or should have—happens all of the time if not monitored. Another common problem is granting privileges that mirror existing user access when onboarding new users. Over time, a company can create its own worst permission-bloat nightmare. Without regularly evaluating their ERP access and security, enterprises leave themselves incredibly exposed to inside cyber hazards.
PREVENTION IS MORE THAN JUST AN OPTION
There are steps an organization can take to guard against insider attacks, even of sensitive ERP systems. The first step is to acknowledge the problem and take internal threats seriously. Even small enterprises where “everybody knows your name” can be vulnerable—particularly so if the intimate atmosphere creates a sense of complacency. Secondly, prevention has to move to the forefront of internal cybersecurity. Once a company has acknowledged the real possibility of employee-based access violations, take steps to:
• Safeguard against mishaps and insider fraud with tight and agile controls. Double check who has access to what to avoid “privilege creep,” making sure that each employee has only the access they need to perform their job. This important precaution is often overlooked—but it’s the authorized access, not the unauthorized, that so often gets organizations in trouble. It’s a daunting task to do manually, but it must be done if an automated solution is not in place.
• Understand the most common segregation of duties (SoD) conflicts. Is it possible for a single person to access all the processes involved in doing business in your organization? This end-to-end access is the linchpin of a security crisis. Analyze your SoD policies and procedures and redefine them where needed, then audit them continuously to ensure that they are being followed and are working.
• Educate users on security protocols. How security-aware are your employees? Your executives? Everyone in the organization, regardless of role, needs thorough training and regular refreshers on secure password protocols and proper use of ERP systems.
• Review your sensitive access monitoring controls at least once a year. Even the strictest controls can have “cracks.” Checking for them, and for suspicious behaviors, is key to prevention and early detection of insider breaches. Have a system in place to continually monitor privileged users’ activities—and to alert you to attacks. Track changes to critical data, as well, and set up audit trails on important transactions.
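The first two steps above, checking for privilege creep and for segregation-of-duties conflicts, are the kind of review that is daunting by hand but straightforward to script against an access export. The following is an added example, not code from the article or from ERP Maestro: it compares each user’s granted permissions against a per-job baseline (anything beyond the baseline is privilege creep) and against a list of permission pairs that should never sit with one person (an SoD conflict). The job baselines, conflict pairs, permission names and users are all constructed sample data; a real review would load them from the ERP’s role and authorization export.

```python
"""Added example (not from the article or ERP Maestro): a minimal ERP access
review that flags privilege creep and segregation-of-duties (SoD) conflicts.
Every name below is constructed sample data, not a real ERP identifier."""

from collections import defaultdict

# Constructed baseline: the permissions each job function legitimately needs.
JOB_BASELINE = {
    "ap_clerk": {"vendor_invoice_entry", "invoice_query"},
    "ap_manager": {"vendor_invoice_entry", "invoice_query", "payment_approval"},
    "procurement": {"vendor_master_create", "purchase_order_create"},
    "auditor": {"invoice_query"},
}

# Constructed SoD rules: permission pairs that give one person end-to-end
# control of a process, with a plain-language description for the report.
SOD_CONFLICTS = [
    ({"vendor_master_create", "vendor_invoice_entry"}, "create a vendor and bill against it"),
    ({"vendor_invoice_entry", "payment_approval"}, "enter an invoice and approve its payment"),
    ({"purchase_order_create", "payment_approval"}, "raise a purchase order and approve its payment"),
]

# Constructed access export: user -> (job function, permissions actually granted).
# bob kept an approval right from an old role; carol was onboarded by cloning
# an AP user's access on top of her procurement role.
USERS = {
    "alice": ("ap_clerk", {"vendor_invoice_entry", "invoice_query"}),
    "bob": ("ap_clerk", {"vendor_invoice_entry", "invoice_query", "payment_approval"}),
    "carol": ("procurement", {"vendor_master_create", "purchase_order_create", "vendor_invoice_entry"}),
    "dave": ("auditor", {"invoice_query"}),
}


def privilege_creep(users, baseline):
    """Return {user: excess permissions} for users holding more than their job needs."""
    findings = {}
    for user, (job, granted) in users.items():
        excess = granted - baseline.get(job, set())
        if excess:
            findings[user] = excess
    return findings


def sod_conflicts(users, conflicts):
    """Return {user: [conflict descriptions]} for users holding every permission of a pair."""
    findings = defaultdict(list)
    for user, (_job, granted) in users.items():
        for pair, description in conflicts:
            if pair <= granted:  # subset test: user holds both sides of the conflict
                findings[user].append(description)
    return dict(findings)


def review_report(users=USERS, baseline=JOB_BASELINE, conflicts=SOD_CONFLICTS):
    """Combine both checks into one list of (user, finding_type, detail) rows."""
    rows = []
    for user, excess in privilege_creep(users, baseline).items():
        rows.append((user, "privilege_creep", ", ".join(sorted(excess))))
    for user, descriptions in sod_conflicts(users, conflicts).items():
        for description in descriptions:
            rows.append((user, "sod_conflict", description))
    return sorted(rows)


if __name__ == "__main__":
    for user, finding_type, detail in review_report():
        print(f"{user:8} {finding_type:16} {detail}")
```

Run on a schedule against a fresh export, the script turns the “double check who has access to what” step into a repeatable control: a user appearing under privilege_creep is a candidate for access removal, and a user under sod_conflict needs either a role split or a documented compensating control. Removing one permission can resolve both findings at once, as in the bob case above.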
THE BIGGEST THREAT OF ALL
In the increasingly fast-paced world of business with global employees and many points of access in extremely large organizations, monitoring ERPs for internal security breaches isn’t a nice-to-have option. It’s a must-have. When it comes to ERP security, the devil is in the details—often, in the ones you can’t see due to lack of attention on them or tools to simplify spotting them. The biggest risk to any enterprise’s security comes not from employee actions, but organizational inaction: the failure to act until after a breach occurs.
About the Author
Jody Paterson is the CEO of ERP Maestro. He is a security evangelist, thought leader, speaker and KPMG veteran who is committed to creating smarter ways to keep companies secure on the inside and ease the burden of managing, monitoring and auditing access to critical business systems. Jody can be reached online at firstname.lastname@example.org and at our company website https://www.erpmaestro.com