Marketing Communications Manager at ERP Maestro.
Access Controls: Is It Time for a Rethink?
Access controls: Who needs them?
Any public company using access controls for Segregation of Duties (SoD) or sensitive access would likely first focus on the need for access controls to meet SOX (Sarbanes-Oxley) compliance. Some form of controls and reviews of access are necessary to meet audit and SOX requirements and protect public company investors. However, as a result of implementing controls, these same companies have also benefitted from having an additional security measure to help prevent fraud, internal data breaches and employee mishaps. Having access controls in place was once an added perk of SOX compliance, but today it’s necessary for any holistic cybersecurity strategy – for both public and private companies.
Rethinking access controls for cybersecurity is something to consider as we move into the next decade. Digital transformation is prompting companies to invest in technology that will help them keep up with market demands, competitors and regulators, and defend against cyber risks both inside and outside the organization. An access control solution that aligns with the end-goal of digital transformation will be able to accomplish multiple objectives: compliance, risk management and internal cybersecurity.
Access Controls and Internal Cybersecurity
As ERP systems become more complex and interconnected with other apps, they give internal cyber threats more room to wreak havoc. Nearly 75 percent of security breaches are the result of insider threats, according to the Clearswift Insider Threat Index report. In addition, research from this year found that 45 percent of employees would sell data to outsiders and that the most significant threats to exposure of sensitive or confidential data are employee mistakes. Both intentional and unintentional actions by employees are internal risks companies must take seriously, as almost every employee has access to an ERP system or other business systems.
That is why rethinking access controls for internal cybersecurity, specifically securing ERP systems, makes sense. Beyond just compliance, access controls for the new digital age play a role in managing access risks across the enterprise, from one cloud application to the next. Since cloud-based ERPs and enterprise applications are becoming the norm, cloud-based access control solutions have followed suit. Long gone are the days of long implementations and large-scale projects. Cloud-based access control solutions enable quick and easy set-up and scaling, shortening time-to-value as well as eliminating the need for maintenance and costly upgrades.
It’s important to note that access controls do not perform the same function as identity and access management (IAM) tools. A dedicated access control solution provides application-specific processes for managing controls with greater granularity. While IAM solutions operate at the role, person, or title level, access control solutions dive deeper into the permission details of the target ERP system. They complement each other rather than replace each other.