Cyber-security and the SAP Systems

Did you know that 35 to 40% of cyber-security breaches occur behind your firewall? The media likes to talk about the breaches that occur outside your network. The biggest threat is still internal; employees and partners who have access to sensitive data; customers, vendors, revenue, contact lists, and of course the ability to create or change bank account information.

How do you prevent this?

SOX compliance focuses on user roles. Segregation of Duties (SoD) prevents a single employee from perpetrating and covering errors or fraud on a single process such as vendor invoice payments.

But employees change jobs and roles. Over a 5-7 year period an employee could have three or four different job titles and corresponding user roles. Diligence is required as roles get added, existing roles reviewed and removed if not needed or violate SoD or governance rules.

Security reviews are always on the back burner, but that security review just might save the company from competitors when that employee leaves, removing security access they don’t need.  SAP offers numerous user role reports that show if someone has not used a transaction in the past 6 months.

Lack of understanding around roles and SoD drives many mistakes. When performing a review or audit, communicate with the responsible managers of the business; the manger knows what their employees need to perform their jobs.

On-boarding new employees is another area of risk. New employees are routinely given a PC with view access. While HR is locked down, do you restrict vendors, customers, or do they really need visibility of cash receipts, product equipment masters, and other confidential data?

Outside the firewall

Are Fiori and other mobile apps forcing you to rethink your security approach? SAP has historically been inside the firewall. Protect your network, and you protect SAP.  There are many products on the market to keep the network safe, but all the connections to other devices and applications causes concern and exposes risk.

Now, protecting the network is not enough; you must review and monitor the connections to the cloud, partners, 3rd party applications, and possibly more. There are tools to do this, but at the end of the day the connections need to be monitored with reports and notifications for activity that is outside the norm.

Education on security may be your biggest breach. Do you have a Security and Education Policy that the company follows?  The security policy ensures that user roles are routinely and randomly reviewed.

Do your employees know what to do in the event of a stolen phone, tablet or laptop? The education is needed to insure that managers are kept up to date on what is a threat, how is it perpetrated, and what is being done to mitigate the threat.

If you have gone mobile and have applications, do your employees with these apps have access to sensitive data?  If so, can you remotely wipe that phone, or tablet? We have all heard about the PC that goes missing with SS numbers, etc., but what about a phone with access to your sales data.

SAP has their own security patches that are updated and issued routinely.  So in your security policy what is your routine for applying these patches?  If you have many systems then it is most likely quarterly, but if you have an ECC and BI, then we would recommend monthly. Above all else always apply urgent security notes monthly.  Keep in mind even security programs like Snote has patches so always be monitoring SAP security notes on a daily basis, just take a quick look to see if there is anything new for your systems.  Even the SAP download manager has had some security notes that need to be applied.

SAP has multiple reports and tools to help with security, but they also have a product to monitor the systems for threats called Enterprise Threat Detection (ETD).  ETD is now on the second release with expanded functionality.  ETD allows for real time monitoring of all the systems including HANA along with non-SAP systems.  ETD is a complete product and this HANA article won’t go into the specifics, but in a nut shell ETD will flag activity that is outside the norm of your systems allowing your technical analysts to investigate what is causing the abnormal activity.

Hope this helps in getting your SAP systems more prepared for the attacks that will be coming and that you are ready to proactively work to limit your exposure.  Titan Consulting is here to help advise and secure your systems. We are just a phone call away, contact Warren Norris at 972.679.5183, or warren@titanconsulting.net or your Titan Sales Director.