In most complex systems, especially those like SAP that handle enormous amounts of transaction data, defining an approach to governance, risk and compliance (GRC) can feel overwhelming. But SAP GRC has never been more important. According to a new survey from ERP Maestro, “Studies indicate that data breaches were up by 44.7 percent in 2017 and nearly $2 billion [worth of] records containing personal and sensitive data were compromised.”

Unfortunately, organizations often presume that their SAP systems are more secure than they actually are; thus, they fail to adopt enterprise resource planning (ERP) security solutions despite the threats to the enterprise. In May 2018, America’s SAP Users’ Group (ASUG) conducted a survey of IT, security and audit professionals using SAP. The survey, sponsored by ERP Maestro, found that 82 percent of respondents reported their SAP systems have only minor vulnerabilities and generally good access controls.

Bridging the SAP GRC Awareness Gap

Despite this optimism, 80 percent of respondents in security or GRC roles said they were either extremely or very concerned with the level of security around their SAP data systems. That statistic suggests there is a disconnect when it comes to understanding how to improve GRC.

To explain what it means to achieve GRC in SAP, Jody Paterson, CEO of ERP Maestro, said, “What we find is that when organizations are implementing large, complex financial systems, the question of how to design these systems to reduce risk to the organization is an afterthought.”

One obstacle for many organizations is that not every aspect of an implementation is defined by a blueprint, and security is often one of the parts left out. Many organizations end up scrambling to bolt security on at the last minute so they can start using the ERP system. The result is a tangled security setup that is full of access risks.

Limiting Internal Access

Governance, risk and compliance extends well beyond SAP, and achieving GRC requires that organizations begin addressing the risk of fraud. “Seventy-five percent of all threats are insider attacks,” Paterson said. “The majority of fraud comes from internal actors. There is huge potential for fraud that results from a lack of internal controls around access to the systems.”

Considering the common estimate that organizations lose about 5 percent of revenue to fraud, and that most organizations don't even know they are losing it, the exposure is substantial. What often happens, Paterson said, is that companies end up with overstated expenses because so many people have more access than they need. The result is a lower bottom line, without the company realizing that fraud is the cause.

Identifying Enterprise Risk

“Pick the right solution. Get the right visibility and have well-defined rules,” Paterson advised. Perhaps a more important starting point is to know which risks you should be looking for in the first place. There are standard risks that apply to any system, but the problem is often that an organization cannot tell whether the risks it is checking for are the ones that matter to its business.

Consider two distinctly different companies: a pharmaceutical company and a beverage company. The pharmaceutical company cares much more about inventory than the beverage company does. Why? Because for the beverage company to lose enough inventory to be material to its finances, a criminal would need to roll in and ship out 10 truckloads of soft drinks, whereas a far smaller quantity of pharmaceutical stock carries a material value.

For the beverage company, inventory deserves less attention, which means a one-size-fits-all standard rule set does not work: it would flag inventory risks that are immaterial while the real exposures lie elsewhere. “Rationalizing to make sure you are looking for the right things will help you set the rule books up,” Paterson said. Defining rules and analyzing risks still generates a large amount of work, and the findings that work produces are often surprising.

Getting Started

Achieving GRC starts with the upfront work of getting everything in line and setting a clean stage. But once you’re clean, how do you stay that way? Paterson offered these five tips for developing a successful SAP GRC strategy:

1. Establish Ongoing Controls

Use preventive controls and ongoing access analysis to maintain a continuous process. Implement periodic access reviews and controls around provisioning. Staying clean requires continuous compliance procedures. In addition, assess risks, which requires accurate visibility, and all possible scenarios that could occur in the event of a breach, then create well-defined rules based on industry best practices.

2. Communicate

It’s important to have GRC knowledge at every level of the organization, especially given the survey’s finding that a distinct disparity exists between the security concerns of executives and those of frontline IT and security employees. Only 25 percent of executives reported being either very or extremely concerned about security, compared with 80 percent of the latter.

3. Train

Communicating and training across the company is critical. Organizations need to train managers and employees on GRC so that all are aware of their part in achieving compliance. Given the increased risks that arise when security concerns aren't taken seriously at the executive level, organizations should seek outside counsel if they need help raising understanding across the company.

4. Create a Strategy

The survey showed that a third of companies using SAP don’t have a GRC strategy in place, which is why it is critical to involve the C-suite as well as the frontline employees in developing a strategy. Then, keep both internal and external auditors informed of your strategy and of any changes.

5. Leverage Frameworks and Automation

To help map controls that are relevant to the business, leverage security and compliance frameworks such as those published by NIST and ISO, and COBIT. Enforce compliance by conducting ongoing access reviews and automate these where possible. Automation reduces the GRC burden on both IT and audit teams.
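As an added example, not code from the article or from ERP Maestro, the following Python script shows what a rationalized rule book and an automated access review look like in practice. It defines a small segregation-of-duties (SoD) rule book, an industry profile that sets the severity of each risk area (the pharmaceutical versus beverage case above), and an analysis that combines every role a user holds before checking the rules, because two roles that are each clean on their own can create a conflict in combination. The SAP transaction codes are used only to illustrate the mapping from codes to business functions; the roles, users, rule identifiers and severity values are constructed sample data, not a vendor rule set.

```python
from dataclasses import dataclass

# Business functions expressed as the sets of transaction codes that enable them.
# Assumed mapping for illustration; a real rule book would be far larger.
FUNCTIONS = {
    "vendor_master_maintain": {"FK01", "FK02", "XK01", "XK02"},
    "vendor_payment_post": {"F-53", "F110"},
    "purchase_order_create": {"ME21N", "ME22N"},
    "goods_receipt_post": {"MIGO"},
    "inventory_adjust": {"MI10", "MB1A"},
    "physical_inventory_count": {"MI01", "MI04"},
}

@dataclass(frozen=True)
class SodRule:
    rule_id: str
    area: str
    functions: tuple   # holding all of these functions at once is the conflict
    description: str

# Constructed rule book: each rule is a pair of functions nobody should hold together.
RULE_BOOK = [
    SodRule("P2P-01", "procure_to_pay", ("vendor_master_maintain", "vendor_payment_post"),
            "Create a vendor and pay it: fictitious-vendor fraud"),
    SodRule("P2P-02", "procure_to_pay", ("purchase_order_create", "goods_receipt_post"),
            "Order goods and confirm receipt: phantom deliveries"),
    SodRule("INV-01", "inventory", ("physical_inventory_count", "inventory_adjust"),
            "Count stock and post adjustments: conceal shrinkage"),
]

# Industry profiles rationalize the rule book: the same rule carries a different
# severity depending on what is material to the business. Assumed values.
INDUSTRY_SCOPE = {
    "pharmaceutical": {"procure_to_pay": "high", "inventory": "high"},
    "beverage": {"procure_to_pay": "high", "inventory": "low"},
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    severity: str
    evidence: tuple    # (function, role that grants it, transaction codes) triples

def functions_granted(role_tcodes):
    """Map a role's transaction codes onto the business functions they enable."""
    return {fn: sorted(role_tcodes & codes)
            for fn, codes in FUNCTIONS.items() if role_tcodes & codes}

def analyze_user(user, assigned_roles, roles, industry, min_severity="low"):
    """Return SoD findings for one user, evaluated across all assigned roles."""
    # Aggregate functions over every role and remember which role granted each:
    # the conflict frequently sits between roles, not inside a single one.
    granted = {}
    for role in assigned_roles:
        for fn, tcodes in functions_granted(roles[role]).items():
            granted.setdefault(fn, []).append((role, tuple(tcodes)))
    scope = INDUSTRY_SCOPE[industry]
    findings = []
    for rule in RULE_BOOK:
        severity = scope.get(rule.area, "low")
        if SEVERITY_RANK[severity] < SEVERITY_RANK[min_severity]:
            continue  # out of scope for this business at the requested threshold
        if all(fn in granted for fn in rule.functions):
            evidence = tuple((fn, role, tcodes)
                             for fn in rule.functions for role, tcodes in granted[fn])
            findings.append(Finding(user, rule.rule_id, severity, evidence))
    return findings

def access_review(assignments, roles, industry, min_severity="low"):
    """Run the rule book over a whole user population, as a periodic review would."""
    out = []
    for user, assigned in assignments.items():
        out.extend(analyze_user(user, assigned, roles, industry, min_severity))
    return out

# Constructed sample data: hypothetical roles and users.
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "FB60"},        # maintain vendors, enter invoices
    "Z_AP_PAYMENTS": {"F-53", "F110"},             # run payments
    "Z_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO", "MI01", "MI04"},
    "Z_STOCK_CONTROLLER": {"MI10", "MB1A"},
}
ASSIGNMENTS = {
    "alice": ["Z_AP_CLERK"],                        # clean on its own
    "bob": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],         # cross-role procure-to-pay conflict
    "carol": ["Z_BUYER", "Z_WAREHOUSE"],            # order and receive goods
    "dave": ["Z_WAREHOUSE", "Z_STOCK_CONTROLLER"],  # count stock and adjust it
}

if __name__ == "__main__":
    for industry in ("pharmaceutical", "beverage"):
        print(f"== {industry}: findings at severity >= high ==")
        for f in access_review(ASSIGNMENTS, ROLES, industry, min_severity="high"):
            print(f"  {f.user}: {f.rule_id} [{f.severity}]")
            for fn, role, tcodes in f.evidence:
                print(f"      {fn} via {role} {tcodes}")
```

Run against the same role assignments, the pharmaceutical profile reports three high-severity findings (bob, carol and dave), while the beverage profile reports only the two procure-to-pay conflicts and demotes dave's inventory conflict to low severity. Bob's finding also shows the cross-role case: neither Z_AP_CLERK nor Z_AP_PAYMENTS is a problem alone, only their combination is. In a real review the evidence tuples are what an approver or auditor needs to decide whether to remove a role or accept the risk with a mitigating control.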

It's an unavoidable reality that GRC frameworks must be fully integrated into organizational structures and roles, from the top down, to succeed. Establishing an effective strategy is a steep uphill climb, but once you reach the summit, what remains is maintenance and continued education.
