Light Dark
August 28, 2018 By Kacy Zurkus 4 min read
Risk Management
Fraud Protection
Identity & Access

In most complex systems, especially those like SAP that handle enormous amounts of transaction data, defining an approach to governance, risk and compliance (GRC) can feel overwhelming. But SAP GRC has never been more important. According to a new survey from ERP Maestro, “Studies indicate that data breaches were up by 44.7 percent in 2017 and nearly $2 billion [worth of] records containing personal and sensitive data were compromised.”

Unfortunately, organizations often presume that their SAP systems are more secure than they actually are; thus, they fail to adopt enterprise resource planning (ERP) security solutions despite the threats to the enterprise. In May 2018, America’s SAP Users’ Group (ASUG) conducted a survey of IT, security and audit professionals using SAP. The survey, sponsored by ERP Maestro, found that 82 percent of respondents reported their SAP systems have only minor vulnerabilities and generally good access controls.

Bridging the SAP GRC Awareness Gap

Despite this optimism, 80 percent of respondents in security or GRC roles said they were either extremely or very concerned with the level of security around their SAP data systems. That statistic suggests there is a disconnect when it comes to understanding how to improve GRC.

To explain what it means to achieve GRC in SAP, Jody Paterson, CEO of ERP Maestro, said, “What we find is that when organizations are implementing large, complex financial systems, the question of how to design these systems to reduce risk to the organization is an afterthought.”

One obstacle for many organizations is that not every aspect of implementation is defined by a blueprint. Many organizations end up scrambling or trying to ram in security so they can start using ERPs. The result is a mess of a security infrastructure, which ends up full of access risks.

Limiting Internal Access

Governance, risk and compliance extends well beyond SAP, and achieving GRC requires that organizations begin addressing the risk of fraud. “Seventy-five percent of all threats are insider attacks,” Paterson said. “The majority of fraud comes from internal actors. There is huge potential for fraud that results from a lack of internal controls around access to the systems.”

Considering that 5 percent of revenue is lost to fraud — and that most organizations don’t even know they are losing it — that’s pretty substantial. What often happens, Paterson said, is that companies end up overstating expenses because they have so much access. The result is a lower bottom line without knowing they are losing to fraud.

Identifying Enterprise Risk

“Pick the right solution. Get the right visibility and have well-defined rules,” Paterson advised. Perhaps a more important starting point is to first know what risks you should be looking at. While there are standard risks within systems, oftentimes the issue is that organizations don’t know if they are looking for the right risks.

Let’s use the example of two distinctly different companies — a pharmaceutical company and a beverage company. The pharmaceutical company cares much more about inventory than the beverage company. Why? Because for the beverage company to lose enough inventory to be material to finances, a criminal would need to roll in and ship out 10 truckloads of soft drinks.

For the beverage company, attention to inventory is lower, which means that the standard set of rules doesn’t work. “Rationalizing to make sure you are looking for the right things will help you set the rule books up,” Paterson said. Yet rules and risks spill off a huge amount of work, the results of which can often be astounding.

Getting Started

Achieving GRC starts with the upfront work of getting everything in line and setting a clean stage. But once you’re clean, how do you stay that way? Paterson offered these five tips for developing a successful SAP GRC strategy:

1. Establish Ongoing Controls

Use preventative controls and ongoing access analysis to maintain a continuous process. Implement periodic access reviews and controls around provisioning. Staying clean requires continuous compliance procedures. In addition, assess risks — which requires accurate visibility — and all possible scenarios that could occur in the event of a breach, then create well-defined rules based on industry best practices.

2. Communicate

It’s important to have GRC knowledge at every level of the organization, especially given the survey’s finding that a distinct disparity exists between the security concerns of executives and those of frontline IT and security employees. Only 25 percent of executives reported being either very or extremely concerned about security, compared with 80 percent of the latter.

3. Train

Communicating and training across the company is critical. Organizations need to train managers and employees on GRC so that all are aware of their part in achieving compliance. Given the increased risks that arise when security concerns aren’t taken seriously at the executive-level, organizations should seek outside counsel if help is needed to help increase understanding across the company.

4. Create a Strategy

The survey showed that a third of companies using SAP don’t have a GRC strategy in place, which is why it is critical to involve the C-suite as well as the frontline employees in developing a strategy. Then, keep both internal and external auditors informed of your strategy and of any changes.

5. Leverage Frameworks and Automation

To help map controls that are relevant to the business, leverage security and compliance frameworks like NIST, COBIT and ISO. Enforce compliance by conducting ongoing access reviews and automate these where possible. Automation reduces the GRC burden on both IT and audit teams.

It’s an unavoidable reality that GRC frameworks must be completely integrated into organizational structures and roles from the top down to be successful. Although establishing the most effective strategy is a steep uphill battle, once you reach the summit, it’s merely a matter of maintenance and continued education.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

 |  |  |  |  | 
Kacy Zurkus

More from Risk Management
July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

July 10, 2024

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature