Light Dark
August 28, 2018 By Kacy Zurkus 4 min read
Risk Management
Fraud Protection
Identity & Access

In most complex systems, especially those like SAP that handle enormous amounts of transaction data, defining an approach to governance, risk and compliance (GRC) can feel overwhelming. But SAP GRC has never been more important. According to a new survey from ERP Maestro, “Studies indicate that data breaches were up by 44.7 percent in 2017 and nearly $2 billion [worth of] records containing personal and sensitive data were compromised.”

Unfortunately, organizations often presume that their SAP systems are more secure than they actually are; thus, they fail to adopt enterprise resource planning (ERP) security solutions despite the threats to the enterprise. In May 2018, America’s SAP Users’ Group (ASUG) conducted a survey of IT, security and audit professionals using SAP. The survey, sponsored by ERP Maestro, found that 82 percent of respondents reported their SAP systems have only minor vulnerabilities and generally good access controls.

Bridging the SAP GRC Awareness Gap

Despite this optimism, 80 percent of respondents in security or GRC roles said they were either extremely or very concerned with the level of security around their SAP data systems. That statistic suggests there is a disconnect when it comes to understanding how to improve GRC.

To explain what it means to achieve GRC in SAP, Jody Paterson, CEO of ERP Maestro, said, “What we find is that when organizations are implementing large, complex financial systems, the question of how to design these systems to reduce risk to the organization is an afterthought.”

One obstacle for many organizations is that not every aspect of implementation is defined by a blueprint. Many organizations end up scrambling or trying to ram in security so they can start using ERPs. The result is a mess of a security infrastructure, which ends up full of access risks.

Limiting Internal Access

Governance, risk and compliance extends well beyond SAP, and achieving GRC requires that organizations begin addressing the risk of fraud. “Seventy-five percent of all threats are insider attacks,” Paterson said. “The majority of fraud comes from internal actors. There is huge potential for fraud that results from a lack of internal controls around access to the systems.”

Considering that 5 percent of revenue is lost to fraud — and that most organizations don’t even know they are losing it — that’s pretty substantial. What often happens, Paterson said, is that companies end up overstating expenses because they have so much access. The result is a lower bottom line without knowing they are losing to fraud.

Identifying Enterprise Risk

“Pick the right solution. Get the right visibility and have well-defined rules,” Paterson advised. Perhaps a more important starting point is to first know what risks you should be looking at. While there are standard risks within systems, oftentimes the issue is that organizations don’t know if they are looking for the right risks.

Let’s use the example of two distinctly different companies — a pharmaceutical company and a beverage company. The pharmaceutical company cares much more about inventory than the beverage company. Why? Because for the beverage company to lose enough inventory to be material to finances, a criminal would need to roll in and ship out 10 truckloads of soft drinks.

For the beverage company, attention to inventory is lower, which means that the standard set of rules doesn’t work. “Rationalizing to make sure you are looking for the right things will help you set the rule books up,” Paterson said. Yet rules and risks spill off a huge amount of work, the results of which can often be astounding.

Getting Started

Achieving GRC starts with the upfront work of getting everything in line and setting a clean stage. But once you’re clean, how do you stay that way? Paterson offered these five tips for developing a successful SAP GRC strategy:

1. Establish Ongoing Controls

Use preventative controls and ongoing access analysis to maintain a continuous process. Implement periodic access reviews and controls around provisioning. Staying clean requires continuous compliance procedures. In addition, assess risks — which requires accurate visibility — and all possible scenarios that could occur in the event of a breach, then create well-defined rules based on industry best practices.

2. Communicate

It’s important to have GRC knowledge at every level of the organization, especially given the survey’s finding that a distinct disparity exists between the security concerns of executives and those of frontline IT and security employees. Only 25 percent of executives reported being either very or extremely concerned about security, compared with 80 percent of the latter.

3. Train

Communicating and training across the company is critical. Organizations need to train managers and employees on GRC so that all are aware of their part in achieving compliance. Given the increased risks that arise when security concerns aren’t taken seriously at the executive-level, organizations should seek outside counsel if help is needed to help increase understanding across the company.

4. Create a Strategy

The survey showed that a third of companies using SAP don’t have a GRC strategy in place, which is why it is critical to involve the C-suite as well as the frontline employees in developing a strategy. Then, keep both internal and external auditors informed of your strategy and of any changes.

5. Leverage Frameworks and Automation

To help map controls that are relevant to the business, leverage security and compliance frameworks like NIST, COBIT and ISO. Enforce compliance by conducting ongoing access reviews and automate these where possible. Automation reduces the GRC burden on both IT and audit teams.

It’s an unavoidable reality that GRC frameworks must be completely integrated into organizational structures and roles from the top down to be successful. Although establishing the most effective strategy is a steep uphill battle, once you reach the summit, it’s merely a matter of maintenance and continued education.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

 |  |  |  |  | 
Kacy Zurkus

More from Risk Management
April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature