In most complex systems, especially those like SAP that handle enormous amounts of transaction data, defining an approach to governance, risk and compliance (GRC) can feel overwhelming. But SAP GRC has never been more important. According to a new survey from ERP Maestro, “Studies indicate that data breaches were up by 44.7 percent in 2017 and nearly $2 billion [worth of] records containing personal and sensitive data were compromised.”

Unfortunately, organizations often presume that their SAP systems are more secure than they actually are; thus, they fail to adopt enterprise resource planning (ERP) security solutions despite the threats to the enterprise. In May 2018, America’s SAP Users’ Group (ASUG) conducted a survey of IT, security and audit professionals using SAP. The survey, sponsored by ERP Maestro, found that 82 percent of respondents reported their SAP systems have only minor vulnerabilities and generally good access controls.

Bridging the SAP GRC Awareness Gap

Despite this optimism, 80 percent of respondents in security or GRC roles said they were either extremely or very concerned with the level of security around their SAP data systems. That statistic suggests there is a disconnect when it comes to understanding how to improve GRC.

To explain what it means to achieve GRC in SAP, Jody Paterson, CEO of ERP Maestro, said, “What we find is that when organizations are implementing large, complex financial systems, the question of how to design these systems to reduce risk to the organization is an afterthought.”

One obstacle for many organizations is that not every aspect of implementation is defined by a blueprint. Many organizations end up scrambling to bolt security on at the last minute so they can start using the ERP. The result is a tangled security configuration that is full of access risks.

Limiting Internal Access

Governance, risk and compliance extends well beyond SAP, and achieving GRC requires that organizations begin addressing the risk of fraud. “Seventy-five percent of all threats are insider attacks,” Paterson said. “The majority of fraud comes from internal actors. There is huge potential for fraud that results from a lack of internal controls around access to the systems.”

Considering that 5 percent of revenue is lost to fraud, and that most organizations don't even know they are losing it, that is a substantial figure. What often happens, Paterson said, is that because so many users have broad access, companies end up with overstated expenses. The result is a lower bottom line, with the organization unaware that fraud is the cause.

Identifying Enterprise Risk

“Pick the right solution. Get the right visibility and have well-defined rules,” Paterson advised. Perhaps a more important starting point is to first know which risks you should be looking at. While there are standard risks within these systems, the issue is often that organizations don't know whether they are looking for the right ones.

Let’s use the example of two distinctly different companies — a pharmaceutical company and a beverage company. The pharmaceutical company cares much more about inventory than the beverage company. Why? Because for the beverage company to lose enough inventory to be material to finances, a criminal would need to roll in and ship out 10 truckloads of soft drinks.

For the beverage company, attention to inventory is lower, which means that the standard set of rules doesn't fit. “Rationalizing to make sure you are looking for the right things will help you set the rule books up,” Paterson said. Running those rules against the risks generates a large volume of findings, and the results are often astounding.

Getting Started

Achieving GRC starts with the upfront work of getting everything in line and setting a clean stage. But once you’re clean, how do you stay that way? Paterson offered these five tips for developing a successful SAP GRC strategy:

1. Establish Ongoing Controls

Use preventive controls and ongoing access analysis to make compliance a continuous process. Implement periodic access reviews and controls around provisioning, so that conflicting access is caught before it is granted rather than only after the fact. Staying clean requires continuous compliance procedures. In addition, assess risks (which requires accurate visibility into who can do what in the system) and the scenarios that could play out in the event of a breach, then create well-defined rules based on industry best practices.

2. Communicate

It’s important to have GRC knowledge at every level of the organization, especially given the survey’s finding that a distinct disparity exists between the security concerns of executives and those of frontline IT and security employees. Only 25 percent of executives reported being either very or extremely concerned about security, compared with 80 percent of the latter.

3. Train

Communicating and training across the company is critical. Organizations need to train managers and employees on GRC so that everyone is aware of their part in achieving compliance. Given the increased risks that arise when security concerns aren't taken seriously at the executive level, organizations should seek outside counsel if they need help raising understanding across the company.

4. Create a Strategy

The survey showed that a third of companies using SAP don’t have a GRC strategy in place, which is why it is critical to involve the C-suite as well as the frontline employees in developing a strategy. Then, keep both internal and external auditors informed of your strategy and of any changes.

5. Leverage Frameworks and Automation

To help map controls that are relevant to the business, leverage security and compliance frameworks such as the NIST Cybersecurity Framework, COBIT and ISO/IEC 27001. Enforce compliance by conducting ongoing access reviews and automate these where possible. Automation reduces the GRC burden on both IT and audit teams.
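To make tips 1 and 5, and the rule-book tailoring point from the pharmaceutical and beverage example, concrete, here is an added example of rule-based segregation-of-duties (SoD) access analysis. It is illustrative code written for this edit, not ERP Maestro's product or any SAP-provided tool. The users, roles, action names, rule IDs and risk weights are constructed for the example; in a real SAP landscape the "actions" would be transaction codes and authorization objects resolved from the role assignments. The same rule book is weighted differently per business profile, a detective review is run over all users, and a preventive check simulates a provisioning request before the role is granted.

```python
"""Added example: SoD access analysis with a per-business rule book.

All data below is constructed. Action names are stand-ins for SAP
transaction codes / authorization objects; roles, users and rule IDs are
hypothetical.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set, Tuple

RISK_LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    side_a: FrozenSet[str]  # any action here ...
    side_b: FrozenSet[str]  # ... combined with any action here is a conflict
    risk: str               # "low" | "medium" | "high"


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    risk: str
    actions: Tuple[str, ...]  # (action from side_a, action from side_b)


# Hypothetical standard rule book, shared by every business profile.
BASE_RULES = [
    SodRule("P2P-01", "Maintain vendor master and run vendor payments",
            frozenset({"VENDOR_CREATE", "VENDOR_CHANGE"}), frozenset({"PAYMENT_RUN"}), "high"),
    SodRule("P2P-02", "Create purchase orders and approve purchase orders",
            frozenset({"PO_CREATE"}), frozenset({"PO_APPROVE"}), "high"),
    SodRule("INV-01", "Post goods movements and adjust inventory counts",
            frozenset({"GOODS_ISSUE"}), frozenset({"INVENTORY_ADJUST"}), "medium"),
    SodRule("GL-01", "Post journal entries and maintain G/L accounts",
            frozenset({"JOURNAL_POST"}), frozenset({"GL_ACCOUNT_MAINTAIN"}), "medium"),
]

# Rationalization per business: same rules, different materiality.
# Inventory shrinkage is material for a pharmaceutical company, not for a
# beverage company, so only the risk weight of INV-01 changes.
RISK_OVERRIDES = {
    "pharma": {"INV-01": "high"},
    "beverage": {"INV-01": "low"},
}


def rule_book(profile: str) -> List[SodRule]:
    """Return the standard rules with the profile's risk weights applied."""
    overrides = RISK_OVERRIDES.get(profile, {})
    return [replace(r, risk=overrides.get(r.rule_id, r.risk)) for r in BASE_RULES]


def effective_actions(user_roles: Dict[str, Set[str]],
                      role_actions: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Resolve each user's roles to the union of actions those roles grant."""
    return {user: set().union(*(role_actions.get(r, set()) for r in roles))
            for user, roles in user_roles.items()}


def analyze(actions_by_user: Dict[str, Set[str]], rules: List[SodRule],
            min_risk: str = "low") -> List[Finding]:
    """Detective control: report every user holding both sides of a rule."""
    threshold = RISK_LEVELS[min_risk]
    findings = []
    for user, actions in sorted(actions_by_user.items()):
        for rule in rules:
            if RISK_LEVELS[rule.risk] < threshold:
                continue
            hits_a, hits_b = sorted(actions & rule.side_a), sorted(actions & rule.side_b)
            if hits_a and hits_b:
                findings.append(Finding(user, rule.rule_id, rule.risk, (hits_a[0], hits_b[0])))
    return findings


def simulate_provisioning(user: str, new_role: str, user_roles: Dict[str, Set[str]],
                          role_actions: Dict[str, Set[str]], rules: List[SodRule],
                          min_risk: str = "medium") -> List[Finding]:
    """Preventive control: the *new* conflicts that granting new_role would create."""
    current = {user: user_roles.get(user, set())}
    proposed = {user: current[user] | {new_role}}
    before = analyze(effective_actions(current, role_actions), rules, min_risk)
    after = analyze(effective_actions(proposed, role_actions), rules, min_risk)
    return [f for f in after if f not in before]


# Constructed sample data (not from any real system).
ROLE_ACTIONS = {
    "AP_CLERK": {"VENDOR_CREATE", "VENDOR_CHANGE", "INVOICE_ENTER"},
    "AP_PAYMENTS": {"PAYMENT_RUN"},
    "BUYER": {"PO_CREATE"},
    "PURCHASING_MGR": {"PO_APPROVE"},
    "WAREHOUSE": {"GOODS_ISSUE", "INVENTORY_ADJUST"},
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
}
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_PAYMENTS"},  # can create a vendor and pay it
    "bob": {"BUYER"},
    "carol": {"WAREHOUSE"},               # issues goods and adjusts counts
    "dave": {"GL_ACCOUNTANT"},
}

if __name__ == "__main__":
    for profile in ("pharma", "beverage"):
        print(f"--- periodic review, profile={profile}, min_risk=medium")
        for f in analyze(effective_actions(USER_ROLES, ROLE_ACTIONS), rule_book(profile), "medium"):
            print(f"  {f.user}: {f.rule_id} [{f.risk}] via {f.actions}")
    print("--- provisioning request: bob + PURCHASING_MGR")
    for f in simulate_provisioning("bob", "PURCHASING_MGR", USER_ROLES, ROLE_ACTIONS, rule_book("pharma")):
        print(f"  BLOCK: {f.user} would gain {f.rule_id} [{f.risk}] via {f.actions}")
```

Under the pharma profile the periodic review flags both alice (vendor master plus payment run) and carol (goods issue plus inventory adjustment); under the beverage profile carol's finding drops below the medium threshold, which is exactly the "don't look for the wrong risks" point. The provisioning check catches bob's PO create/approve conflict before the role is granted, which is what distinguishes a preventive control from a detective one.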

It’s an unavoidable reality that GRC frameworks must be completely integrated into organizational structures and roles from the top down to be successful. Although establishing the most effective strategy is a steep uphill battle, once you reach the summit, it’s merely a matter of maintenance and continued education.
