5 Steps to Secure ERP
1. Generating awareness and establishing strategy
Because attackers often enter SAP systems without leaving any traces, it takes, according to a study by Accenture, an average of up to 80 days before an attack is detected at all. Resolving the incident and closing the vulnerability then takes another 50 days.
2. Creating transparency on SAP risks
CIOs need comprehensive transparency to assess SAP security status. This transparency cannot be achieved with the widespread "Three Lines of Defense" model, which provides them with reports from three different departments.
- The first line is the SAP department, whose reports usually do not cover all security-relevant aspects. After all, which developer likes to admit to having produced faulty custom ABAP code or to being responsible for inadequate system settings?
- The second line, the IT security department, is usually unaware of the SAP-specific risks because it has no SAP knowledge. If something goes wrong in the SAP landscape, those responsible cannot correctly interpret the corresponding warnings from the IT monitoring systems.
- The third line, internal audit, has similar know-how deficits. Even where it commissions external service providers to perform SAP penetration tests, it simply forwards the results to the SAP department without understanding the actual problems.
IT managers are therefore well advised to obtain transparency about the current SAP risks themselves. A first step is an automated vulnerability analysis that examines and evaluates custom code, system configurations, basic permissions and transport history. This allows vulnerabilities to be identified and eliminated, and targeted measures to be taken against future SAP vulnerabilities. It is important that the security understanding gained in this way is shared by all areas of the company and does not stop at departmental borders.
3. Mastering the tightrope walk between cost and security
CIOs face the great challenge of finding a balance between cost and security. After all, they have long since ceased to be solely responsible for the IT infrastructure in the company, but must assume an ever greater strategic role in the course of digitization and act as a driver of value creation. They are increasingly measured by revenue growth and must ensure that their IT expenditures achieve a high return on investment (ROI).
At the same time, IT managers are increasingly forced to deal with the prevention of security threats. These threats do not come only from external attackers; in the SAP environment in particular, many attacks originate from a company's own employees. If CIOs invest too little in a sustainable IT and SAP security strategy, the resulting damage to their company can be devastating.
Besides the cost of detecting and remediating attacks, there are the costs of industrial espionage, data manipulation and data theft, fines and system downtime. Security incidents are also regularly accompanied by a severe loss of public image and trust.
4. Understanding legal provisions as an opportunity
Parallel to the cyber attacks on the SAP systems, the number of external compliance and security guidelines is growing. The EU General Data Protection Regulation (GDPR), which formulates strict rules on the processing of personal data, places special requirements on the CIOs. Its aim is to ensure the confidentiality and protection of data and to confer certain rights on data subjects. To this end, companies are required to manage data securely. For example, there must always be transparency about which data is stored where, by whom it is processed and in which way, and who bears responsibility in the event of data misuse.
But the EU GDPR also offers CIOs the opportunity to work even more specifically on an effective IT and SAP security strategy, because it requires a variety of technical and organisational measures to prevent personal data from being destroyed, altered, disclosed without authorisation or lost entirely. A company that violates the GDPR faces, in addition to the financial and reputational damage, draconian fines of up to four percent of its global annual turnover or up to 20 million euros.
5. Establishing automation as the standard remedy
Whether Internet of Things (IoT), digital transformation, cloud services or e-mobility: with each of these major future trends, the ERP attack surface grows rapidly. Increasing interconnection leads, among other things, to more interfaces that can serve as entry points into the SAP systems. This makes it all the more urgent that the SAP security measures a CIO decides on today are sustainable and cover all security-relevant areas.
For this purpose, automated analysis and evaluation of the individual test areas is advisable, since manual controls are far too laborious and prone to quality defects. In addition, continuous monitoring enables those responsible to receive warnings promptly in the event of security incidents and to counter them.
Companies should incorporate appropriate tools into SAP development processes from the very beginning. This is particularly true of the DevOps concept, which combines continuous high throughput with agility and high quality standards. Secure DevOps is a new technical security approach that combines appropriate testing tools to meet security requirements throughout the entire SAP software lifecycle.
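The automated vulnerability analysis of system configurations described in section 2, and the kind of check section 5 wants running continuously inside the SAP development process, can be illustrated with a small profile-parameter baseline check. This is an added example, not code from the original article or from any vendor tool; the profile contents are constructed, and the thresholds are an assumed illustrative baseline rather than an official SAP recommendation.

```python
# Constructed sample of an SAP instance profile ("param = value" lines, as in DEFAULT.PFL).
WEAK_PROFILE = """\
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 0
rdisp/gui_auto_logout = 0
auth/rfc_authority_check = 1
"""

# Illustrative baseline: parameter -> (operator, threshold, finding text). The parameter
# names are real SAP profile parameters; the thresholds are an assumed hardening baseline.
BASELINE = {
    "login/min_password_lng": (">=", 8, "minimum password length below 8"),
    "login/fails_to_user_lock": ("<=", 5, "more than 5 failed logons before user lock"),
    "login/password_expiration_time": ("between", (1, 90), "passwords never expire or expire after more than 90 days"),
    "login/no_automatic_user_sapstar": ("==", 1, "automatic SAP* fallback user not disabled"),
    "rdisp/gui_auto_logout": ("between", (1, 3600), "idle SAP GUI sessions are never logged out"),
    "auth/rfc_authority_check": (">=", 1, "RFC authorization check switched off"),
}

_OPS = {
    ">=": lambda v, t: v >= t,
    "<=": lambda v, t: v <= t,
    "==": lambda v, t: v == t,
    "between": lambda v, t: t[0] <= v <= t[1],
}

def parse_profile(text):
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        params[key.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return params

def check_profile(text, baseline=BASELINE):
    """Return (parameter, observed value, finding) for every deviation from the baseline.
    A parameter absent from the profile is reported too: the kernel default then applies."""
    params = parse_profile(text)
    findings = []
    for param, (op, threshold, why) in baseline.items():
        value = params.get(param)
        if value is None:
            findings.append((param, None, "not set in profile; kernel default applies"))
        elif not isinstance(value, int) or not _OPS[op](value, threshold):
            findings.append((param, value, why))      # non-numeric values are findings as well
    return findings
```

Run against the constructed profile, every parameter except `auth/rfc_authority_check` is reported; in a pipeline the non-empty result would fail the build step, which is the automated gate the Secure DevOps approach above calls for.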