A recent Strategic CFO Webinar covered the topic of “Managing Cyber Risk For Your Most Critical Resources.” This blog is an extract of the discussion. To hear the full Webinar, please click here.
ERP systems have grown over the years. They are no longer merely systems of record: for many organizations they are now the backbone and enabler of open, connected commerce.
That growth, according to Michael Holland, Deloitte UK SAP security executive, is exactly what makes them vulnerable. “ERP systems have lots of information and resources within them. The extent to which that could be exploited is not well understood by executives.”
At the same time, traditional technical defenses are being eroded by the ways people now access information and systems, and by the many channels customers, partners, and employees use to communicate, each of which widens the attack surface and raises the risk of a breach.
That’s why Holland thinks finance executives need to be fully involved in cybersecurity. “Finance executives understand the language of risk management and excel at it, which is why I believe they ought to be influencing security strategies.”
It’s not just risk management that finance executives understand. It’s also return on investment. Cybercrime certainly has a very good return on the investments criminals make. But so does an organization’s security strategy. “Finance executives can help organizations evaluate and quantify the risks to ERP security in order to understand what they need to do,” says Holland.
ERP landscapes that have grown organically, or through mergers and acquisitions, are unlikely to be uniformly secure. So Holland advises companies to “look at vulnerability assessments and threat detection to start addressing how you can manage the security of your complete ecosystem.” In his view, the essential step is for organizations to move to a continuous state of vulnerability assessment rather than periodic, point-in-time reviews.
Dr. Neil Patrick, director of the GRC Centre of Excellence (EMEA) at SAP, agreed that the digital world is a game-changer when it comes to cybersecurity. “There is no concept of a boundary any more, where the outsiders can be held at bay and the insiders kept safe.”
To prove his point, Patrick quoted Rod Beckstrom, author, former president and CEO of ICANN, and former director of the US National Cybersecurity Center. “There are three laws for the connectivity of things. Law 1: Everything that is connected to the Internet can be hacked. Law 2: Everything is being connected to the Internet. Law 3: Everything else follows from the first two laws.”
So what can be done when it’s almost a given that the outer layers of an organization’s defenses will be breached at some point? According to Patrick, companies need three capabilities. First, recognizing that cyber criminals are going after the crown jewels held in enterprise applications, they need the capability to analyze application logs and pinpoint activity that does not show up, or cannot be interpreted, in other analyses.
Second, they need to be able to understand events happening across systems and logs in context. Third is the capability to process very large volumes of data in real time to identify suspicious behavior: for example, an employee who repeatedly transfers large amounts of data outside business hours, or an apparently legitimate login with no HR record associated with it.
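The two behaviours Patrick cites make a useful concrete target for the second and third capabilities, so here is an added example of what that detection logic looks like in practice. This is illustrative code written for this page, not SAP's or Deloitte's tooling: the log records, the HR roster, the field names, the working-hours window, the 500 MB threshold and the "three or more" repeat count are all constructed assumptions. It runs two rules over application-level events (successful logins whose user has no active HR record; repeated large out-of-hours exports) and then correlates the two signals per user, which is the "in context" step that neither log shows on its own.

```python
"""Detection logic over constructed ERP-style events (added example, not from the webinar).

Rule 1: a successful login whose user has no active HR record (ghost or orphaned account).
Rule 2: a user who repeatedly exports large volumes of data outside business hours.
Correlation: a user hit by both rules is escalated, since neither log alone tells the story.

Every record and threshold below is a constructed assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed HR master data: who is a current employee.
HR_ROSTER = {
    "jsmith": {"status": "active"},
    "alee": {"status": "active"},
    "rgarcia": {"status": "terminated"},  # has left; the ERP account still exists
}

# Constructed ERP authentication events (shape modelled on a security audit log export).
AUTH_EVENTS = [
    {"ts": "2024-03-04T08:55:10", "user": "jsmith", "system": "ERP-PRD", "result": "success"},
    {"ts": "2024-03-04T09:02:44", "user": "alee", "system": "ERP-PRD", "result": "success"},
    {"ts": "2024-03-04T22:14:03", "user": "rgarcia", "system": "ERP-PRD", "result": "success"},
    {"ts": "2024-03-05T02:31:19", "user": "svc_batch99", "system": "ERP-PRD", "result": "success"},
    {"ts": "2024-03-05T02:31:40", "user": "nobody", "system": "ERP-PRD", "result": "failure"},
]

# Constructed data-export events: bytes a user moved out of the system.
TRANSFER_EVENTS = [
    {"ts": "2024-03-04T10:15:00", "user": "alee", "bytes": 2_000_000},
    {"ts": "2024-03-04T22:20:11", "user": "rgarcia", "bytes": 850_000_000},
    {"ts": "2024-03-04T23:05:42", "user": "rgarcia", "bytes": 910_000_000},
    {"ts": "2024-03-05T01:48:07", "user": "rgarcia", "bytes": 780_000_000},
    {"ts": "2024-03-05T03:00:00", "user": "jsmith", "bytes": 600_000_000},  # one-off, not repeated
]

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed working hours, Mon-Fri
LARGE_TRANSFER_BYTES = 500_000_000                       # assumed "large" threshold
REPEAT_COUNT = 3                                         # assumed meaning of "repeatedly"


def parse_ts(s):
    return datetime.fromisoformat(s)


def out_of_hours(ts):
    """True on weekends or outside the assumed working-hours window."""
    if ts.weekday() >= 5:
        return True
    return ts.time() < BUSINESS_START or ts.time() >= BUSINESS_END


def logins_without_hr_record(auth_events, roster):
    """Rule 1: successful logins for users with no active HR record."""
    findings = []
    for ev in auth_events:
        if ev["result"] != "success":
            continue
        rec = roster.get(ev["user"])
        if rec is None or rec["status"] != "active":
            findings.append({
                "rule": "login_without_hr_record",
                "user": ev["user"], "ts": ev["ts"], "system": ev["system"],
                "hr_status": rec["status"] if rec else "missing",
            })
    return findings


def repeated_out_of_hours_transfers(transfer_events, threshold=LARGE_TRANSFER_BYTES,
                                    repeat=REPEAT_COUNT):
    """Rule 2: users with at least `repeat` large exports outside business hours."""
    by_user = defaultdict(list)
    for ev in transfer_events:
        if ev["bytes"] >= threshold and out_of_hours(parse_ts(ev["ts"])):
            by_user[ev["user"]].append(ev)
    return [
        {"rule": "repeated_out_of_hours_transfers", "user": user,
         "count": len(evs), "total_bytes": sum(e["bytes"] for e in evs)}
        for user, evs in sorted(by_user.items()) if len(evs) >= repeat
    ]


def run_detections(auth_events=AUTH_EVENTS, transfer_events=TRANSFER_EVENTS, roster=HR_ROSTER):
    """Run both rules and correlate them: a user in both is escalated."""
    login_hits = logins_without_hr_record(auth_events, roster)
    transfer_hits = repeated_out_of_hours_transfers(transfer_events)
    both = {f["user"] for f in login_hits} & {f["user"] for f in transfer_hits}
    return {
        "login_without_hr_record": login_hits,
        "repeated_out_of_hours_transfers": transfer_hits,
        "high_priority_users": sorted(both),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(rule, hits)
```

On this constructed data the terminated user rgarcia is flagged by both rules and escalated, the service account svc_batch99 is flagged only for having no HR record, and jsmith's single late-night export is not reported because it does not repeat. The point is the join across HR data, the authentication log and the export log: each source alone is noisy, and the correlation is what turns three logs into one actionable finding.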
Bringing the discussion to a conclusion, Patrick observed that effective cybersecurity cannot be delivered by a single tool. Instead it requires an integrated set of solutions that includes risk management, access control, threat detection, fraud management, process control, code vulnerability analysis, and cyber-regulation management.
To hear the complete Webinar, and to get more recommendations about securing your enterprise applications, click here.