The honest answer; probably not
While ERP’s like SAP provides your company with a powerful tool in order to increase your efficiency and productivity, they also serve as a potential playground for vicious cyber criminals looking to exploit loopholes in your systems.
According to an IDC survey of 430 IT decision-makers conducted by Onapsis, a significant 64 % have reported a breach in their ERP platform within the last 24 months. So, while you might not be able to fully prevent the attack from happening, you can most definitely take some security measures in order to protect your company and organization and minimize the damage from a possible cyber-attack.
What devastating effects can a cyber-attack have on your SAP platform?
- Sensitive information and data can be stolen and sold to third parties
- Present information and details can be modified
- Access can be gained to delete many major processes and data in the system
- Financial fraud can be carried out – with withdrawals of money and manipulation with bank accounts
- The whole system could potentially be disrupted and sabotaged
Basically, a cyber-attack can shut down a whole company or organization within a very short amount of time.
How can Segregation of Duties (SoD) minimize the damage from a potential cyber-attack?
To quote Jon Oltsik, Senior Principal Analyst and Fellow, from Enterprise Strategy Group (ESG) – “At least three US States will declare states of emergency due to waves of ransomware in 2020. Ransomware, which carried a price tag of over $10 billion this year in attacks, will continue to plague state and municipal agencies lacking appropriate skills, controls, and ransomware countermeasures. If that isn’t worrisome enough, we predict there’s a 20 percent chance this could escalate to a national level”
How can Segregation of Duties (SoD) minimize the damage from a potential cyber-attack?
While it is very difficult to prevent a cyber-attack, it is still possible to take certain security measures in order to keep the damage at a minimum. Many companies and organizations turn a blind eye to both access and internal control, leaving themselves vulnerable and not able to cope with the damage once it happens. Segregation of Duties is a process that is often neglected due to the perception that an SoD tool is complex, expensive, and has a long implementation time.
While some of the assumptions might be true, we usually ask our customers one question: how can you afford NOT to invest in an SoD tool? The numerous examples mentioned earlier are just the tip of the iceberg. If Segregation of Duties had been used in those examples prior to the cyber-attacks – then there is a possibility that the damage would have been less severe or maybe even completely avoided for the companies involved.
With an effective Segregation of Duties implementation and Access Control process – cybercriminals will not be able to execute the critical functions that make your IT systems and organizations vulnerable to cyber-attacks. Just a couple of examples of what Access Control and SoD can prevent:
- Less risk for financial fraud. Segregation of Duties ensures that no single SAP user can execute two critical financial functions at the same time. So if cybercriminals get access to an SAP user in your system – they might be able to change a bank account number, but they would not be allowed to withdraw money or post a customer payment to that account, and vice versa.
- Less risk for sensitive information and data getting stolen. With Segregation of Duties, you can restrict how much data and information an SAP user actually has access to. If, for example, a cybercriminal gets access to an SAP user in your organization, SoD ensures that this user does not have access to all critical data in the system. So while it is hard to prevent a single user from getting hacked – it is possible to restrict and limit the amount of data being stolen and misused.
- Almost no risk for your company or organization shutting completely down. Like in some of the prior examples in this article, Segregation of Duties would help by minimizing the risk of your SAP system getting locked, deleted, or shut down by cybercriminals. Furthermore, after a successful SoD implementation through Access Control, you can easily control and monitor which users have access to all the critical roles and transaction codes needed in order to completely shut down a system.
The benefits of Access Control and Segregation of Duties are numerous, and the need for both will only increase in the future as technology evolves and data slowly becomes the main “currency” in the world we live in.
Follow us on LinkedIn and get instant access to our latest articles and posts on SAP and compliance.
