SAP security teams face a growing set of challenges in safeguarding their SAP systems. Heightened enterprise risk (such as the rising threat of cyber attacks and tightening data protection regulation) and the growing complexity of the SAP environment are combining to create a widening capability gap in many companies. Broadly, there are three main challenges that those responsible for SAP security and controls must overcome to bridge this gap.
The first is a straightforward lack of resources. Financial constraints are forcing some SAP security teams to do more with less, which results in an inefficient security design and very limited time to manage risk and compliance properly. Such a shortfall in resources prevents organisations from proactively mitigating risk events.
Under-resourced teams are normally focused on reactive measures to manage known risks, often using manual processes. This is directly linked to the second challenge, a lack of effectiveness, which sees teams running fragmented, costly and ineffective processes, mostly in the absence of a robust control framework such as a maintained Segregation of Duties (SoD) matrix. SAP controls are therefore poorly set up or out of date, and visibility into an organisation's risk and compliance status is severely restricted.
The third challenge, a lack of engagement, is arguably the issue that most impacts SAP security and governance, risk and compliance (GRC) practitioners, as well as the wider organisation. Inconsistent board-level support and funding often leads to a 'stop-start' approach to improving SAP security and controls practices.
Without true alignment, risk and compliance processes are rarely standardised or embedded within the business, and key decisions are often made without accurate risk insights.
A business falling short in any of these areas is almost certainly carrying a high level of risk, as well as incurring excessive hidden costs. The combination of these three factors often means risks aren't spotted until external auditors find them, creating a continuous cycle of wasted time and expense.
Higher stakes, bigger risks, greater complexity
The average cost of a single data breach to a global business is circa $3.8m, according to The Ponemon Institute in 2016. With statistics like this one, it is easy to understand why executive boards are losing sleep over their organisation's potential exposure.
According to a report by Onapsis in 2015, 95% of the SAP systems they assessed were exposed to vulnerabilities that would enable attackers to take control of the businesses that depend on them. While many disputed this claim, their report understandably led to a wave of concern.
It is a common myth that the SAP platform can only be breached from inside the network or by a highly sophisticated cyber criminal.
In reality, there is no such thing as a purely internal network anymore. Perimeters have dissolved, with most SAP systems now reachable from the internet (via web apps, mobile clients, Software-as-a-Service integrations and so on). At the same time, social engineering attempts are increasing, and more employees are being manipulated into divulging confidential or personal information for fraudulent purposes.
Recent reports also suggest a greater proliferation of cyber attacks than ever before, and SAP research shows 65% of companies are experiencing more Advanced Persistent Threats (APT) and targeted attacks on their businesses.
Further compounding this risk is the evolving complexity of the SAP landscape itself. With each SAP roll-out, upgrade, additional application or custom development, a system becomes more difficult to manage, with issues caused by:
- Legacy SAP systems that have not been properly migrated to ECC 6.0
- The volume of legacy interfaces resulting from M&A activity
- A mix of manual and automated processes resulting from M&A activity
- Global SAP footprints vs local configuration, interfaces and custom ABAP
- Increased SAP functionality – HCM, CRM, BI, Mobile & custom apps
- The creation of hybrid environments using cloud-based applications
- Integration with SAP HANA & S/4 HANA environments
Even in well-resourced enterprises, such complexities are leading to a significant capability gap - a major concern given how critical the security of the ERP system is to a business.
Onapsis refer to a Chief Information Security Officer (CISO) from a Fortune 100 food and beverage company who estimated that if the organisation's SAP system were taken offline, it would cost the business $22,000,000 per minute. High stakes indeed.
Addressing the capability gap
With the likelihood of a major risk event higher than ever, a timely shift is required for GRC and SAP security practitioners to fill the void.
The starting point is to acknowledge that the key requirements of an SAP security team just a few years ago are some way behind what is needed today. Where previously the primary focus was on securing SAP systems through Segregation of Duties (SoD) controls, a more integrated and holistic approach to risk management is now called for.
Critical components of an integrated risk management operation are continuous, real-time monitoring and reporting. In many cases, historic risk reporting has been static and largely based on limited data or practitioner knowledge, both of which leave information open to interpretation. This is no longer enough.
Continuous controls monitoring evaluates every user, role and transaction in the SAP system against the control set, rather than a manual approach that can only cope with a random sample of transactions at any one time.
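To make the difference between a sampled review and a continuous check concrete, here is an added example (not code from the original article or from any SAP or GRC product) of a small SoD engine in Python. It flattens SAP-style user-to-role and role-to-transaction assignments, evaluates every user against an SoD matrix, separates open conflicts from those covered by an approved mitigating control, and offers a preventive check that reports the new conflicts a proposed role assignment would introduce. The transaction codes are real SAP codes, but the roles, users, rule IDs and mitigation register are constructed sample data.

```python
"""Toy segregation-of-duties (SoD) engine over SAP-style role assignments.

Added example; the roles, users, rule IDs and mitigation register are
constructed sample data, not exported from a real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    left: frozenset   # transaction codes on one side of the conflict
    right: frozenset  # transaction codes on the other side


# Constructed SoD matrix: holding any tcode in `left` together with any
# tcode in `right` is a conflict under that rule.
SOD_RULES = [
    SodRule("P2P-01", "Maintain vendor master and run vendor payments",
            frozenset({"XK01", "XK02", "FK01"}), frozenset({"F110"})),
    SodRule("P2P-02", "Create purchase order and post vendor invoice",
            frozenset({"ME21N"}), frozenset({"MIRO"})),
    SodRule("BASIS-01", "Maintain users and maintain roles",
            frozenset({"SU01"}), frozenset({"PFCG"})),
]

# Constructed role -> transaction codes (what a PFCG role would grant).
ROLE_TCODES = {
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_PURCHASING": {"ME21N", "ME23N"},
    "Z_AP_INVOICE": {"MIRO", "MIR4"},
    "Z_BASIS_USERS": {"SU01"},
    "Z_BASIS_ROLES": {"PFCG"},
}

# Constructed user -> roles (what SU01 / SUIM would report).
USER_ROLES = {
    "ALICE": {"Z_VENDOR_MASTER", "Z_AP_PAYMENTS"},
    "BOB": {"Z_PURCHASING"},
    "CAROL": {"Z_BASIS_USERS"},
    "DAVE": {"Z_PURCHASING", "Z_AP_INVOICE"},
}

# Constructed register of approved mitigating controls: (user, rule_id)
# pairs where a compensating review has been signed off.
MITIGATIONS = {("ALICE", "P2P-01")}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Flatten a user's roles into the set of transactions they can run."""
    tcodes = set()
    for role in user_roles.get(user, ()):
        tcodes |= role_tcodes.get(role, set())
    return tcodes


def conflicts_for(tcodes, rules=SOD_RULES):
    """Return the SoD rules violated by a set of transaction codes."""
    return [r for r in rules if tcodes & r.left and tcodes & r.right]


def run_sod_report(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                   rules=SOD_RULES, mitigations=MITIGATIONS):
    """Evaluate every user (not a sample); split hits into open vs mitigated."""
    report = {"open": [], "mitigated": []}
    for user in sorted(user_roles):
        held = effective_tcodes(user, user_roles, role_tcodes)
        for rule in conflicts_for(held, rules):
            bucket = "mitigated" if (user, rule.rule_id) in mitigations else "open"
            report[bucket].append((user, rule.rule_id))
    return report


def check_assignment(user, new_role, user_roles=USER_ROLES,
                     role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Preventive check: rule IDs that granting `new_role` would newly violate."""
    before = effective_tcodes(user, user_roles, role_tcodes)
    after = before | role_tcodes.get(new_role, set())
    already = {r.rule_id for r in conflicts_for(before, rules)}
    return [r.rule_id for r in conflicts_for(after, rules) if r.rule_id not in already]


if __name__ == "__main__":
    for bucket, hits in run_sod_report().items():
        print(bucket, hits)
    print("CAROL + Z_BASIS_ROLES ->", check_assignment("CAROL", "Z_BASIS_ROLES"))
```

The detective report and the preventive check share one rule set, which is the point of a single control framework: the same SoD matrix that the auditor samples against is the one evaluated on every assignment change. In a real landscape the role-to-transaction data would come from the authorisation tables behind PFCG and the user-role data from SU01 or SUIM exports, and the mitigation register would be the formally approved exceptions, not an in-code set.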
This is just one of many capabilities needed for an efficient and effective risk management programme. As the toolset and skills needed to make it happen continue to expand, many SAP leaders are now questioning whether a ‘do-it-yourself’ approach to SAP GRC is a sustainable long-term strategy.
Implementing SAP GRC functionality and handing routine SAP system development and IT maintenance activities over to an experienced support partner can alleviate much of the burden. It can certainly overcome the resourcing challenge, enabling internal SAP security teams to focus on increasing effectiveness and alignment with the business.
Historically, most companies have rejected third-party process support for SAP GRC, the biggest concern most often being a fear of losing visibility of the risks. Yet, when done collaboratively with the right analytical framework in place, an organisation's risk and compliance status can be viewed at any time, no matter who is managing the process.
Further, if the DIY approach only provides a partial view of an organisation's risk position anyway, then there is much more to gain from an end-to-end solution.
Is it time you reconsidered your approach?