Providing SAP Cyber Security Peace of Mind
Serco Group plc is a British outsourcing company with a global presence that serves national and local governments and leading companies.
By focusing on the needs of the people they serve, Serco enables its customers to deliver better outcomes. Its frontline delivery includes providing safe transport, finding sustainable jobs for the long-term unemployed, helping patients recover more quickly, improving the local environment, rehabilitating offenders, protecting borders and supporting the armed forces.
Serco also manages crucial business processes for both public and private sector organisations. This frees them to focus on their core operations, while delivering tangible benefits to their customers - from faster mortgage approvals to better online shopping.
“Speaking with Turnkey helped open our eyes to the area of cybersecurity within applications.”
Challenge
Serco’s focus was to evaluate cyber threats across their entire infrastructure and prioritise their investment in remediation. They wanted to assess their SAP systems’ cyber-resilience as part of this broader cyber control programme, to understand the risk position of their SAP estate and to see whether or not it warranted an expedited outlay to address it.
“Our leadership team had prioritised controls and wanted to strengthen them across the board,” explains Gerald West, Head of Security and Controls Assurance at Serco. “One of the areas we were looking at was cyber security for the outer perimeter and traditional IT assets. We also needed to look at our application assets, with an initial focus on SAP, to understand the risks and whether we needed to look at application security as a priority.”
With a long-standing relationship in place, Serco turned to Turnkey Consulting for support. “The cyber piece is just one strand in a whole drive for us to strengthen our environment,” continues West. “We didn’t just need technically capable people focused on our systems. We wanted experts in security and controls who could bring together the three areas of business process, risk management and technical capability. Getting all three together is very difficult to find, and our existing partners are not in a position to provide all three. We recognised the value of Turnkey in providing strong, senior experts who would come in, work with our colleagues and partners, drive the process and bring it all together.”
Solution
Turnkey performed a vulnerability assessment to evaluate the SAP vulnerabilities in relation to cyber risk. The assessment was carried out against 15 SAP systems, including core SAP ERP, HR, CRM, BW, SRM, Solution Manager, PI and Portal.
While the process could have been done manually, Turnkey used a tool from the Onapsis suite to help expedite the assessment process, ultimately delivering cost savings for Serco.
The assessment was carried out against all core SAP systems across Serco, globally, which has in the region of 50,000 users.
Turnkey Consulting’s assessment evaluated the configuration and setup of Serco’s SAP environment, looking for known weaknesses and vulnerabilities. This focused on elements such as configuration, missing patches and inappropriate permissions, and provided a thorough assessment of the technical setup of the global SAP environment.
Supporting the process, Turnkey connected the Onapsis tool to the SAP systems in order to run automated tests. This delivered a report listing the issues found, the severity of each issue and a related remediation activity.
Turnkey then assessed each risk and what it actually meant to Serco. This was fed back into the broader programme to determine how and when the relevant resolutions and remediation should be carried out. During this process, Turnkey provided guidance and prioritisation on how to achieve resolution with in-house resources.
“The project delivered a great deal of really valuable information, categorised by the effort needed to remediate and the impact that remediation would have. It was a really effective way of prioritising,” highlights West. “A number of the issues were fairly high risk and some were new to us that we would not have picked up otherwise. So far, we’ve addressed all low effort/high impact issues. The others we are looking to put into a wider programme of work and to get sponsorship to complete.”
Benefits
- Clarity of immediate risks: The assessment gave Serco confidence in its understanding of the current landscape, its weaknesses in relation to cyber risk, and a clear view of the effort and actions required to remediate them.
- Broader risk understanding: The process also provided an understanding of the broader control environment in relation to cyber risk. Turnkey found areas of risk that had already been mitigated by Serco’s comprehensive network design.
- Stakeholder satisfaction: “The assessment has provided great feedback to the team and to our senior stakeholders,” says West. “From a benchmarking perspective we are in a better position than we thought compared to our peers. This is a great message for stakeholders to appreciate though we still have much work to do.”
- Cyber threat visibility: “We now have the awareness and clarity around what our current exposure is from an application cyber threat vulnerability perspective,” highlights West.
- Better understanding: “It’s been useful to learn about the vulnerabilities and what types of actions we can take to mitigate these risks,” continues West. “Understanding the cyber agenda is a useful, motivational driver to help keep systems safe. We now know that SAP cyber vulnerability is an area that we do need to consider.”
Summary
Now that Serco understands the risks and has mitigated the low effort/high risk items, it will be looking to consolidate the outstanding remediation actions into a project:
“Although our network security provides a strong defence for the SAP applications and has been seen as mitigation in its own right, there is still a desire to resolve the issues found. We are confident in the knowledge that we do have robust network security controls in place, meaning that the external threat is partly mitigated. We still need to address some application level vulnerabilities, which could be exploited e.g. by rogue internal administrators. The main body of remediation will be executed through a project that is currently in development.”