Perhaps you've seen this puzzle recently as it's been making its rounds on the internet. If not, take a look. Can you solve it by identifying the murderer? Is it the man in the blue shirt? The man in the orange shirt just outside the bathroom door? Could it be the woman? The man in the red shirt? Or, finally, is it the waiter?
If you are like many others who've donned their thinking caps you should be able to deduce the answer fairly quickly (if it's not as clear yet, read on until the end for the answer.) As it so happens, many parallels can be drawn between this popular puzzle and a real-life IT scenario. By parallels we don't mean anything morbid or macabre like murder - we are referring instead to the mystery of cybersecurity threats that start within your company's own walls.
With 2017 being the year of breaches (almost 50 data breaches reported during the year), it is no surprise that data security will rise to be a key focus for companies through 2018. It is interesting to note, however, that not all of these crimes are the result of malevolent, seasoned hackers; a whopping 60% of them were the work of insiders who unknowingly or intentionally committed an act that led to a breach. Here are some more facts on internal threats in cybersecurity.
Are you able to solve the puzzle of internal cybersecurity within your organization?
For most, it is challenging to pick out the perpetrator, especially because most breaches or mishaps happen due to improper access to business systems, such as enterprise resource planning (ERP) systems, which are particularly complicated technology environments. And most access violations are innocent human mistakes. Regardless of the intention, the global average cost of a data breach is $3.63M, and that is a number to be reckoned with.
In all the reports of internal threats in the recent months, there has been one primary culprit – weak internal controls around access to programs and data. Is your organization susceptible to threats due to this type of weakness? If you're not sure, there are definite clues to watch out for.
Clue #1: Undefined risks and control matrices as they relate to access
Are your risks being defined based on the specific type of business or is a one-size-fits-all approach being used? If the latter, then there is a higher risk factor associated and it is imperative to understand the specific risks as they apply to the specific industry, define them, and continue to monitor them through an effective risk assessment process.
Clue #2: Flawed role design
Are you regularly monitoring your SAP role structure to ensure an effective role design? Over time, job roles change, employees turn over, and roles that are not updated become "bloated", eventually undermining the integrity and intended security of the role design. It is important to keep the role design as simple as possible to facilitate ongoing maintenance. Complex role structures not only require more hours and manual intervention by security administrators to process any new requests for access, but also pose a greater threat of new risks being added to the system.
Clue #3: Ineffective provisioning process
Do you suspect you have an ineffective user provisioning process? If so, you may be experiencing some of the issues below:
1. Lack of approvals for provisioning requests (new users and change of users)
2. Terminated users who still have access or users who have their access compounded as they changed positions
3. Circumventing a long process (sometimes the bane of productivity) could lead to sharing of passwords, or other quick fix solutions that leave the data unprotected and exposed
4. Lack of visibility to predict if new risks are being created
Clue #4: Too much use of SAP_ALL
Do you have employees with complete or significant amounts of access across an entire financial system? A powerful administrator can literally get away with a crime, as they have the power to do anything and remove all trace of their actions. It is crucial to implement processes and procedures for the management of super user access.
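The provisioning symptoms under Clue #3 and the super-user concern under Clue #4 are all checkable from an access export. The following is an added example, not code from the original post or from any SAP product: it runs a simple access review over constructed user records (the `User` shape, the role-to-approver mapping and the sample IDs are assumptions, loosely modelled on what an SAP user/role export contains) and flags terminated users still provisioned, roles carried over from a previous position, roles with no recorded approval, and direct SAP_ALL/SAP_NEW profile assignments.

```python
from dataclasses import dataclass, field

# Blanket profiles that bypass the role design entirely (Clue #4).
SUPER_PROFILES = {"SAP_ALL", "SAP_NEW"}


@dataclass
class User:
    """Constructed record shape; assumption, not an SAP table layout."""
    bname: str                 # SAP user ID
    hr_status: str             # "active" or "terminated", from the HR feed
    position: str              # current position according to HR
    # role -> (position the role was granted for, approver or None if unapproved)
    roles: dict = field(default_factory=dict)
    profiles: set = field(default_factory=set)   # directly assigned profiles


def review_access(users):
    """Return (user, finding) pairs for the clues listed above."""
    findings = []
    for u in users:
        # Clue #3, item 2: leavers who still hold roles or profiles
        if u.hr_status == "terminated" and (u.roles or u.profiles):
            findings.append((u.bname, "terminated-but-still-provisioned"))
        for role, (granted_for, approver) in sorted(u.roles.items()):
            # Clue #3, item 1: no approval on record for the grant
            if approver is None:
                findings.append((u.bname, f"unapproved-role:{role}"))
            # Clue #3, item 2: access compounded across a position change
            if granted_for != u.position:
                findings.append((u.bname, f"stale-role-from-{granted_for}:{role}"))
        # Clue #4: super-user profiles assigned directly to a user
        for p in sorted(u.profiles & SUPER_PROFILES):
            findings.append((u.bname, f"super-profile:{p}"))
    return findings


# Constructed sample data; user IDs, roles and approvers are invented.
SAMPLE_USERS = [
    User("JDOE", "active", "AP_CLERK", {"Z_AP_INVOICE": ("AP_CLERK", "MGR1")}),
    User("ASMITH", "active", "AP_MANAGER",
         {"Z_AP_INVOICE": ("AP_CLERK", "MGR1"), "Z_AP_APPROVE": ("AP_MANAGER", "MGR2")}),
    User("BLEE", "terminated", "CONTROLLER", {"Z_GL_POST": ("CONTROLLER", "MGR2")}),
    User("BASIS1", "active", "BASIS", {"Z_BASIS_OPS": ("BASIS", None)}, {"SAP_ALL"}),
]

if __name__ == "__main__":
    for bname, finding in review_access(SAMPLE_USERS):
        print(f"{bname:8} {finding}")
```

In a real review the records would be loaded from the system's user and role assignment exports and the HR feed rather than built inline.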
Clue #5: Gaps between business and IT
Is there a siloed communication structure when it comes to who should have access to what within your organization? Typically, managers or business process owners know their functions well enough to give this direction to IT but may assume that "IT has it covered". Conversely, IT has the capability to make whatever changes to access are needed in the system, but really doesn't have it covered because they lack the business context to understand where the risks are in the first place. Talk about wires crossing! The big question here is this: who owns the risk? Ensure that the business is bought in and holds a stake in securing the company's systems and data. Only then, when the business and IT jointly own the risk, can the issue of preventing internal breaches be effectively solved.
If you have been a witness to any of the scenarios above, it is time to seriously consider automating access controls in SAP. To hear more about common SAP security risks, take a listen to this on-demand webinar or visit us at SAP Sapphire Now 2018 booth #1226 where you can see a LIVE demo on how to solve this puzzle.
Now, here's the answer to the puzzle you've been waiting for... the murderer in the internet puzzle at the beginning of the post is the woman! Why? Because she is the only one with "access" to the ladies' room!