SAP Security – The New Normal – Dealing with the Internal Threat of Working from Home

By Dudley Cartwright, CEO of Soterion, an SAP Governance, Risk and Compliance security solutions provider

Stephen McBride, Forbes Magazine contributor and editor of RiskHedge Report, predicts in his article that the largest cyberattack in history is likely to occur in the next six months, with the coronavirus laying the groundwork.

McBride explains that the more devices connected to a network, the larger the number of entry points, and the easier it is for hackers to gain access. With so many people working from home, firms had only days to cobble together remote work plans. System security planning often did not include planning for masses of remote workers, or for the use of less secure home internet connections. Hackers only need to gain entry through one single unsecured point.

Hackers broke into the networks of America’s largest defense contractor, Lockheed Martin, by targeting remote workers. If they can infiltrate this system, you best believe remote workers with little security are easy pickings, he adds.

In the past couple of months, hackers have targeted the US Department of Health. And attacks against the World Health Organisation have more than doubled.

Cyber intelligence firm CYFIRMA revealed cyberthreats related to coronavirus shot up 600% from February to March. It’s only a matter of time before we hear about a major cyber breach, he says.

In a recent article, Reza Rassuli, SDA Inc. CEO and SAP technical advisor, lists five key cyber threats that enterprises using SAP need to take seriously and watch out for in 2020: social engineering attacks, IoT-based attacks, ransomware attacks, internal threats, and state-sponsored attacks. He advises SAP users to place emphasis on detecting threats in real time, or ahead of time, before it is too late.

SAP themselves, in a recent Covid-19 response article, stress that enhanced cybersecurity is critical, while the World Economic Forum has warned that cybercriminals have escalated their efforts to capitalise on the unfolding tragedy of Covid-19.

In this article, we focus on a number of security activities that an organisation should consider to minimise the risk of the internal threat associated with remote working.

The heightened security risk of working from home, the ‘new normal’, should change the way organisations view security.

Accessing the SAP system from home differs significantly from accessing it from the office, and that difference opens the door to vulnerabilities. Coupled with the increased likelihood of an external breach, working from home is therefore also likely to increase the chance of an internal data leak.

Some questions do arise. Will work-from-home change user behaviour? Without having a supervisor or work colleagues looking over one’s shoulder, will this lead to a change in user behaviour where users ‘explore’ what they have access to in the system? Are users going to be more likely to download data onto a memory stick if there is no one around to see?

It is fair to say that when employees are not in the office environment, many of them are likely to behave slightly differently. Remote working will be the catalyst for organisations to embark on SAP security activities that security professionals have been advocating for many years.

Five SAP security activities that organisations should place more importance on in this new era of remote working:

1. Appropriate user access:
Numerous organisations have outdated SAP role designs, where users have been assigned inappropriate access over the years in relation to their actual job function. To minimise the risk of both a breach and leak, it is imperative that organisations follow a ‘zero-trust’ approach and ensure that users are assigned appropriate access.

2. Rule set customisation:
Many organisations that implement an access risk solution make use of the standard rule set with minimal or no customisation. Customisation is necessary to ensure the rule set addresses the risks relevant to their organisation. Of the organisations that do go through a rule set customisation project, many do not review (edit, update or adjust) the rule set again after the initial project. With the increased risk caused by remote working, organisations should place more emphasis on customising the standard rule set to ensure that it covers the risks applicable to their organisation, including data privacy risks.

3. Business Accountability of risk:
Organisations struggle with business buy-in and with a lack of accountability for access risk on the business side. This is often caused by a lack of understanding of the risks and of their impact on the organisation should they occur. When the business does not understand the risks and their impact, inappropriate access is likely to be granted and approved.

4. User Access Reviews:
The user access review process requires the business to review all users’ SAP access on a periodic basis. Most organisations perform this annually. With the increase in risk caused by remote working, ensuring that users are assigned appropriate access must be done more regularly. Many organisations will need to start performing periodic user access reviews, and the frequency of those reviews is likely to increase to every six months or even quarterly.

5. Activate Logging:
There are many different types of logging available in SAP that can provide useful information. Numerous organisations do not activate them due to performance or space concerns. With the increased risk of remote working, it is critical that certain categories of logging are activated.

Besides the basic SM20 (Security Audit Log) filter for transaction starts, it is advisable to activate other filters, such as generic access to tables (message IDs CUZ and DU9) and RFC calls that access data in SAP. With data privacy becoming more topical because of legislation such as GDPR, CCPA and POPIA, the ability to identify who has displayed personal data becomes crucial. Logging of this display access can be configured using the Read Access Logging (RAL) functionality in SAP.
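As an added illustration of the point above (example code, not from the article or from Soterion), the following Python flags generic-table-access events (Security Audit Log message IDs CUZ and DU9) raised from terminals outside corporate address ranges. It assumes a simplified, constructed record layout rather than the real SM20 export format, and the corporate network ranges, sensitive-table list and sample records are placeholders.

```python
from ipaddress import ip_address, ip_network

# Placeholders (assumptions): each organisation defines its own office address
# ranges and its own list of tables holding personal or otherwise sensitive data.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]
SENSITIVE_TABLES = {"PA0002", "PA0008", "LFA1", "KNA1"}  # HR master, pay, vendor, customer
# Security Audit Log message IDs named in the article: generic table access
# directly (DU9) and through an RFC call (CUZ).
TABLE_ACCESS_MSGS = {"DU9": "generic table access", "CUZ": "generic table access via RFC"}

def parse_event(line):
    """Split one record of the constructed layout used here (not the real SM20 export):
    date|time|user|terminal_ip|msg_id|object|activity. object is the table name for
    CUZ/DU9 (the transaction code for AU3); activity 03 is display, 02 is change."""
    date, time, user, ip, msg_id, obj, activity = line.strip().split("|")
    return {"date": date, "time": time, "user": user, "ip": ip,
            "msg_id": msg_id, "object": obj, "activity": activity}

def is_remote(ip):
    """True when the terminal address lies outside every corporate range."""
    addr = ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)

def flag_table_access(lines):
    """Return (user, table, via, severity) for each CUZ/DU9 event raised from a
    non-corporate address. A change, or a display of a sensitive table, from
    outside the office is the data-leak case the article describes and is rated
    HIGH; any other remote generic table read is rated MEDIUM for review."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["msg_id"] not in TABLE_ACCESS_MSGS or not is_remote(ev["ip"]):
            continue  # transaction starts (AU3) and office-network reads are not findings
        high = ev["activity"] != "03" or ev["object"] in SENSITIVE_TABLES
        findings.append((ev["user"], ev["object"], TABLE_ACCESS_MSGS[ev["msg_id"]],
                         "HIGH" if high else "MEDIUM"))
    return findings

# Constructed sample records; addresses are documentation ranges, users are invented.
CONSTRUCTED_LOG = [
    "20200415|081502|JSMITH|10.1.4.22|DU9|LFA1|03",       # office read: not flagged
    "20200415|091210|JSMITH|203.0.113.7|DU9|PA0008|03",   # home IP, pay data display
    "20200415|091455|JSMITH|203.0.113.7|DU9|T001|03",     # home IP, non-sensitive table
    "20200415|101801|RFCBATCH|198.51.100.9|CUZ|KNA1|02",  # RFC change from outside
    "20200415|110000|ADAMS|192.168.10.5|AU3|SE16|",       # transaction start, not a table event
]

for user, table, via, severity in flag_table_access(CONSTRUCTED_LOG):
    print(f"{severity:6} {user:9} {table:7} {via}")
```

In practice the terminal address would come from the audit log's terminal field or from the VPN concentrator's session records, and the sensitive-table list from the organisation's data classification.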

If you’d like to know how Soterion can assist you with managing the SAP security issues discussed in this article, please email [email protected]. We look forward to assisting you.

Read more about our offerings: Soterion’s GRC modules include Access Risk Manager, Basis Review Manager, Elevated Rights Manager, Periodic Review Manager, Password Self-Service and SAP Licensing Manager.