I guess mom is always right: We should never trust a stranger. Unfortunately, most of us don’t heed this advice when exchanging sensitive personal data and interacting freely across wireless and digital communication channels. From stolen intellectual property and customer data to operation shutdowns that leave people vulnerable, news headlines are giving us every reason to reconsider our false sense of security in the digital technology we use.
In fact, the World Economic Forum's Global Risks Report 2018 ranks cyberattacks as the third-likeliest risk, behind data fraud and theft. And as digital strategies become more sophisticated with emerging technology, malicious actors are stepping up their efforts to extract as much value as possible away from brand reputations, consumer trust, public safety, and entire economies.
This isn’t a reality that companies should ever accept. During ASUG’s webcast Ten Best Practices to Mitigate Risk to Your SAP System, Justin Somaini, chief security officer at SAP, and Ming Chang, Americas’ regional lead for Cloud Information Security Awareness at SAP, shared which common mistakes needlessly increase cybersecurity risks and how organizations can combat them immediately.
Risks That Turn Your IT Landscape into a Hacker's Gold Mine
For years, IT security has earned a reputation for being costly and hampering operational progress. According to Justin Somaini, however, security is actually a deciding factor that can dictate the future success of every company.
After learning from decades of experiences in helping, supporting, and engaging customers to build their digital landscapes and advance their brands, Somaini shared the top security risks that first emerge during most implementations:
Risk 1: Limited configuration security: Primarily, the base configuration that companies implement lack encryption and proper hashing of passwords.
Risk 2: Little to no attention to patch management: This poor habit is particularly problematic when managing systems that are critical to core business systems.
Risk 3: Increased attack surface for remote function call (RFC) communication: Although RFC communication may have been set up to allow business systems to talk to each other, it is possible that access rights to the landscape may have become excessive over time and are performing with a limited scope.
Risk 4: Inconsistent encryption enablement: While most organizations focus on encryption within a system, it is equally important to address this level of enablement between systems. This includes consoles connecting back to the core business system.
Risk 5: Weakness in code security: All too often, user-developed code hasn’t been reviewed and analyzed to make sure that it is "vulnerability free."
Each one of these weaknesses can pose risks to connected systems that, although unintended, can counterproductively obscure any efforts in improving services, driving innovation, creating prosperity, and tackling some of the industry’s top priorities.
Top 10 Areas to Close Your Security Gaps
Although spending on business systems and data security is increasing, there’s a question of whether these investments are going far enough. Most companies choose to concentrate on traditional and converged IT infrastructure security, such as firewalls. Yet Ming Chang suggested that IT organizations must go even further.
Chang said that businesses can strengthen their cybersecurity capabilities by addressing 10 key focus areas:
Area 1: Network security: Define a network concept with clearly structured and different zones, separate high-security areas, and determine dedicated servers and administrative roles.
Area 2: Operating system and database security: Implement restrictive database-access mechanisms and dedicated security requirements for all operating systems.
Area 3: Front-end security: Deploy security configuration for both clients and mobile endpoints while activating administrator rules and access-control lists.
Area 4: Custom code security: Establish custom-code lifecycle management processes and use security source-code scanning tools to identify vulnerabilities hidden in programs.
Area 5: Secure maintenance of code: Update software regularly and review monthly Common Vulnerabilities and Exposures (CVE) disclosures to assess risks to the digital landscape.
Area 6: Secure configuration: Address all gaps in password security, authentication, data encryption, and communication connections.
Area 7: Communication security: Use encrypted communication such as secure sockets layer (SSL), transports layer security, or secure network communications. And secure RFC connectivity.
Area 8: Security audit log: Monitor all systems and activate the security audit log and filters for critical users.
Area 9: User authorizations: Build security awareness and clearly define and manage user authorizations.
Area 10: Emergency concept: Define emergency, backup, and disaster recovery concepts to ensure business continuity. Prepare end-to-end fallback systems for critical processes and applications.
By following these best practices, companies can better safeguard their digital systems, data, and customers from the perils of cyber threats. This natural progression from threat reaction to threat detection and prevention enables organizations to enhance not only the protection of applications, but also the overall performance of the business.
To get the full story on these 10 tips, listen to our recorded webcast, Ten Best Practices to Mitigate Risk to Your SAP System.