Our most recent blog on GDPR was one of our most popular to date. In the post, we explored what these impending changes mean and unpacked the business implications of these updated rules and requirements for protecting the data of your customers from the European Union.
The next logical question for SAP Business One customers is, "How do I make sure that my SAP Business One deployment is protected against unauthorized access, both benign and malicious?" The answer to that question is not only technical, but also tied to your business processes and company culture.
The Technical Aspects of Data Protection
In many respects, this is the easiest part of data protection to address, as there are well-defined best practices to follow when using Microsoft SQL Server or SAP HANA. In fact, across almost every aspect of information technology, these best practices begin with two primary rules:
- Always apply the latest security patches and system updates. Do not ignore those "annoying" reminders—you'll wish you hadn't when you are hit with a malware, ransomware, or security attack.
- Ensure you are running anti-malware, spyware, and virus-protection software and that it has up-to-date detection signatures.
Next, the challenge with your deployment is balancing security needs against staff access and ease of use for your end users. This balancing act can be particularly challenging when it comes to passwords.
Passwords – Part One
Passwords should be eight characters, at minimum. They should also include a mix of upper and lower case letters, as well as numbers and non alpha-numeric characters (#@!%&, etc.). You should also require passwords to be changed every 90 days and not allow reuse of the most recent three.
SAP Business One Cloud makes this easier to manage as it supports Single Sign On, also known as SSO, as does switching on Domain Authentication in SAP Business One—this ties the password to the Windows user name and password—and setting these password rules via Windows Group and Security Policies is much easier to manage.
If you are not using SAP Business One Cloud or have not switched on the option for Windows Authentication, you can still control SAP Business One password policies via the Setup | General | Security | Password Administration option.
As a side tip: If you can, deploy a self-service tool that securely allows users to reset their own lost passwords, otherwise you will be forever changing passwords for your users.
Encryption
The second area to focus on is encryption, ensuring that all data traffic where customer information and passwords are transmitted is secured and encrypted. With so much usage of the web and web applications to share and transfer data, you will need to encrypt all your web pages with SSL Certificates.
I covered this process a few months back, in a blog on securing your SAP Business One infrastructure with SSL Certificates . In short, you obtain a wildcard SSL Certificate that can then be used with SAP HANA, B1i, the SAP Business One Web Client, as well as SQL Server.
You can even go to two-factor authentication: a combination of a user name and a single-use code generated with an application, via an SMS message or via a tag, that generates a new code every 60 seconds.
Firewalls and TCP/IP Ports
Finally, you can also look at changing the ports that your applications communicate over. SQL Server uses port 1433, but it can be changed to another port of your choosing; this is about reducing the application "surface area" where your data can be attacked.
As a rule, you need to look at how much of a target your business is based on your profile and secure accordingly. For smaller businesses, the complexity of all this can be challenging, hence why so many businesses are now moving to the cloud where all these options are available as standard components.
Culture and Business Process
After the technical aspects, we are left with what is often the weakest link in any security; unfortunately, that's you and I—people.
Studies have shown that the majority of major security breaches are the result of a failure to adequately educate people inside organizations about the right and wrong ways of protecting data and security.
Passwords – Part Two
Let's revisit passwords one more time.
There is no one more observant about maintaining password security than the person who has been hacked. Of course, by that point, it's too late.
The good news is that there are three core rules to follow and you will address some of the major sources of breaches.
- Never share your password with anyone that you do not know; and if you have to, then change it immediately afterwards.
- Do not write passwords down. Use a Password Manager application that encrypts and protects your passwords—I use an app called LastPass.
- Always lock your computer when you are not using it—with Windows, a simple Ctl-Alt-Del will bring up the lock option.
Take a look at this post from last year that also has a webcast I recorded with other hints and tips on managing security in a cloud-enabled world.
Social Engineering and Reducing the Risk of Attack
Also make sure that your people are aware of social engineering, both what it is and how it is used to trick people into revealing passwords or other information hackers can use to infiltrate systems. (We covered this briefly in a previous blog, along with an infographic and helpful webcast.)
Some of the countermeasures that organizations can take to prevent social engineering-based attacks and reduce security risks include:
Standard Frameworks: Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel on when/where/why/how sensitive information should be handled)
Information Review: Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems (building, computer system, etc.)
Security Protocols: Establishing security protocols, policies, and procedures for handling sensitive information.
Training Employees: Training employees in security protocols relevant to their position. (e.g., in situations such as tailgating, if a person's identity cannot be verified, then employees must be trained to politely refuse.)
Event Testing: Performing unannounced, periodic tests of the security framework.
Inoculation: Preventing social engineering and other fraudulent tricks or traps by instilling a resistance to persuasion attempts through exposure to similar or related attempts.
Regular Reviews: Reviewing the above steps regularly: no solutions to information integrity are perfect.
Secure Waste Management: Using a waste management service that has dumpsters with locks on them, with keys to them limited only to the waste management company and the cleaning staff. Locating the dumpster either in view of employees so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence where the person must trespass before they can attempt to access the dumpster.
Prevention vs. Cure
In summary, maintaining secure information systems that are resistant to hacking requires a combination of technology- and people-based tools and processes. With the increasing risk of attack, as well as the associated penalties and damage these breaches cause, it is clear that an ounce of prevention is much better than a pound of cure.
Photos purchased from iStockphoto.