5 Ignored Practices That Can Disarm Your Cybersecurity Time Bomb

Paul Kurchina in Digital Transformation, Cybersecurity, November 13, 2017

Year after year, data breaches get bigger, messier, and more damaging, and no business or individual is immune. Cyber crime in some form can now reach over half of the world's population, roughly 3.8 billion people, up from 2 billion in 2015; that exposed population will grow to 75 percent as another 2.2 billion people come online by 2022.

Given that risk, consumers are routinely shocked to learn that the companies they trust exposed their data by missing long-available patches, leaving known weaknesses open in their IT architecture, and tolerating weak passwords. A good portion of these incidents are preventable: a single patch applied six weeks late can be enough for attackers to walk off with the records of hundreds of millions of people.

“News headlines warn companies of all sizes that they are putting themselves at risk literally every day,” observed Virtual Forge CEO Markus Schumacher during the ASUG webcast, “Achieving Baseline Security within the SAP Environment.” “If executives fail to implement good controls and ensure that safeguards are in place and effectively used, they are not doing their jobs.”

Tick, Tick, Tick: It’s Time to Take Control of Cybersecurity

Businesses often overlook system configuration, custom code, and transports, even though most executives know the guidelines for keeping their systems secure. A failure in any one of these areas introduces security risk on its own; together they are the most common ways a well-patched SAP landscape still gets compromised.

To address these preventable cybersecurity risks, executives should reconsider five fundamental practices for maintaining the security integrity of IT landscapes.

1. Governance, risk, compliance (GRC) of authorizations

Functional and technical users need to be managed so that each has proper, secure access to the right information, when and where it is needed, and nothing more. GRC considerations include locking down standard users and profiles (for example SAP* and DDIC, and the SAP_ALL profile), segregation of duties, remote function call (RFC) interfaces and their service users, user provisioning and timely decommissioning, data encryption, and the correct use of cryptography. Businesses should also bring their password policies up to current best practice and, where possible, replace passwords with single sign-on.

2. Setup security

The organization and maintenance of the IT landscape, routine as it may sound, has a direct bearing on the security of your systems, data, and brand reputation. Here the IT organization should prioritize installing all security patches, monitor security-relevant settings continuously on every system, secure RFC and all other interfaces, and encrypt traffic end to end rather than only at the network edge.

3. Security of custom code

Because companies differ in how they operate, serve customers, and approach their industry, every IT landscape carries one or more applications with custom code. The rule for a secure software development lifecycle is to scan all custom and third-party code early and often, while it is still cheap to fix. Once an exposure is found, the IT department should assess its risk and resolve it promptly rather than letting it ride to the next release.
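To make "scan early and often" concrete, here is an added example of the kind of check a custom-code scan performs. It is not code from the article or from Virtual Forge's product; the three rules are illustrative, and the two ABAP programs are constructed for the demo (one statement per line, a simplification the scanner relies on). It flags a dynamic WHERE clause built from a screen parameter (SQL injection), a CALL 'SYSTEM' kernel call (OS command execution), and a database update in a program that performs no AUTHORITY-CHECK at all, then shows the same report after hardening producing no findings.

```python
"""Scan custom ABAP for a few high-signal defect patterns before it moves on.

Added example, not code from the article or from Virtual Forge's scanner. The
three rules are illustrative, and the ABAP sources are constructed for the
demo (one statement per line, a simplification the scanner relies on).
"""
import re
from typing import Dict, List

# Constructed custom report with three findings. Not real customer code.
VULNERABLE_ABAP = """\
REPORT z_mat_lookup.
PARAMETERS p_matnr TYPE matnr.
PARAMETERS p_cmd TYPE string.
DATA lt_mara TYPE TABLE OF mara.
DATA lv_cond TYPE string.
* dynamic WHERE clause spliced together from a screen parameter
lv_cond = 'MATNR = ''' && p_matnr && ''''.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_cond).
* operating-system command taken straight from the user
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.
UPDATE mara SET mtart = 'FERT' WHERE matnr = p_matnr.
"""

# The same report after the fixes: static WHERE, no kernel call, authority check.
HARDENED_ABAP = """\
REPORT z_mat_lookup.
PARAMETERS p_matnr TYPE matnr.
DATA lt_mara TYPE TABLE OF mara.
AUTHORITY-CHECK OBJECT 'M_MATE_MAT' ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.
  RETURN.
ENDIF.
SELECT * FROM mara INTO TABLE lt_mara WHERE matnr = p_matnr.
UPDATE mara SET mtart = 'FERT' WHERE matnr = p_matnr.
"""


def scan_abap(source: str) -> List[Dict[str, object]]:
    """Return findings as dicts with line, severity and message, in source order."""
    findings: List[Dict[str, object]] = []
    # Taint set: screen parameters, plus variables later assigned from tainted values.
    tainted = set()
    has_auth_check = "AUTHORITY-CHECK" in source.upper()
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("*", '"')):  # blank or comment line
            continue
        up = line.upper()  # ABAP keywords and names are case-insensitive

        m = re.match(r"PARAMETERS\s+(\w+)", up)
        if m:
            tainted.add(m.group(1))
            continue

        # Simple forward taint propagation:  x = ... <tainted name> ... .
        m = re.match(r"(\w+)\s*=\s*(.+)\.$", up)
        if m and any(re.search(rf"\b{t}\b", m.group(2)) for t in tainted):
            tainted.add(m.group(1))

        # Rule 1: dynamic WHERE clause; HIGH when the condition variable is tainted.
        m = re.search(r"\bWHERE\s*\(\s*(\w+)\s*\)", up)
        if m:
            var = m.group(1)
            if var in tainted:
                findings.append({"line": no, "severity": "HIGH",
                                 "message": f"SQL injection: dynamic WHERE clause {var} is built from user input"})
            else:
                findings.append({"line": no, "severity": "MEDIUM",
                                 "message": f"dynamic WHERE clause {var}: confirm its source is not user-controlled"})

        # Rule 2: legacy kernel call that runs an arbitrary OS command.
        if re.search(r"\bCALL\s+'SYSTEM'", up):
            findings.append({"line": no, "severity": "HIGH",
                             "message": "CALL 'SYSTEM' runs an OS command; use a predefined external command (SM69) with fixed arguments"})

        # Rule 3: database write in a program that never checks authorization.
        if re.match(r"UPDATE\s+\w+\s+SET\b", up) and not has_auth_check:
            findings.append({"line": no, "severity": "MEDIUM",
                             "message": "database update without any AUTHORITY-CHECK in the program"})
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_ABAP), ("hardened", HARDENED_ABAP)):
        print(f"{label}:")
        for f in scan_abap(src) or [{"line": "-", "severity": "OK", "message": "no findings"}]:
            print(f"  line {f['line']:>2} {f['severity']:<6} {f['message']}")
```

Run stand-alone, it prints three findings for the vulnerable report and none for the hardened one. The taint tracking is deliberately shallow (no cross-statement data flow beyond straight assignment), which is exactly why a real scanner must run on every change rather than once before go-live: each new assignment path is another chance for a parameter to reach a dynamic clause unnoticed.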

4. Infrastructure security

Attackers frequently go after the operating system (OS) and database (DB) underneath an SAP system first, because these layers are often less carefully hardened than the application above them. It is therefore important to patch and update the OS and the DB without undue delay and to enforce strong password practices for this layer too. In addition, profile parameters should be continuously monitored and controlled, as should SAProuters, Web Dispatchers, gateways, and Java systems.
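Both the "monitor security settings continuously" point under setup security and the "profile parameters should be continuously monitored" point here come down to the same routine check: compare what the system actually runs against a baseline and report every deviation. The following added example (not code from the article or from Virtual Forge) does that for a handful of real SAP NetWeaver ABAP profile parameters. The expected values are one reasonable hardening baseline and are an assumption to adapt to your own standard; the two profile exports are constructed for the demo and show a weak configuration beside its hardened counterpart.

```python
"""Check an SAP profile-parameter export against a small security baseline.

Added example, not code from the article or from Virtual Forge. The parameter
names are real SAP NetWeaver ABAP profile parameters; the expected values are
one reasonable hardening baseline (an assumption to adapt to your own standard).
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample of a weak profile in "parameter = value" form, the shape
# you get from a profile file or an RZ11/RSPARAM export. Not from a real system.
WEAK_PROFILE = """\
# DEFAULT.PFL (constructed sample)
login/min_password_lng = 6
login/fails_to_user_lock = 99
login/no_automatic_user_sapstar = 0
login/password_expiration_time = 0
snc/enable = 0
rfc/callback_security_method = 1
gw/acl_mode = 0
"""

# The same profile after hardening (also constructed).
HARDENED_PROFILE = """\
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
login/password_expiration_time = 90
login/password_downwards_compatibility = 0
snc/enable = 1
rfc/callback_security_method = 3
gw/acl_mode = 1
"""

# (parameter, predicate on the numeric value, expected value in words, why it matters)
Rule = Tuple[str, Callable[[int], bool], str, str]
BASELINE: List[Rule] = [
    ("login/min_password_lng", lambda v: v >= 8, ">= 8",
     "a short minimum length allows trivially guessable passwords"),
    ("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "1..5",
     "a high lock threshold leaves room for online password guessing"),
    ("login/no_automatic_user_sapstar", lambda v: v == 1, "1",
     "0 re-enables the hard-coded SAP* fallback logon when the SAP* user record is deleted"),
    ("login/password_expiration_time", lambda v: 1 <= v <= 90, "1..90",
     "0 means passwords never expire"),
    ("login/password_downwards_compatibility", lambda v: v == 0, "0",
     "values above 0 keep weak legacy hash formats that are fast to crack offline"),
    ("snc/enable", lambda v: v == 1, "1",
     "without SNC, DIAG and RFC traffic crosses the network unencrypted"),
    ("rfc/callback_security_method", lambda v: v == 3, "3",
     "below 3, RFC callbacks from a remote system are logged at most, not blocked"),
    ("gw/acl_mode", lambda v: v == 1, "1",
     "0 means a missing secinfo/reginfo file imposes no gateway access restriction at all"),
]


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, blank lines are ignored."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_profile(text: str) -> List[Dict[str, str]]:
    """Return one finding per baseline parameter that is missing or outside the baseline."""
    params = parse_profile(text)
    findings: List[Dict[str, str]] = []
    for param, is_ok, expected, why in BASELINE:
        raw = params.get(param)
        if raw is None:
            # Unset means the kernel default applies, which is rarely the hardened value.
            findings.append({"param": param, "value": "(not set)", "expected": expected, "why": why})
        elif not re.fullmatch(r"-?\d+", raw):
            findings.append({"param": param, "value": raw, "expected": expected,
                             "why": "non-numeric value, review manually"})
        elif not is_ok(int(raw)):
            findings.append({"param": param, "value": raw, "expected": expected, "why": why})
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = check_profile(profile)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['param']} = {f['value']} (expected {f['expected']}): {f['why']}")
```

Note that a parameter that is simply absent is reported as a finding, not silently accepted: the kernel default fills the gap, and for several of these parameters the default is the weak value. Scheduling a check like this against every instance, and diffing its output over time, is what "continuous monitoring" of profile parameters means in practice.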

5. Change management

Across development, testing, and production, companies must move code between systems without giving an intruder the chance to tamper with it or corrupt it. Whether it comes from an internal team or an external supplier, every transport should be inspected before it passes to the next stage of the release process; otherwise preventable risks are carried straight into the target system. It is equally important to encrypt the transport communication paths and to restrict them to the routes the business actually needs.

Attention to the Fundamentals of IT Integrity Defuses Preventable Exposure

Unaddressed system vulnerabilities are a ticking time bomb, and neglecting any one aspect of cybersecurity puts everyone at risk. For the good of the business, its employees, its customers, and the wider economy, executives need to rethink their cybersecurity strategies now, before a preventable breach and its consequences force the issue.

For more insights into securing your SAP software investments and strategy, watch the replay of the ASUG webcast, “Achieving Baseline Security within the SAP Environment,” featuring Virtual Forge CEO Markus Schumacher.