Although there are many process improvements,
cross-departmental integration and business efficiencies SAP’s ERP can add to
IVK, there are common security risks related primarily to implementation and
management of data. The image below visually depicts some of the risk
categories as identified by Winnie Chu, 2011.
(Chu, 2011)
Given the recent DoS breach at IVK, an ERP purchase and implementation should receive heightened security attention to better protect customer and company data. IVK will have to understand and manage the risk associated with its outdated and unsupported software, external reporting, loss of data control, and data loss due to the termination of the Netifects relationship. Data risk will affect IVK in the form of brand credibility and compliance. Failure to comply with the security standards for lending set by the SEC and other regulators can cause financial burden as well as negative publicity that would reduce brand credibility and preference. Delayed updates can leave software vulnerabilities unpatched, which means IVK should allocate more IT budget to the system to keep it secure.
Using packaged, third-party SCM, CRM, and ERP software typically requires adopting a very specific way of doing business. Firms that buy and install packaged software usually have the option of integrating legacy software, but organizations adopting SaaS may find they are forced into adopting new versions. This fact is important because any radical change in a SaaS system's user interface or functionality might result in unforeseen training costs or increase the chance that a user makes an error (Gallaugher, 2014).
Securing customers' data is not only the right thing to do but is also required by law. A privacy breach exposes a company to substantial penalties, from fines to incarceration. The Federal Trade Commission can impose, and has imposed, fines of hundreds of millions of dollars on companies for failing to implement required security measures when handling client information ("Consider Privacy Issues," 2012). Firms should audit their risks, use simple protections such as a privacy policy, and ask questions like: is the data warehousing secure?
There are potential risks associated with integrating a new ERP system. Sayana identified some of the major issues in an article published in System and Control's Journal; these risks are listed below:
- Who has access to the database, and the number of points of entry to the ERP
- Since there is usually one database, controls should be in place to ensure the accuracy and security of the data. Because the database can be accessed both at the user level and at the operating-system level, companies should be concerned about who can submit to and alter it.
- Remote access to information, applicable to employees and vendors using the cloud
- Personal data and the associated identity-theft concerns
Generally, companies are obligated to:
- Secure personal information from unauthorized access, protect it throughout its life cycle, and ensure its effective destruction when it is no longer required
- Cater to the rights of the subject about whom data has been gathered, processed and stored
- Not use personal information for purposes other than those for which it was gathered or maintained (Sayana, 2004)
Enterprise systems and ERP software vendors are taking security issues very seriously, and for alarming reasons, based on the statistics presented at the RSA Conferences in 2013 and 2014. At those conferences, leading experts such as Mariano Nunez, CEO of Onapsis Inc., and Alexander Polyakov of ERPScan reported that 95% of the ERP systems they analyzed, covering the two dominant vendor platforms, SAP and Oracle, were vulnerable to attacks that would let a cyber-attacker take full control of the business. They also found that for 100% of these systems, information related to the vulnerabilities had been in the public domain for more than 5 years (Polyakov).
Many companies believe that if they have an ERP Security Team or put Segregation of Duties controls in place they are addressing these risks. According to Nunez at the 2014 RSA Conference, only 5% of the systems that were evaluated even had their basic Security Audit Log enabled. According to Holsbeck and Johnson on the hosted docs website, "organizations do not configure their ERP system to maintain audit logs because they are concerned about performance degradation and they don't think they need it". It comes down to a compromise between security and performance. It is also time-consuming to customize all the reports that are needed. Even organizations with the log enabled cannot detect all attacks on the technical layer. There is also the possibility of a disconnect between security teams: the ERP Security Team may not be familiar with hackers, zero-days, or malware, and the Information Security Team may not know anything about the ERP system (Holsbeck).
SAP is now incorporating security measures in its systems to ensure secure data warehousing. As announced in the April 11, 2013 Business Wire release, Onapsis and PwC formed a joint business relationship to provide improved end-to-end security capabilities to SAP customers. SAP is also incorporating double-digit point checks and security measures to keep employee names, addresses, phone numbers, and social security numbers, and, for healthcare ERP systems, patient medical history records, safe and secure. Incorporating security into the initial design of large enterprise software becomes paramount as HR, accounting and the entire organization are bridged together by the ERP system, creating multiple points of access to confidential data and potential areas of vulnerability.
ERP vendors and software developers have to go to great pains to ensure data privacy during implementation. To support a software implementation, a company should prepare a backup site, develop the software, and train its users. A site may manage as many as a dozen clones, each with the same information as the original database, to test systems and failures. Data masking is another process used to mask private information so that it is safe to use for testing and the implementation process. Masking confidential information is currently the most effective way to protect information during the implementation and testing of a new application (Onapsis Inc.). Managers must remember, however, to balance the costs and the risks for their organization, as the surest way to manage risk (though never to eliminate it) is to spend more on security and privacy measures.
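The masking step described above, as an added example that is not code from the original post, SAP or Onapsis: it pseudonymizes the employee fields the post names (name, phone, social security number) in a cloned table, keyed with HMAC so the same real value maps to the same fake value in every clone while the real value cannot be recovered without the key. The records, name pools and key are constructed for illustration.

```python
import hmac
import hashlib
import re

# Constructed sample records (not real people) standing in for a production clone.
SAMPLE_EMPLOYEES = [
    {"id": 1001, "name": "Alice Johnson", "ssn": "123-45-6789",
     "phone": "415-555-0134", "email": "alice.johnson@example.com"},
    {"id": 1002, "name": "Bob Smith", "ssn": "987-65-4321",
     "phone": "212-555-0198", "email": "bob.smith@example.com"},
]
# Constructed name pools used to build plausible but fictitious names.
GIVEN = ["Avery", "Blake", "Casey", "Drew", "Emery", "Finley", "Harper", "Jordan"]
FAMILY = ["Adler", "Brook", "Carver", "Dalton", "Ellis", "Ford", "Gray", "Hale"]
PII_FIELDS = ("name", "ssn", "phone", "email")

def _digest(key: bytes, field: str, value: str) -> bytes:
    # The field name is mixed in so the same string in two columns masks differently.
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()

def _pseudo_digits(digest: bytes, original: str) -> str:
    # Derive a digit string of the same length; never hand back the original digits.
    want = re.sub(r"\D", "", original)
    out = "".join(str(b % 10) for b in digest[:len(want)])
    if out == want:
        out = str((int(out[0]) + 1) % 10) + out[1:]
    return out

def mask_record(rec: dict, key: bytes) -> dict:
    """Return a copy of rec with PII replaced by format-preserving pseudonyms."""
    d = _digest(key, "name", rec["name"])
    given, family = GIVEN[d[0] % len(GIVEN)], FAMILY[d[1] % len(FAMILY)]
    ssn = _pseudo_digits(_digest(key, "ssn", rec["ssn"]), rec["ssn"])
    phone = _pseudo_digits(_digest(key, "phone", rec["phone"]), rec["phone"])
    return {
        "id": rec["id"],  # non-PII key kept unchanged so joins still work in test
        "name": f"{given} {family}",
        "ssn": f"{ssn[:3]}-{ssn[3:5]}-{ssn[5:]}",
        "phone": f"{phone[:3]}-{phone[3:6]}-{phone[6:]}",
        "email": f"{given.lower()}.{family.lower()}@test.example",
    }

def mask_clone(records: list, key: bytes) -> list:
    # Mask every row of a cloned table with the same key so cross-clone joins hold.
    return [mask_record(r, key) for r in records]

def leaked_fields(original: dict, masked: dict) -> list:
    """Verification check: PII fields that survived masking unchanged."""
    return [f for f in PII_FIELDS if original[f] == masked[f]]
```

Run `leaked_fields` over every row before a clone leaves the controlled environment; the key itself must stay out of the test systems, otherwise the mapping is reversible by anyone with the clone.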
From: http://sapinfrastructureintegration.blogspot.com/2014/06/negative-roi-when-considering-sap-hana.html