Will working from home be the new normal? We look at the massive shift COVID-19 brought to our workplaces and identify five SAP security activities that organizations should consider to minimize the risk of the internal threat associated with remote working. If you’d like to know how Soterion can assist you with managing SAP security issues discussed in this presentation please email info@soterion.com or connect with me via LinkedIn. We look forward to assisting you.

1. soterion.com
SOTERION
SAP Security – The
New Normal
Dealing with the Internal Threat of Working
from Home

2. By Dudley Cartwright,
CEO of Soterion, an SAP Governance, Risk and
Compliance security solutions provider

3. New Normal
Stephen McBride, Forbes Magazine contributor and editor of RiskHedge Report,
predicts in his article that the largest cyberattack in history is likely to occur in
the next six months, with the coronavirus laying the groundwork.
McBride explains that the more devices connected to a network, the larger the
number of entry points, making it easier for hackers to access. With so many
people working from home, firms had only days to cobble up remote work plans.
System security planning often did not include planning around masses of
remote workers, or the use of less secure home internet connections.

4. Hackers only need to
gain entry through one
single unsecure point.
Hackers broke into the networks of
America’s largest defense
contractor, Lockheed Martin, by
targeting remote workers. If they
can infiltrate this system, you best
believe remote workers with little
security are easy pickings, he adds.

5. New Normal - Hackers
In the past couple of months, hackers have targeted
the US Department of Health. And attacks against the
World Health Organization have more than doubled.
Cyber intelligence firm CYFIRMA revealed cyberthreats
related to coronavirus shot up 600% from February to
March 2020. It’s only a matter of time before we hear
about a major cyber breach, he says.

6. New Normal - Hackers
In his recent article Reza Rassuli, SDA Inc. CEO and SAP technical advisor
mentions five key cyber threats that enterprises using SAP need to take
seriously and should watch out for in 2020. These are social engineering
attacks, IoT-based attacks, ransomware attacks, internal threats, and
state-sponsored attacks.
He advises SAP users to place emphasis on detecting threats in real-time or
ahead of time before it is too late.

7. Enhanced Cybersecurity
SAP themselves, in a recent
Covid-19 response article, stress
that enhanced cybersecurity is
critical while the World Economic
Forum has warned that
cybercriminals have escalated
their efforts to capitalise on the
unfolding tragedy of Covid-19.

8. In this presentation, we focus on a number of
security activities that an organization should
consider to minimize the risk of the internal
threat associated with remote working.

9. The Risk of Working From Home Should Change the Way
Organizations View Security
There is a significant difference between accessing the SAP system from the
office and from home and therefore opens the door to vulnerabilities. Coupled
with the increased likelihood of a breach (external), work from home is therefore
likely to also increase the chance of a data leak (internal). Some questions do
arise. Will work-from-home change user behaviour? Without having a
supervisor or work colleagues looking over one’s shoulder, will this lead to a
change in user behaviour where users ‘explore’ what they have access to in the
system? Are users going to be more likely to download data onto a memory
stick if there is no one around to see?

10. Remote Working
It is fair to say that when
employees are not in the office
environment, many of them are
likely to behave slightly differently.
Remote working will be the
catalyst for organizations to
embark on SAP security activities
that security professionals have
been advocating for many years.

11. 5 SAP Security Activities Organizations Should Prioritize
in This New Era of Remote Working
1. Appropriate User Access
2. Rule Set Customization
3. Business Accountability of Risk
4. User Access Reviews
5. Activate Logging

12. 1. Appropriate User Access
Numerous organizations have
outdated SAP role designs,
where users have been assigned
inappropriate access over the
years in relation to their actual
job function. To minimize the risk
of both a breach and leak, it is
imperative that organizations
follow a ‘zero-trust’ approach
and ensure that users are
assigned appropriate access.

13. 2. Rule Set Customization
Many organizations that implement an access risk solution make use of
the standard rule set with minimal or no customization. This is necessary
to ensure the rule set addresses relevant risks in their organization. For
those organizations that do go through a rule set customization project,
many do not review (edit/update/adjust) the rule set again after the
initial project. With the increased risk caused by remote working,
organizations should place more emphasis on customizing the standard
rule set to ensure that the rule set covers risks applicable to their
organization, including data privacy risks.

14. 3. Business
Accountability of Risk
Organizations struggle with business
buy-in and a lack of accountability in
access risk from the business. This is
often caused by a lack of
understanding of the risks and their
impact on the organization should it
occur. When the business does not
understand the risks and the impact,
the granting and approving of
inappropriate access is likely to occur.

15. 4. User Access Reviews
The User Access review process requires businesses to
review all users’ SAP access on a periodic basis. Most
organizations perform this on an annual basis. With the
increase in risk caused by remote working, ensuring users
are assigned appropriate access must be done on a more
regular basis. Many organizations will need to start
performing periodic user access reviews, and the frequency
of the reviews is likely to increase to be done bi-annually or
even quarterly.

16. 5. Activate Logging
There are many different types of logging available in SAP that can provide
useful information. Numerous organizations do not activate them due to
performance or space concerns. With the increased risk of remote working, it is
critical that certain categories of logging are activated.
Besides the basic SM20 filters of transaction start, it is advisable to activate
other filters such as generic access to tables (CUZ and DU9) or RFC calls
accessing data in SAP. With data privacy becoming more topical because of
legislation such as GDPR, CCPA and POPIA, having the ability to identify who has
displayed this data becomes crucial and the logging of this information can be
configured by using the Read Access Logging (RAL) functionality in SAP.

17. soterion.com
Thank you
If you’d like to know how Soterion can assist you with
managing SAP security issues discussed in this presentation
please email info@soterion.com.