Security in an ERP World
by Mark Van Holsbeck, Director of Enterprise Network Security for Avery-Dennison and Jeffrey Z. Johnson, Vice President of Solutions & Services for Oversight Technologies. - Monday, 24 May 2004.
However, about half of all organizations do not configure their ERP system to maintain audit logs because they are concerned about performance degradation and they don't think they need it. Regrettably, these organizations believe IT security only focuses on the layers of traditional perimeter security. In a compromise between security and performance, enterprises can avoid logging every detail of system activity and focus on meaningful information that's relevant to the transaction.

For organizations that do utilize audit logs, system administrators can configure customized audit reports that employ simple logic to identify "outliers" - system transactions that fall outside of normal parameters, such as date and time, location of the user logging into the system and checks larger than a predefined setting.

Not only is it time consuming to customize these reports, but they also produce hundreds of data points that must be processed manually and are invariably riddled with false positives. Each flagged event requires manual human analysis, because the audit reports cannot analyze the event to determine the cause for concern.

Security Failures

When you consider that the average business loses 3 percent to 6 percent of annual revenue due to fraud, most agree that the ERP security features listed above are not working. Worse yet, businesses suffer additional losses through duplicate payment errors. The average enterprise submits duplicate payments for 2 percent of its total accounts payable. Of these duplicate payments, 10 percent are never recovered, which leads to total losses equivalent to 0.2 percent of total accounts payable.

The fact remains that applications remain highly vulnerable to external security threats. Weak passwords can be broken with simple dictionary attacks; buffer overflows can be used to subvert an application and let a hacker in the door. However, some of the most damaging hacks come in the form of social engineering, where users are tricked into freely divulging their credentials. And of course, the real danger of external hackers comes once they enter the system as authorized users with the ability to divert payments for their own benefit.

Most organizations fail in their ERP security efforts because they implement systems with a plan that leaves controls design and implementation until the end of the process. However, ERP projects are invariably over budget and behind schedule, so strict internal controls are often glossed over to keep costs down and make up time.

Some organizations decide against stringent controls because internal controls can introduce process inefficiencies and additional overhead that make it harder for employees to do their jobs.

The biggest drawback of relying on internal controls for ERP security comes from the costly and time-consuming maintenance of those controls. As employees are promoted, reassigned or terminated, organizations must continually update their business systems with each employee's correct authorization level. The advent of new business partners, the creation of new business departments or entry into new markets also requires new or modified procedural rules. Maintenance of the ERP system can turn into a never-ending resource drain.

A recent Gartner audit of several SAP systems noted that "because SAP is used to process financial accounting information including purchasing, accounts payable, accounts receivable, general ledger and human resources, security breaches in these areas could lead to unauthorized, undetected access to confidential financial and employee data." The audit revealed two important points:
  • Duties within the purchasing process have not been adequately segregated. As a result, personnel could gain control of the entire purchasing cycle, resulting in errors, irregularities or fraud.
  • Many users have been granted inappropriate authorities in the Financial Accounting and Controlling modules.
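As an added example that is not from the article, the simple outlier logic of the custom audit reports described earlier (off-hours activity, unexpected location, checks above a threshold), together with a duplicate-payment check and the segregation-of-duties check the audit findings call for, can be expressed over a handful of constructed ERP payment-log records. The field names, thresholds and sample data are assumptions, not from any real ERP system.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ERP audit-log records (not real data): one payment-cycle event each.
# 2004-05-08 is a Saturday; every other date below is a weekday.
AUDIT_LOG = [
    {"id": 1, "user": "alice", "action": "create",  "vendor": "V100", "invoice": "INV-1", "amount": 4200.0,  "ts": "2004-05-03 10:15", "loc": "HQ"},
    {"id": 2, "user": "bob",   "action": "approve", "vendor": "V100", "invoice": "INV-1", "amount": 4200.0,  "ts": "2004-05-03 11:00", "loc": "HQ"},
    {"id": 3, "user": "bob",   "action": "approve", "vendor": "V100", "invoice": "INV-1", "amount": 4200.0,  "ts": "2004-05-10 09:30", "loc": "HQ"},
    {"id": 4, "user": "carol", "action": "create",  "vendor": "V200", "invoice": "INV-7", "amount": 15000.0, "ts": "2004-05-08 23:40", "loc": "REMOTE"},
    {"id": 5, "user": "carol", "action": "approve", "vendor": "V200", "invoice": "INV-7", "amount": 15000.0, "ts": "2004-05-11 14:00", "loc": "HQ"},
]

def flag_outliers(records, max_amount=10000.0, work_hours=(8, 18), known_locations=("HQ", "PLANT2")):
    """Rule-based checks in the style of a custom audit report: each hit is (record id, rule name).
    These are the 'simple logic' rules the text describes; each hit still needs a human to judge it."""
    flags = []
    for r in records:
        ts = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M")
        if ts.weekday() >= 5 or not (work_hours[0] <= ts.hour < work_hours[1]):
            flags.append((r["id"], "off-hours"))
        if r["loc"] not in known_locations:
            flags.append((r["id"], "unknown-location"))
        if r["action"] == "approve" and r["amount"] > max_amount:
            flags.append((r["id"], "large-payment"))
    return flags

def find_duplicate_payments(records):
    """Same vendor and invoice approved more than once is a likely duplicate payment."""
    approvals = defaultdict(list)
    for r in records:
        if r["action"] == "approve":
            approvals[(r["vendor"], r["invoice"])].append(r["id"])
    return {key: ids for key, ids in approvals.items() if len(ids) > 1}

def find_sod_violations(records):
    """One user both creating and approving the same invoice breaks segregation of duties."""
    users_by_action = defaultdict(lambda: defaultdict(set))
    for r in records:
        users_by_action[(r["vendor"], r["invoice"])][r["action"]].add(r["user"])
    return sorted(key for key, acts in users_by_action.items() if acts["create"] & acts["approve"])

if __name__ == "__main__":
    print("outliers:", flag_outliers(AUDIT_LOG))
    print("duplicates:", find_duplicate_payments(AUDIT_LOG))
    print("SoD violations:", find_sod_violations(AUDIT_LOG))
```

Every hit here is a candidate for review rather than a verdict: the off-hours rule, for instance, will flag legitimate month-end work just as readily as misuse, which is the false-positive problem the article describes.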
Continuous Monitoring as the Solution