Most organizations fail in their ERP security efforts because they implement systems with a plan that leaves controls design and implementation until the end of the process. However, ERP projects are invariably over budget and behind schedule, so strict internal controls are often glossed over to keep costs down and make up time.
Some organizations decide against stringent controls because internal controls can introduce additional overhead by making it hard for employees to do their jobs with process inefficiencies.
The biggest drawback of relying on internal controls for ERP security comes from the costly and time-consuming maintenance of those controls. As employees are promoted, reassigned or terminated, organizations must continually update their business systems with each employee's correct authorization level. The advent of new business partners, the creation of new business departments or entry into new markets also requires new or modified procedural rules. Maintenance of the ERP system can turn into a never-ending resource drain.
A recent Gartner audit of several SAP systems noted that "because SAP is used to process financial accounting information including purchasing, accounts payable, accounts receivable, general ledger and human resources, security breaches in these areas could lead to unauthorized, undetected access to confidential financial and employee data." The study audit revealed two important points:
- Duties within the purchasing process have not been adequately segregated. As a result, personnel could gain control of the entire purchasing cycle, resulting in errors, irregularities or fraud.
- A lot of users have been granted inappropriate authorities in the Financial Accounting and Controlling modules.
According to Matthew Kovar at Yankee Group, the 'inside threat' causes the greatest real losses in corporations and governments today. "Detecting inappropriate application activity committed by authorized users represents the 'next frontier' in information security."
After recognizing the significant business risks and inadequacies of relying upon the built-in controls of business applications, leading businesses and government organizations are now deploying continuous transaction and incident monitoring to detect, prevent and deter financial loss from systems-based fraud, misuse and errors.
The concept of continuous transaction and incident monitoring goes above simple procedural rules and transaction logs to incorporate advanced analysis to identify irregular transactions and determine if the transaction is indicative of fraud, misuse or error.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.