Despite the fact that cyberattacks are on the increase, many enterprises have still not elevated IT security to a boardroom topic. Yet cybercrime is not the only source of threat: Companies also need to wake up to the often-neglected “danger from within.”
Businesses are spending millions on IT technology to protect against data loss and fend off hacker attacks. But managing directors and IT bosses still tend to forget about the number-one weak point in any company – its employees. It happens time and again: one phone call, one friendly inquiry, and a potential attacker is already a step further to getting hold of sensitive or confidential information.
Think back to the last time you approached a glass door with a brief case in one hand and a cup of coffee in the other. There was no shortage of helpful employees ready to open the door for you, right? Did they ask to see your ID? Of course not. And that’s all it takes for someone armed with a USB flash drive and malicious intentions to smuggle themselves onto a company’s premises.
IT Security: Not a Top Priority
That’s just one example of how little relevance is accorded to the topic of security in many companies today. In a global survey of 237 enterprises, Accenture compared the security stance of organizations it describes as “leaders,” or leapfrog” companies, with those who still have ground to make up, namely the “static” companies, or “laggards.” The result: For a majority (69%) of leapfrog companies, security is a business-critical priority — 63% align their security objectives with their business objectives and 70% have a clearly defined security strategy in place. In contrast, the results for the “static” companies are between 15 and 24% lower.
While the majority (55%) of leapfrog companies consider the threat of external attacks to be very significant, only 47% of the laggard organizations share that view. To make matters worse, prevention appears much further down the list of priorities for static companies than for their leapfrogging counterparts.
Moreover, the topic of security seems to have made little impact in the boardroom thus far. Thus, even leapfrog companies rate regular security reporting to the management board as only moderately important (6.5 on a scale of 1-10, where 1=unimportant and 10=very important). They also appear not to attach much importance (5.7) to transparency or to a regular supply of information from the chief security officer (CSO) to other top managers at the company.
One in Three Companies Hit by Cybercrime
These findings are surprising when you consider that a lax approach to the subject of security can prove extremely costly. A survey conducted by KPMG found that around one third of companies fell victim to computer fraud and spying or had their account and financial data manipulated in 2014 – and the numbers are rising. On average, companies suffered a total loss of around €150,000; and in cases where business secrets were compromised, the average losses were up to €650,000. Based on figures like this, one security incident could be enough to put a small or midsize company out of business.
Multi-layered concepts are essential for maintaining high levels of security in the long term. Thus, every company should have a password policy and deploy technical security measures such as firewalls and virus scanners. In today’s risk climate, however, prevention alone is not enough. Which is why SAP follows a three-pillar strategy consisting of prevention, detection, and response. As well as making sure that employees keep an eye out for persons not displaying a valid ID card, security-conscious companies should opt for innovative solutions like SAP Enterprise Threat Detection. This SAP software is one of only a handful of tools that can detect cyberattacks on the application level.
When it comes to transparency, SAP’s efforts are far-reaching.
“Cooperation is the key! We’re in regular contact with other businesses and with public authorities, and we exchange our best practices and experiences with them. Because it’s only by joining forces that we can identify the risks and take appropriate countermeasures,” says SAP’s Chief Product Security Officer Gerold Hübner.
He adds, “We operate a sophisticated security software lifecycle in SAP Software Development, comprising well-trained developers and resilient processes and tools. This allows us to offer our customers highly secure products. But it’s not all down to us. Customers also have a part to play, and that includes implementing the latest security patches without delay. We provide assistance here in the form of services and guidelines. And because we recognize our responsibility as the world’s third-largest software provider, we are committed to the topic of secure software in general. For instance, we help the ecosystem build secure software by contributing actively to SAFECode, a non-profit organization that provides smaller software companies with information about how to write secure code.”
An overview of SAP’s security concept is available at www.sap.com/security.
Bolstering SAP’s Human Firewall
What happens when employees become a source of risk? Let’s be clear on one point right away: We’re not usually talking about malicious intent here, or employees purposely wreaking revenge on their managers or on the company. In many cases, new security leaks open up as a result of carelessness.
The best example is when an employee uses a private USB flash drive in the office and, in so doing, unwittingly spreads malware around the company system. This kind of carelessness is what the Human Firewall initiative launched by SAP at the beginning of the year is designed to prevent. It’s all about making employees more aware of the security risks that can result from thoughtless or naive behavior and about recognizing people who might be attempting to gain access to the company for malicious purposes. As part of this initiative, SAP requires its employees to complete regular obligatory security training courses.
“We want to create the world’s longest human firewall,” explains Klaus Schimmer, who is responsible for IT security awareness at SAP. In this vein, SAP employees all over the world are demonstrating their commitment to security by posting a personal message and their photo on an internal platform. All the photos collected will be joined together to form an “endless” virtual photo. Ideally, it will be so long that it will earn a place in the Guinness World Records.