Growing demand for intelligent, available and accurate data is fueling organizations as they implement digital transformation activities. Whether moving to the cloud, supporting new innovations or preparing for a move to SAP® S/4HANA, the need and pressure for change is immense. And, while digital transformation projects are key drivers for growth, they also create and expose organizations to significant risk. To properly manage risk before, during and post transformation, organizations should have defined cybersecurity programs in place to ensure proper protection of critical business data. In a recent webinar with our partner Onapsis, we laid out a foundation for a proper cyber program and highlighted steps needed to make a transformation such as a S/4HANA migration safe and compliant.
With business-critical data being hosted on essential SAP applications, cyber attacks against systems have dramatically increased in ferocity and complexity, compromising the information security of organizations and even governments worldwide. One of the main risks organizations experience during a digital transformation is an exposure of the company’s “crown jewels” to vulnerabilities and threats. These “crown jewels” are the centerpiece of the business, such as SAP or Oracle or any other ERP system. They hold the organization’s intellectual properties, transactional data, financial data, customer information, vendor information and more. Everything is out there. So it’s a common area for attackers to pose a threat. That’s why, in today’s hyper-connected working environment, the benefits of digitally engaging ERP systems to carry cyber and compliance risk implications must be understood and managed. Understanding the risks and responsibilities becomes critically crucial for effective governance in large scale ERP deployments. It can be helpful to find a partner like Onapsis, to maintain the focus on protecting ERP systems to secure the “crown jewels” while maintaining compliance with regulatory requirements such as GDPR and the Sarbanes-Oxley Act. Keeping mission critical ERP systems secure is vital to the health of any cybersecurity program.
However, preventing these attacks and securing systems does not need to be complex. Protiviti’s approach can help organizations at various levels of maturity prioritize focused integration of capability to address SAP cybersecurity imperatives. We often recommend these best practices to help increase a client’s security baseline:
While we don’t have a crystal ball and given the increase in cyber threats, it’s not out of the question that many companies may experience a cyber attack of some kind in their future. The scary part is that organizations may or may not be aware that the attack is or has taken place. Often, companies have a blindspot when it comes to ERP tool visibility, which is why monitoring and protecting the SAP cyber security environment is so critical, in order to both keep systems compliant and safe from insider and outsider threats. For example, the Onapsis platform offers a number of valuable features, including the ability to get actionable information needed to discover, assess and remediate misconfigurations and vulnerabilities.
Cybersecurity programs should not be an afterthought. Yet, time and again security often gets bolted on much later in the transformation process, when it costs more and can cause tremendous disruption. While it might be obvious that undergoing any type of digital transformation project presents risks, remember that risk is always present, even when the choice is to do nothing. Sometimes that risk is even greater when the current security footprint has not kept up with the times. It is vital to ensure the organization is properly preparing for digital transformation with strategic risk activities at the forefront.
As we learned from the recent Protiviti/Onapsis webinar, regardless of where the organization is with an S/4HANA journey or any other initiative, there are several steps that are critical:
- Ensure the chief information security officer (CISO) is an integral part of your S/4HANA transformation project
- Emphasize building a secure culture: security is everyone’s responsibility!
- Security and controls should be business process enablers, not just a compliance check box
- A next-generation approach provides a vision for continuous monitoring
- Plan ahead: avoid retrofitting the S/4HANA controls environment
Protiviti’s Enterprise Application Solutions practice, recognized as a global leader in ERP security consulting, has a broad range of experience in cyber risks, regulations, and technology that will aid organizations in cyber risk strategic thinking and careful capability planning required for this transformation. Our cyber risk strategy and governance planning approach helps organizations effectively adapt imperatives to be secure, alert, and have a recovery and respond plan when implementing SAP S/4 HANA and broaden the lens to understand cyber risks associated with the transformation.
To learn more about why companies are increasingly moving to cloud-based SAP solutions, attend our next joint webinar with Onapsis, Keeping Secure and Compliant in the Cloud, Thursday, June 23 at 10 am EDT / 4pm CEST.
About the Authors
Enterprise Application Services
Enterprise Application Services
Technical Director, Channel and Alliances