
Five Tips to Make You a Work-From-Home Pro

By Chris Heller • March 20, 2020

The streets are empty, offices are closed, and your favorite bar around the corner is shut down until… well, we don’t know when. COVID-19 has taken us all by surprise and companies are implementing work-from-home policies at a rapid pace. 

Working from home can, at times, feel like a prison. If you’re one of the lucky ones, you have video conferencing and it isn’t overloaded (just yet). Some of us are used to working from home or were already remote before the pandemic; others are working from home for the first time and have never experienced this lack of social interaction before.

Here are a few work-from-home tips to consider: 

1) Stick to your schedule. 

It’s tempting when you first start working from home to sleep in late. Don’t! Stick to your normal routine. If you normally go into the office from 9 am to 5 pm, be at your computer/iPad/phone/whatever from 9 am to 5 pm. Your body gets used to these habits and it’s important to still have some boundaries between your work life and home life.

2) Create a workspace. 

It feels like I’ve heard every sort of work-from-home space idea there is. Working from the bathtub has to be the most interesting, and equally the most concerning. The same way that our minds get used to a work schedule, we get used to a workspace. If we do work in our bed, our minds may struggle to leave work at “work” when we’re trying to sleep. If we do work on our couch, the temptation to turn the TV on for a minute or rest your eyes can become a consistent habit. Clear space on your kitchen table or make a standing desk out of your counter, anything to create a secondary location that you can use just for work.

3) Communicate with your team (well). 

If you’ve never worked from home, you likely had the ability to walk down the hall or simply turn your head to ask a question. I saw the message “I wonder how many meetings become emails now” all over social media last week. Utilize all of your tools, not just email. If your company has Microsoft Teams/Slack for messaging, use it to stay in touch and send your updates. If you have video conferencing, have your meeting with the cameras on just to have that in-person feeling. 

For those that work from home, it’s important to communicate not only with your coworkers, but with your boss as well. Let them know what you’re working on and how you’re utilizing your time. If your boss has never worked from home either, they may be concerned that your work could suffer. Keep them informed of your progress and what you need from them, just like you should be doing in your office.

4) Take care of your appearance. 

Growing up I played hockey and every gameday we would dress up and say “look good, feel good, play good.” We didn’t always win, but there’s something about feeling your best that puts you in the right frame of mind. I don’t mean to say you should dress in a suit to work from your home office, but at least come presentable to your “office.” If you’re doing a video call, opening your email, or just sitting at your desk you want to set yourself up for success. Prepare for your day just like you would any other day. 

5) Take breaks. 

When you work in an office, breaks are built into your day whether you know it or not. My good/bad habit when working from home is that when I sit down at my desk, I don’t get up for hours at a time. I’m glued to my screen with no distractions. At work, you get up to grab a drink and have a conversation with your deskmate on the way. Maybe you’re in a “cool office” and your office plays a game of ping pong once a day. Whatever your “break” is in the office, you need one when working from your home office too.

Try walking to get your mail, go outside for five minutes and just breathe in the fresh air, or really anything else that gets you up from your chair (or, if you’re lucky, away from your standing desk). It doesn’t (and shouldn’t) need to be long, but make sure you are still moving.

Hopefully these 5 tips help you become a work-from-home pro during this COVID-19 pandemic. Stay safe and be sure to keep checking the CDC’s guidelines, found here.

Interested in what we do at Appsian? Click here

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Remote Access to PeopleSoft a Requirement? Here Are (3) Success Stories to Consider

By Scott Lavery • March 18, 2020

With the workforce disruption caused by Coronavirus (COVID-19), enabling remote access to ERP applications like Oracle PeopleSoft has become a business requirement. As a result, organizations that fear disruptions to business continuity are rushing to scope additional security solutions. Many are turning to the early adopters of remote PeopleSoft access to better understand the gaps in PeopleSoft’s security model, the implications of exposure to the internet, and the mitigation steps required to maintain security.

Hackensack Meridian Health (HMH) identified authentication vulnerabilities in PeopleSoft’s username and password security model:

This resulted in the scoping of a Single Sign-On and Multi-Factor Authentication (MFA) project. Both solutions required a Security Assertion Markup Language (SAML) integration with HMH’s identity provider, Duo Security. The project enabled hospital staff to quickly access business-critical functions, including medical supply ordering, scheduling, and billing, all of which had a positive impact on HMH’s ability to take care of their patients. The project resulted in HMH winning Oracle Innovator Awards in 2018 and 2019.

Cornell University wanted to enhance the logging capability for PeopleSoft Campus Solutions:

Their goal was to record user activity while performing various transactions to improve security and incident response. Cornell University proceeded to scope solutions that would enhance their visibility without hindering system performance. Once a third-party logging solution was installed, Cornell University was able to allow access to remote students, employees, and staff while maintaining granular levels of visibility. This proved critical when subsequent security incidents required rapid investigation.

The State of North Dakota identified the need to enable remote access to employees state-wide:

IT leaders sought to equip PeopleSoft Human Capital Management (HCM) and Financials with advanced features to dynamically limit data exposure and increase visibility of user activity. After deploying a third-party solution for dynamic data masking and location-based security, the State of North Dakota was able to accurately align the risk level of user access with the exposure of sensitive data, providing a clear path to enable secure remote access for users.

With COVID-19 creating a myriad of questions and concerns for business leaders, PeopleSoft customers are encouraged to approach remote access projects carefully.

Let us know if we can help enable your journey. Contact us today!



Maintaining Business Continuity During Coronavirus (COVID-19): Securing Critical ERP Functions For Remote Access

By Piyush Pandey • March 16, 2020

As organizations prepare to protect their workforce from Coronavirus (COVID-19), they need to balance best health practices with best security practices. More companies are establishing remote work policies to create social distance that decreases the spread of the virus. While this acts as a deterrent for further infection, remote work inherently increases the data security and privacy problems organizations already face. This is mostly due to the increasing attack surface that comes with remote access to critical business applications. Organizations are responding to this new threat by scoping strategies to limit access, create time-bound access policies, and establish data visibility controls. If an organization can create a “remote workday” that allows them to secure remote access during the Coronavirus outbreak, then this increased attack surface should be mitigated. But is that nearly enough?

How Organizations are Responding to CDC, OSHA, and HHS Coronavirus Guidance 

The Centers for Disease Control (CDC) issued a Coronavirus Interim Guidance for Businesses and Employers in March 2020, while the Occupational Safety and Health Administration (OSHA) and Health and Human Services (HHS) issued a joint guidance of their own. At their core, both sets of guidance recommend social distancing as a basic infection prevention measure.

Social distancing, or separating people to limit the spread of infection, led many organizations to implement more flexible remote work strategies. OSHA/HHS specifically suggested:

Employers should explore whether they can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others.  

While this strategy decreases the spread of Coronavirus, it leaves IT and security teams in an unenviable position. Taking applications away from corporate networks/firewalls and exposing them to the internet can lead to many concerns – most of which surround the secure authentication of users. 

Prompting a Move Towards a Zero Trust Model 

Zero Trust acts as a best-practices model when attempting to secure user authentication to critical systems. It treats all users, both internal and external, as potential malicious actors, and grants high-privilege access to no one by default. While you may trust your employees, you also need to recognize the potential risk for credential theft (e.g., phishing) that a remote workforce creates.

For instance, someone working from home may have a home wireless connection that lacks encryption or other security protocols. While a VPN can provide some confidence, not all users may have the VPN on a home laptop or other personal device. After all, the fundamental risk created by remote access comes from personal devices accessing sensitive data. 

Using an adaptive multi-factor authentication (MFA) solution can help control access to sensitive information. For example, organizations using PeopleSoft can use an adaptive MFA solution that takes into account the context of access like location, device, or time of day. This solution becomes more effective when integrated at page, component, and field levels of particularly sensitive transactions and as users move between applications. With contextual controls as part of your remote workforce policy, you gain greater control over access to sensitive information such as payroll data, vendor payment data, or corporate financial information. A secondary benefit is a decrease in user friction, as remote users are only challenged when the context of their access deems it necessary. 

Simulate a “Workday” with Time-bound Controls 

Although organizations normally consider time-bound controls part of their emergency access and firefighter access or joiner, mover, and leaver processes, they can also help simulate “workday” appropriate access for a remote workforce.

As more remote users work from home, organizations should establish time-bound access controls that limit access outside of a given “flexible workday.” For example, if your current flexible schedule allows employees to arrive at the office as early as 7 AM and leave as late as 7 PM, then you can establish time-bound organizational access based on application criticality to simulate this.

By disabling access between 7:01 PM and 6:59 AM, you limit the risks associated with credential theft and internal privilege misuse. Limiting access to certain times of the day means that you can worry less about the anomalous 2:00 AM access that might indicate a malicious actor with a stolen credential or a workforce member accessing information inappropriately.
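As an added illustration (not code from this post or from Appsian’s product), the following Python policy check combines the 7 AM to 7 PM window described above with the contextual signals the post lists earlier for adaptive MFA (device, network, location, and transaction sensitivity). The transaction names, risk weights and thresholds are assumptions made for the example; a real deployment would tune them against its own access data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import time

# Constructed "flexible workday": 7:00 AM through 7:00 PM inclusive, at
# minute granularity, matching the window described in the post.
WORKDAY_START = time(7, 0)
WORKDAY_END = time(19, 0)

# Hypothetical transaction names the policy treats as sensitive.
SENSITIVE_TRANSACTIONS = {"payroll", "vendor_payment", "direct_deposit"}

# Risk weights and thresholds are assumptions for this example.
RISK_MFA_THRESHOLD = 1    # any risk signal -> step-up MFA challenge
RISK_DENY_THRESHOLD = 4   # too many signals at once -> deny outright


@dataclass
class AccessContext:
    user: str
    transaction: str
    local_time: time          # wall-clock time of the request
    managed_device: bool      # company-issued, enrolled device?
    corporate_network: bool   # on the corporate network or VPN?
    country: str              # geolocation of the source address
    home_country: str = "US"  # where this user normally works


def evaluate_access(ctx: AccessContext) -> tuple[str, list[str]]:
    """Return ("allow" | "mfa" | "deny", reasons) for one access attempt."""
    # 1. Time-bound control: outside the workday nothing else matters.
    if not (WORKDAY_START <= ctx.local_time <= WORKDAY_END):
        return "deny", ["outside the flexible workday window"]

    # 2. Adaptive MFA: accumulate contextual risk signals.
    risk = 0
    reasons = []
    if not ctx.managed_device:
        risk += 1
        reasons.append("unmanaged device")
    if not ctx.corporate_network:
        risk += 1
        reasons.append("off corporate network")
    if ctx.country != ctx.home_country:
        risk += 2
        reasons.append(f"access from {ctx.country}, expected {ctx.home_country}")
    if ctx.transaction in SENSITIVE_TRANSACTIONS:
        risk += 1
        reasons.append(f"sensitive transaction: {ctx.transaction}")

    if risk >= RISK_DENY_THRESHOLD:
        return "deny", reasons
    if risk >= RISK_MFA_THRESHOLD:
        return "mfa", reasons
    return "allow", ["trusted context, no step-up needed"]


def decide(transaction: str, hour: int, minute: int, managed_device: bool,
           corporate_network: bool, country: str, user: str = "jsmith") -> str:
    """Convenience wrapper that returns only the decision string."""
    ctx = AccessContext(user, transaction, time(hour, minute),
                        managed_device, corporate_network, country)
    return evaluate_access(ctx)[0]


if __name__ == "__main__":
    # Constructed sample: the "anomalous 2:00 AM access" from the post.
    late = AccessContext("jsmith", "direct_deposit", time(2, 0), True, True, "US")
    print(evaluate_access(late))
```

The time check runs first so that an off-hours attempt is refused before any contextual scoring happens; during the workday a trusted, on-network, managed device reaches a sensitive transaction with a single MFA challenge, while an unmanaged device from an unexpected country is refused rather than merely challenged.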

Continuously Monitor User Access to Sensitive Information 

While most organizations monitor user access requests or user behavior, creating specific dashboards as part of Coronavirus remote workforce preparedness provides an additional layer of security. From a security standpoint, the biggest risk with remote workers is maintaining visibility into activity around sensitive data. Organizations need a way to view and monitor data access in real-time. Some of the key variables that should be tracked are geographic location of access, device used, and access volume on specific data fields (salary, social security, direct deposit, etc.).

Lastly, you may want to consider monitoring failed authentication trends and triangulating them with geographic location. This data can quickly identify brute force attacks that may not be apparent at the application level – but may only be showing up as anomalies and errors taking place with your identity provider. 
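As an added example (not from the post or from any identity provider’s tooling), here is a small Python detection that does the triangulation just described: it parses authentication log lines, groups failures by geolocation, and flags any location whose failures exceed a threshold inside a sliding time window, reporting how many accounts and source addresses were involved. The log format, the sample lines and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real identity provider):
# one burst of failures from a single foreign source, plus normal daytime noise.
SAMPLE_LOG = """\
2020-03-16T02:01:10Z result=FAIL user=jsmith ip=203.0.113.7 geo=RO
2020-03-16T02:01:15Z result=FAIL user=jsmith ip=203.0.113.7 geo=RO
2020-03-16T02:01:20Z result=FAIL user=mlee ip=203.0.113.7 geo=RO
2020-03-16T02:01:25Z result=FAIL user=mlee ip=203.0.113.7 geo=RO
2020-03-16T02:01:30Z result=FAIL user=rkhan ip=203.0.113.7 geo=RO
2020-03-16T02:01:35Z result=FAIL user=rkhan ip=203.0.113.7 geo=RO
2020-03-16T02:02:40Z result=FAIL user=jsmith ip=203.0.113.7 geo=RO
2020-03-16T08:15:02Z result=OK user=jsmith ip=198.51.100.20 geo=US
2020-03-16T08:20:44Z result=FAIL user=agarcia ip=198.51.100.31 geo=US
2020-03-16T09:05:11Z result=OK user=agarcia ip=198.51.100.31 geo=US
2020-03-16T13:42:00Z result=FAIL user=mlee ip=198.51.100.52 geo=US
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) geo=(?P<geo>[A-Z]{2})$"
)


def parse_events(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failed_auth_alerts(events, window=timedelta(minutes=5), threshold=5) -> dict:
    """Flag geolocations whose failures reach `threshold` in any sliding `window`."""
    by_geo = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_geo[ev["geo"]].append(ev)

    alerts = {}
    for geo, fails in by_geo.items():
        fails.sort(key=lambda ev: ev["ts"])
        peak, start = 0, 0
        for end in range(len(fails)):
            # Advance the window start until the span fits within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[geo] = {
                "peak_failures_in_window": peak,
                "accounts_targeted": len({ev["user"] for ev in fails}),
                "source_ips": sorted({ev["ip"] for ev in fails}),
            }
    return alerts


if __name__ == "__main__":
    for geo, info in failed_auth_alerts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT geo={geo} {info}")
```

Grouping by geolocation rather than by account is what makes the burst visible: each individual account in the sample sees only two or three failures, which a per-user lockout rule would not trip, while the location view shows seven failures against three accounts from one address in under two minutes.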

Protecting Workforce Health While Maintaining Data Health  

As organizations face the distinct possibility of the Coronavirus requiring nearly all workforce members to do their jobs remotely, balancing data health and employee health becomes a concern. Fortunately, today’s advanced technologies provide a variety of solutions.  

The Coronavirus may be acting as a catalyst for organizations to change their approach to managing user access to sensitive information. Unfortunately, many companies that once required employees to work on-premises when managing sensitive data are having to reconsider policies and scramble to maintain business continuity.

How Appsian Can Enable Secure Telecommuting 

Appsian delivers the control and visibility that traditional ERP applications like PeopleSoft and SAP (ECC or S/4HANA) inherently lack. As access becomes increasingly mobile, having the ability to dynamically control access and gain deep visibility into user behavior is increasingly necessary. The Appsian Security Platform combines a sophisticated suite of solutions designed to enhance user authentication, apply contextual access policies, enforce fine-grained data security controls, and provide granular logging with real-time analytics.

For more information about how Appsian can help accelerate your remote workforce access strategy, contact us today or schedule a demo.


Five Tips for Enabling Secure Mobile Access to PeopleSoft

By Scott Lavery • March 11, 2020

Enabling mobile access to PeopleSoft is a primary objective for many organizations. Naturally, there are security concerns when making transactions available on the internet. Here are (5) best practices you should consider.

1) Identity and Access Management Must Be Enhanced

A username/password security model is not enough to effectively restrict unauthorized access. PeopleSoft passwords are inherently weak, easy to crack, and some users may have multiple passwords.

2) Align Authentication with an Identity Provider (IdP)

This is typically accomplished with an enterprise Single Sign-On that is natively integrated with an IdP. For PeopleSoft, your IdP is the best authentication database because it is centrally provisioned and governed by your corporate password mandates.

3) Always Utilize Multi-Factor Authentication

Multi-factor authentication (MFA) is an effective method for verifying identity. While having this functionality at login should be a standard part of a security posture, it is recommended that an adaptive MFA be utilized.

Adaptive MFA ensures that contextual attributes (e.g., device, network, location) are the determining factor for deploying MFA challenges. This helps properly align levels of risk with access policies. Context of access varies in a mobile environment and your level of control should do the same.

4) Prevent the Unauthorized Exfiltration of Data

Data leakage is the #1 cause of breaches. Data exfiltration becomes a greater risk when access is remote – mostly because devices are no longer regulated. Limiting the running of reports and queries when access is remote will help ensure data is not exfiltrated on an unauthorized device.

In addition, implementing data masking on sensitive fields will help limit the exposure of sensitive data.

5) Enhance Your Visibility into Data Access

Simply put, if you are not logging access and usage data – then you’re at risk. Having visibility into user behavior is critical in order to detect and remediate a security threat.

Also, routine audits are critical for understanding what is happening inside your applications and if further steps need to be taken.

How Appsian Can Enable PeopleSoft for Mobile Access

Appsian delivers a sophisticated platform designed to give you complete control and visibility over your ERP data. We do this by strengthening your ability to: Authenticate Users, Manage Privileged Access, Limit Data Exposure, View User Activity, and Detect and Respond to Threats.

Appsian has enabled more than 250 PeopleSoft customers worldwide to securely expand access to PeopleSoft. Let us show you how we can maximize your investment in PeopleSoft!

Request Your Demonstration Today!


Responding to Coronavirus (COVID-19): How to Enable PeopleSoft for Secure Telecommuting

By Scott Lavery • March 9, 2020

With companies like Microsoft, Amazon, and Twitter encouraging workers to stay home, many wonder if this is the beginning of a “work-from-home revolution” with no end in sight. More organizations around the country are adopting remote work policies each day – with Congress being the latest addition. In fact, today, The House Administration Committee will launch a center to coordinate computers and phones into a telecommuting system.

As organizations rush to adjust to this new work culture, they must consider PeopleSoft from (2) perspectives: maintaining secure user authentication and maintaining data security. After all, telecommuting means perimeter firewalls and corporate networks are not leveraged as originally intended.

Is PeopleSoft only available on your network? Now what?!?

With many organizations opting not to expose PeopleSoft self-service transactions to the internet, a workforce that’s now required to telecommute would bring business to a screeching halt. This can be devastating to operations when you consider the myriad of financial, HCM, and essential student/faculty/staff (for Campus Solutions customers) transactions taking place each day.

Halting transactions isn’t an option, so Appsian recommends PeopleSoft customers consider these areas as they transition to a telecommuting work culture:

How are you authenticating user identity?

Are you leveraging your corporate Identity Provider to authenticate PeopleSoft users? If not, understand that PeopleSoft usernames and passwords are a major liability and hackers can crack them with ease. Also, brute force attacks are much more effective when the strength of passwords is not regulated by your IdP.

Are you using a single authentication step?

Is the username/password model your sole authentication strategy? Do you have the ability to force MFA challenges, especially if users are accessing from an unknown network or device? Implementing an MFA for PeopleSoft is not just recommended, but essential for preventing unauthorized access. Plus, it greatly mitigates the damage of phishing attacks.

What is your breach remediation strategy?

Logging and analyzing user behavior is critical for maintaining network security, but are you able to identify malicious behavior inside your PeopleSoft applications? If mobile access is enabled, the result is an extended threat surface. It is recommended to enhance how you log user activity.

The bottom line is that we recommend you evaluate your strategies now and determine the best path for maintaining business continuity. There are key authentication challenges to consider, and the experts at Appsian are here to discuss your initiatives.


2020’s Top ERP Security Challenges: It’s All About the Data!

By Scott Lavery • December 19, 2019

As we enter the new year, the criticality of securing sensitive data will continue to mold and transform the structure of security strategies across enterprises, resulting in a heightened focus on access controls, visibility solutions, and (generally) data-centric ERP investments. With numerous data privacy regulations on the horizon, the cost of data breaches will be more catastrophic for businesses. In 2020, enterprises must invest in proactive strategies that combat the dynamic threats targeting an organization’s most sensitive data.

Enterprises can expect the trend of increased data breaches in ERP systems to continue to rise in 2020

Since ERP was first designed as an application product, ERP systems have been incapable of evolving alongside an organization’s maturing IT environment and are unable to integrate with advanced security initiatives. It is, and will remain, very challenging to keep ERP systems up to date, and due to the business criticality of these applications, enterprises are wary of switching them out entirely.

In order to secure ERP systems in 2020, business owners must realize the criticality of their businesses’ usability of ERP apps. It is the business owner who is more familiar with the users, and as Gartner concluded, ‘it is the user – not the provider – who fails to manage the controls used to protect an organization’s data.’ With the growing number of connected applications running across the company, such as payment and HR apps, business owners need to evolve their ERP systems and go beyond firewalls.

In 2020, there will be a CIO responsibility shift from “systems technology experts” to “data experts”, as security increasingly becomes more of a data-level function

As enterprises become more and more aware that the security of sensitive ERP data is a high priority, especially with the rise in data privacy regulations such as CCPA, there will be a rise in Chief Data Officer roles as well as a shift in the role of CIOs from a focus on systems to a focus on data. This shift will cause many challenges though, as the majority of CIOs do not specialize in the systems aspect of ERP. Yet, the rise in data-centric compliance initiatives, as well as the deployment of fundamental security tools such as multi-factor authentication and SSO across the enterprise, will ease the transition from a systems-centric CIO to a data-centric CIO.

Additionally, from an organizational perspective, we can expect more CIOs and CISOs at the board level as organizations continue to mature, invest further in security, and understand the varying operational budgets.

In the coming year, we can expect more enterprises adopting privileged access management (PAM) as a key IT security project, as well as effective access controls due to heightened third-party risk

PAM is the first, fundamental level of data protection, privacy, and compliance where logging and auditing are concerned, and with more and more data privacy regulations on the horizon, PAM will become a key IT security project in the coming year. Additionally, given that the majority (83%) of organizations engaging third parties to provide business services identified risks, organizations must hold all third parties to greater liability in 2020 and bind them contractually to data protocols in the event of a breach.

Users will increasingly demand ERP access beyond their corporate networks; core transactions will need to face the open internet

As organizations continue to make (and demand) employees be more productive, employees will (in turn) insist that their ERP transactions are available from any location, at any time. In order to maintain high levels of security, ERP transactions have traditionally been available (only) behind corporate firewalls. However, this model immediately causes user push-back, especially as more organizations rely on mobile workforces to scale and keep business running in the coming years. When enterprises insist that employees only execute their ERP transactions when they have access to a corporate network, users will inevitably avoid it which will cause increased strain on an organization across functions.

Therefore, in 2020, we can expect more organizations to invest in solutions that focus on enhancing access controls and logging. More and more organizations will begin to understand the importance of expanding access as a table stakes initiative as productivity requirements shift, demanding users to be as mobile as possible.

What are your ERP security and compliance goals for 2020?

The security experts at Appsian would love to help ease the journey toward a fully secure and compliant ERP system. Email us at info@stgappsian.wpengine.com to learn how we do it!


Why Dynamic MFA is the Key to Strict ERP Security Without Causing User Friction

By Scott Lavery • November 14, 2019

Cats & dogs, oil & water…

Apparently, these groups don’t get along. You can definitely add Security Admins & Business Users to that list. The reasons are (sort of) obvious, but only if you point them out. Simply put, one group restricts access and the other group demands access. I understand this is an over-simplification. At the end of the day, if user or corporate data is compromised, everyone gets upset. However, from a tactical standpoint, these two groups are trying to accomplish goals simultaneously and inevitably get in each other’s way.

The friction between business users and security policies typically occurs during the authentication process. For example, when a user is asked to enter login credentials or go through an MFA challenge. While this may seem innocuous, it should be noted that friction (over time) builds and builds – and if a user does not see the benefits in the extra authentication step(s), they are likely to abandon whatever business transaction they’re trying to access. And, abandonment certainly does not promote productivity!

…and herein lies the true conflict between security and productivity

Securing data that resides in ERP applications has all the makings of a classic conflict between security and business user productivity. All the security focus is on login screen authentication – and traditional, on-premise ERP applications (SAP, PeopleSoft, Oracle EBS) are filled with sensitive data with limited ways to implement fine-grained controls. The result is Security Admins have no choice but to be overly-strict with their security policies (ex. requiring MFA at each login) – causing users to push back and possibly abandon critical business transactions.

This is where Appsian comes in… enabling dynamic MFA

Appsian enables organizations to implement adaptive, data-centric ERP security policies. Meaning, if fine-grained control is what you’re looking to accomplish – then, Appsian gives you the ability to align specific security policies to specific data elements/transactions. Being specific mitigates user friction, and here is why…

Not all sessions/transactions are risky

Question: Should you have to pass an MFA challenge if you’re working on your company-issued computer and logged on to your corporate network? What is the likelihood the context of that access is fraudulent?

Users appreciate when risk level aligns with security measures

Users don’t like their data compromised either, and when they are executing transactions that are deemed ‘high risk’ (ex. change direct deposit, update benefits, update W-4) a user should expect stepped-up security challenges.

When security aligns to the context of access – security and business policies live in harmony!

It’s corny, but it’s true. By aligning security to specific data elements and transactions, business processes and security policies become aligned and everyone gets what they want. Users are only challenged when necessary and Security Admins can feel their policies are properly focused.

Users can be fully productive and feel confident their data is safe and secure. True love!

Want to learn more about implementing dynamic MFA for ERP systems? Then Let’s Talk!


California Consumer Protection Act (CCPA) – Do You Have an Action Plan for your ERP?

By Scott Lavery • October 24, 2019

CCPA – A Quick Review

CCPA takes effect on January 1, 2020. The spirit of CCPA revolves around consumers taking back control of their personal information, pushing data privacy to the forefront. According to the regulation, California citizens will have the right to know what personal data (PII) has been collected by a business. Consumers also have the right to say ‘No’ to the sale of their information and to have all data that an organization holds about them deleted. Once CCPA comes into effect, consumers can file lawsuits against companies for breaches.

After being implemented (on Jan 1, 2020), CCPA will also have a Look Back period – organizations will need to disclose how they have been collecting, using, storing, and sharing data over the past year. 

Consequences of Non-Compliance

In the case of non-compliance, organizations run the risk of facing hefty fines. CCPA imposes up to $2,500 per unintentional violation and $7,500 per each intentional violation. 

Preparing your ERP for CCPA in (2) Steps

To ensure compliance and avoid high penalties, organizations need to have additional mechanisms in place. Here are a couple of tactical strategies organizations should consider to prepare their ERP systems for the 1/1/2020 deadline:

1. Enhance Visibility into User Activity

CCPA requires organizations to have complete visibility into how their data is obtained, used, stored, and shared with third parties. Note the term: used. To achieve detailed visibility around data usage, organizations need to adopt a robust, real-time logging strategy. Logging user information (such as date of access, UserID, IP address, device, location of access, etc.) is crucial for understanding how data is being used within your organization.

Traditional ERP systems like PeopleSoft, SAP ECC and Oracle EBS do not provide this level of granularity. It is recommended that logging enhancement tools be scoped, as actionable insights that highlight who viewed what data field(s) are currently a blind spot inside these systems.

Logging data can be leveraged inside a SIEM to provide trends and analytics – making audit practices more efficient.

2. Prevent Unnecessary Data Exposure for High Privilege Users

Today, CIOs all over the country are leading efforts to define what constitutes PII, identifying where it resides and furiously writing policies to restrict access. When it comes to ERP systems, the static rules that govern access and data exposure can be limiting; this is especially true when it comes to the ability to mask or redact data fields.

User-centric vs. data-centric

Use Case: Should PII, like a user’s social security number, be visible even to high-privilege users? Is there a ‘business process’ reason for that (or any personal info: marital status, home address, health insurance info, etc.) to be accessible by anyone except the individual who owns that PII?

These scenarios are difficult to manage in ERP systems because roles and privileges are user-centric, not data-centric. The distinction: a user-centric role says a person (or, in most cases, a group) can view something under any circumstances, while data-centric means the nature of the data defines the access. People (and roles) may come and go, but the data remains the centerpiece of the policy.

Having the ability to mask any data field (via a data-centric policy) is the best way to ensure that access to PII is limited to the strictest of circumstances. After all, the principle of least privilege dictates that a user should only access what is truly necessary. Having your data exposure defined by static user roles (and not by the data itself) will inevitably lead to compliance problems.
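To make the user-centric vs. data-centric distinction concrete, here is an added example (not Appsian's product code) of a field-level masking policy in which the field's classification, not the caller's role, decides what is returned: even an HR administrator sees a masked SSN unless they are the data subject. Field names, the roles, the "payroll" purpose and the masking formats are all assumptions.

```python
# Assumed classification of employee record fields:
#   restricted   -> full value only for the data subject, masked for everyone else
#   confidential -> full value for the subject or for an approved business purpose
#   internal     -> not PII, returned as-is
FIELD_CLASS = {
    "SSN": "restricted",
    "HEALTH_PLAN": "restricted",
    "MARITAL_STATUS": "restricted",
    "HOME_ADDRESS": "confidential",
    "JOB_TITLE": "internal",
}
# Purposes that justify seeing a confidential field in full (assumed).
APPROVED_PURPOSES = {"HOME_ADDRESS": {"payroll"}}

# Constructed sample record, not real data.
EMPLOYEE = {
    "employee_id": "EMP-1001",
    "JOB_TITLE": "Analyst",
    "SSN": "123-45-6789",
    "HOME_ADDRESS": "1 Main St, Springfield",
    "HEALTH_PLAN": "PPO-Gold",
}

def mask(field, value):
    """Masking formats are assumptions; keep only what a workflow needs."""
    if field == "SSN":
        return "***-**-" + value[-4:]
    return "[REDACTED]"

def user_centric_read(record, role):
    """Static role rule: HR_ADMIN sees every field in full, whatever it holds."""
    if role == "HR_ADMIN":
        return dict(record)
    return {k: v for k, v in record.items()
            if FIELD_CLASS.get(k, "internal") == "internal"}

def data_centric_read(record, requester, purpose=None):
    """The field's classification decides; the requester's role never does."""
    out = {}
    is_subject = requester == record["employee_id"]
    for field, value in record.items():
        cls = FIELD_CLASS.get(field, "internal")
        if cls == "internal" or is_subject:
            out[field] = value
        elif cls == "confidential" and purpose in APPROVED_PURPOSES.get(field, set()):
            out[field] = value
        else:
            out[field] = mask(field, value)
    return out
```

Running `data_centric_read(EMPLOYEE, "hradmin")` returns the SSN as `***-**-6789` and the health plan as `[REDACTED]`, while `user_centric_read(EMPLOYEE, "HR_ADMIN")` hands back the full record.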

Conclusion

Once an organization goes through the process of locating and defining their PII – the true compliance efforts begin! The (2) steps above provide helpful framing around how an organization should approach tactical ERP data compliance strategies. And Appsian can help!

CCPA and GDPR are the beginning of a series of compliance mandates expected to follow. Several states in the U.S. are drawing up their own mandates for data privacy. It’s a given that visibility into ERP data access is no longer an option but a necessity. Contact us to learn how you can fast track your preparation for compliance by enhancing your visibility and applying a data-centric ERP compliance framework.

Example CCPA Analytics Dashboard (powered by Appsian)
Use Cases Highlighted: PII access volume (by User ID) and Sensitive data access volume (by IP)

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

64% of SAP & Oracle ERP Customers have reported a Breach (in last 24 months)

By Scott Lavery • October 15, 2019

The numbers are out, and it’s more apparent than ever – your ERP system is most likely at risk. A recent study by Onapsis has revealed that two-thirds of businesses (relying on SAP and Oracle) have reported a breach in the last 2 years.

The numbers are indeed concerning and reveal one common theme – “out-of-the-box” ERP security controls (and audit mechanisms) do not provide the adequate controls and visibility necessary to protect PeopleSoft/SAP ERP data. Organizations should assume that it’s only a matter of time before they face a breach of their own.

So, why are ERP breaches becoming increasingly common? Where do existing, “out-of-the-box” security mechanisms fall short?

Lack of Insight into User Activity

What is a traffic reporter’s best friend? A camera. Why? Because traffic is made up of a multitude of vehicles moving in unison – until they are not! If a stall or backup is happening, traffic reporters rely on highway cameras to understand the origins of the incident – and to properly diagnose how long the delay might be for everyone else.

Keeping with the traffic theme… the level of visibility in legacy ERP systems resembles that of a tunnel (with only 2 cameras) – you watch the cars go in and you watch them come out – but what happens in the tunnel? You simply don’t know!

This level of visibility was once acceptable, but the rise in phishing tactics and the introduction of new data privacy mandates (ex. GDPR and CCPA) have put an emphasis on understanding precise data access and usage. Only knowing when a credential logs in – and then logs out (without understanding what happens “inside the tunnel”) has become a significant liability.

Is it possible that bad actors know they are not being watched? Yes, and the numbers (presented by Onapsis) reflect this new reality.

Slow Detection of Breaches (Time is $$$!)

The longer it takes to track down a breach, the riskier (and more expensive) it gets. According to an IBM study, companies take up to 206 days to identify a breach. After detection, remediation takes 73 days (avg.)

What difference does early detection make? – $1.23 million. That’s right – the study observes that companies who could detect a data breach in less than 200 days, saved more than $1 million on the total cost of the breach. Time indeed is money!

Surprisingly though, many organizations have yet to adopt a way to detect an ERP system intrusion quickly.

Infrequent Audits

Frequent audits can help reduce the risk of a security incident and prompt immediate action (should an incident arise). But are companies performing enough audits? In the survey conducted by Onapsis, “78% of respondents audit their ERP apps every 90 days or more.” Given the implications of a breach (unexpected downtime, compliance risk, and even diminished brand confidence), organizations must perform regular audits.

Conclusion

The IDC survey raises important questions related to breaches and security. It is now apparent that ERP system breaches are on the rise, and organizations have (2) choices – either accept their breach fate, OR seek solutions to integrate modern data security strategies into their legacy ERP systems.

Contact us to learn how granular security solutions can be integrated in your existing systems! Now is the time to be proactive!

