Five ignored practices that can disarm your cybersecurity time bomb
Year after year, data breaches become messier, bigger, and more dangerous – and no business or person is immune from cybersecurity attacks.
In fact, any form of cyber crime can impact over half of the world’s population. That’s roughly 3.8 billion people, up from 2 billion in 2015 – and that attack population will grow to 75% as another 2.2 billion people gain access to the Internet by 2022.
Considering the risk, consumers are always shocked to hear that the companies they love exposed their information by missing much-needed patches, ignoring back-door vulnerabilities in their IT architecture, and choosing weak passwords. Furthermore, a good portion of these incidents are preventable. For example, delaying one patch update by as little as six weeks could lead to data theft that impacts hundreds of millions of people in a matter of minutes.
“News headlines warn companies of all sizes that they are putting themselves at risk literally every day,” observed Virtual Forge CEO Markus Schumacher during the Webcast “Achieving Baseline Security Within the SAP Environment,” hosted by Americas’ SAP Users’ Group (ASUG). “If executives fail to implement good controls and ensure that safeguards are in place and effectively used, they are not doing their jobs.”
Businesses often overlook system configuration, custom code, and transports even though most CEOs are aware of the guidelines to keep their systems secure. Unfortunately, failure in any of these areas introduces security risks.
To address these preventable cybersecurity risks, executives should reconsider five fundamental practices for maintaining the security integrity of IT landscapes.
1. Governance, risk, compliance (GRC) of authorisations
Functional and technical users need to be managed in a manner that ensures proper and secure access to the right information, when and where they need it. GRC considerations include restriction of standard users and profiles, segregation of duties, remote function call (RFC) interfaces, user provisioning and decommissioning, data encryption, and the secure use of cryptography. Businesses can also address their password policies by implementing best practices and single sign-on capabilities.
2. Setup security
The organisation and maintenance of the IT landscape – as routine as it may sound – can significantly impact the security of your systems, data, and brand reputation. In this case, the IT organisation should prioritise the installation of all security patches, monitor security settings continuously on all systems, secure RFC and all other interfaces, and implement end-to-end encryption.
3. Security of custom code
Since companies are unique in how they operate, serve customers, and approach the industry, every IT landscape will always have one or more applications with custom code. The rule for ensuring a secure software development lifecycle is to scan all custom and third-party code early and often. After identifying an exposure, the IT department should perform risk-based assessments and resolutions immediately.
4. Infrastructure security
When hacking a system, most cybercriminals attack the operating system (OS) and database (DB) first because they are the easiest to infiltrate. For this reason, it is important to patch and update the OS and the DB without undue delay and to enforce strong-password practices for this layer. Additionally, profile parameters should be continuously monitored and controlled, as should routers, Web dispatchers, gateways, and Java systems.
5. Change management
During development, testing, and production, companies must securely transport code without the risk of intrusion and corruption. Whether received from an internal or external source, all transported content should be inspected before the next stage in the release process. Otherwise, preventable risks may be introduced to the target system. Additionally, it is critical to remain vigilant by encrypting communication and controlling transport paths to meet business needs.
The vulnerability of systems to cyberattacks is nothing more than a ticking time bomb. Missing any aspect of cybersecurity puts everyone at risk. For the good of the business, their employees, their customers, and the economy, executives need to rethink their cybersecurity strategies now to protect the company from preventable breaches and the consequences that will follow an attack. For more information, please visit www.deloitte.com/mt