Security and compliance are a hot topic these days, which is why SAP Insider sat down with the SAP experts at Fastpath for a webcast Q&A on the topic of building a security and compliance program for SAP landscapes. This blog series offers valuable insights into dealing with security and audits.
Security and Compliance for SAP, Part 6: Internal Fraud
With SAP’s built-in functionality, supported by technology like Fastpath and experts in security, you can take the pain out of the process. By implementing processes, taking a risk-based approach, and getting the right controls in place, you can meet the demands of your auditors and ensure you have a top-notch security program. The series so far includes:
- Part 1: Using processes and a risk-based approach
- Part 2: How to handle custom transaction code
- Part 3: How to talk to auditors about non-SAP systems in an SAP landscape
- Part 4: Granting user access – who, why, and how much
- Part 5: Ownership of your security program and its budget
Part 6 discusses why it’s important to protect internal as well as external security.
SAP Security: Internal Security is Just as Important as Cybersecurity
There is a lot in the news about cybersecurity. But what about internal security over data and transactions? Isn’t that just as important?
Unfortunately, with the marketing of cybersecurity services and the steady stream of scary news stories about external threats and hackers, cybersecurity gets all the attention. Those are legitimate threats, but 60 to 70 percent of the fraud that takes place today is internal. A breach from an internal source might not make for an exciting headline, but it can still cause very serious damage.
It is important to have a balance of controls: not only controls that address external threats, but also controls that address internal threats, which is where that 60 to 70 percent number lives. The weak spots are the traditional finance and accounting controls: segregation of duties that is not enforced, user access reviews that do not happen, and elevated access or privileges granted to individual users and never taken back. That goes back to who owns security, which is why it is critical that your executives are all on the same page about how your organization addresses it.
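A segregation-of-duties check is the concrete form "the right controls" take for the first of those three weak spots. The following is an added example, not code from the original post, from SAP or from Fastpath: it computes each user's effective transaction codes from their roles and flags any user who holds both sides of a conflicting pair, then reports which single role removal would clear the conflict. The users, roles, transaction codes and the ruleset are all constructed for illustration; the two dictionaries only loosely mirror the role-to-user and role-to-transaction data you would export from an SAP system, and the rule names are hypothetical.

```python
"""Segregation-of-duties (SoD) conflict check over SAP-style role assignments.

Added example, not from the original post, SAP or Fastpath. All data below is
constructed; the SoD ruleset is hypothetical, not a standard SAP or Fastpath one.
"""
from collections import defaultdict
from itertools import product

# Constructed: transaction codes each role grants (roughly the shape of a
# role-to-S_TCODE export; the role names and contents are made up).
ROLE_TCODES = {
    "Z_AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_PAYMENT_RUN": {"F110"},
    "Z_GL_DISPLAY": {"FB03", "FBL3N"},
}

# Constructed: user-to-role assignments (roughly the shape of a role-to-user export).
USER_ROLES = {
    "jdoe": {"Z_AP_INVOICE_ENTRY", "Z_VENDOR_MASTER"},
    "asmith": {"Z_AP_INVOICE_ENTRY", "Z_PAYMENT_RUN"},
    "bjones": {"Z_GL_DISPLAY"},
}

# Hypothetical SoD rules: (rule name, activity A tcodes, activity B tcodes).
# One person holding any tcode from A and any tcode from B is a conflict.
SOD_RULES = [
    ("maintain vendor master + enter AP invoices", {"XK01", "XK02"}, {"FB60", "MIRO"}),
    ("enter AP invoices + run payments", {"FB60", "MIRO"}, {"F110"}),
]


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of the tcodes granted by every role assigned to the user."""
    codes = set()
    for role in user_roles.get(user, ()):
        codes |= role_tcodes.get(role, set())
    return codes


def find_sod_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Return {user: [(rule name, (tcode from A, tcode from B)), ...]} for every
    user whose effective access contains a tcode from both sides of a rule.
    Users with no conflicts are omitted."""
    findings = defaultdict(list)
    for user in sorted(user_roles):
        have = effective_tcodes(user, user_roles, role_tcodes)
        for name, side_a, side_b in rules:
            for a, b in product(sorted(have & side_a), sorted(have & side_b)):
                findings[user].append((name, (a, b)))
    return dict(findings)


def roles_that_clear(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Roles whose removal (on its own) would leave the user with no SoD conflict.
    Gives the access reviewer a least-privilege remediation to choose from."""
    clearing = []
    for role in sorted(user_roles.get(user, ())):
        trimmed = {user: user_roles[user] - {role}}
        if user not in find_sod_conflicts(trimmed, role_tcodes, rules):
            clearing.append(role)
    return clearing


if __name__ == "__main__":
    for user, hits in find_sod_conflicts().items():
        print(f"{user}: {len(hits)} conflict(s)")
        for name, (a, b) in hits:
            print(f"  {name}: {a} + {b}")
        print(f"  would clear: {', '.join(roles_that_clear(user))}")
```

Run against real exports, the role-to-tcode map is the expensive part: it must be built from the roles' authorization data (S_TCODE values, including anything inherited from composite or derived roles), not from role names, or the check quietly misses access that was granted the way it usually is. Conflicts that the business knowingly accepts for a small team should be recorded as exceptions with a compensating control and an owner, not deleted from the ruleset.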
Many executives are pushed to purchase very expensive cybersecurity solutions and may then operate on the false premise that they are covered from a fraud perspective, without realizing they still need to get the right internal controls in place. In short, make sure your security plan encompasses both internal and external threats.
Don’t just focus on cybersecurity in your security program. Remember to focus just as much energy and resources on internal security.
Stay tuned for additional blogs in this series. Want them all at a glance? Check out the first blog which will have all 9 links once they are all published.