When companies and vendors talk about “enterprise security”, they invariably are talking about external threats – how to stop cybercrime, hackers, ransomware, and phishing attacks.
But very few people talk about enterprise security inside the organization – where the business applications are.
Don’t get me wrong: businesses need to lock down these outside threats, and there are great tools available to do that.
However, the fact remains that 65% of fraud is internal; it takes place inside the business, inside the business applications. The Association of Certified Fraud Examiners Report to Nations predicts the average company will lose $1.5M to fraud this year alone from internal threats – by employees who are using the company’s business applications. So true enterprise security means looking not just at the external threats to the business network, but also looking internally at your business applications – your ERP or accounting application, your HCM application, your CRM application, and any other specialized software you have to support other aspects of the business, such as the shop floor, supply chain, warehouse, etc.
At Fastpath, we think of enterprise security like a doughnut – a round exterior with a hole in the middle. Most CISOs and CIOs focus the security teams on the outside ring to keep out the external threats. But they don’t consider the hole in the middle where the business applications are. When these teams put their security plan in place, they should also include a line item to address internal threats and take an inventory of their critical business applications to determine where the real risk exists inside their organization.
The first step is to inventory your applications internally as part of a risk assessment exercise. That will help you determine the most critical data and where the biggest financial exposure is. Once that is completed, you can deploy the right tools to secure the applications commensurate with the amount of risk you are willing to accept. And your ERP or accounting software should be at the top of the list.
Your Intellectual Property is also high on the list. For instance, if you are a company that manufactures a product to a formula, that formula is your trade secret. While not an example of financial fraud in terms of segregation of duties, it still represents a significant financial loss if your IP is stolen from you.
When we talk about securing a business application, it’s not just about making sure only the right people have access, provisioning them securely, and following an established approval process. There is also making sure that, once that access is granted, there are tools in place to proactively review what the users are doing with that access and look for anomalies.
For example, if you notice a user conducting transactions at a time when that user is not typically online, perhaps on weekend nights, this can be an indication that suspicious activity is taking place. Being able to shut down user activity that occurs outside of normal business hours, or that originates from certain geographical locations, is a security technique that goes beyond simply provisioning user access to specific applications.
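As an added illustration of the off-hours and unusual-origin review described above (example code, not Fastpath's or the post's own), this Python script checks ERP audit-log records against a per-user baseline of normal weekdays, hours and countries. The user names, baselines and log entries are constructed sample data.

```python
"""Flag ERP transactions that fall outside a user's normal activity pattern.

Added example, not Fastpath's code: the baselines and audit log below are
constructed sample data, not records from a real system.
"""
from datetime import datetime

# Constructed per-user baselines: allowed weekdays (0=Mon), hour window, countries.
BASELINES = {
    "jdoe": {"days": {0, 1, 2, 3, 4}, "hours": (8, 18), "countries": {"US"}},
    "asmith": {"days": {0, 1, 2, 3, 4}, "hours": (7, 19), "countries": {"US", "CA"}},
}

# Constructed ERP audit-log records: who did what, when, and from where.
AUDIT_LOG = [
    {"user": "jdoe", "ts": "2021-03-02T10:15:00", "action": "AP_PAYMENT", "amount": 4200.00, "country": "US"},
    {"user": "jdoe", "ts": "2021-03-06T23:40:00", "action": "AP_PAYMENT", "amount": 9800.00, "country": "US"},
    {"user": "asmith", "ts": "2021-03-03T12:05:00", "action": "VENDOR_EDIT", "amount": 0.0, "country": "BR"},
    {"user": "asmith", "ts": "2021-03-04T09:30:00", "action": "JOURNAL_POST", "amount": 150.0, "country": "CA"},
]


def anomalies_for(record, baselines=BASELINES):
    """Return the baseline violations for one audit record (empty list if normal)."""
    base = baselines.get(record["user"])
    if base is None:
        return ["no baseline for user"]  # unknown accounts deserve review, not silence
    ts = datetime.fromisoformat(record["ts"])
    reasons = []
    if ts.weekday() not in base["days"]:
        reasons.append("outside normal weekdays")
    start, end = base["hours"]
    if not (start <= ts.hour < end):
        reasons.append("outside normal hours")
    if record["country"] not in base["countries"]:
        reasons.append(f"unexpected origin country {record['country']}")
    return reasons


def review_log(log=AUDIT_LOG, baselines=BASELINES):
    """Return (record, reasons) pairs for every record that violates its user's baseline."""
    flagged = []
    for record in log:
        reasons = anomalies_for(record, baselines)
        if reasons:
            flagged.append((record, reasons))
    return flagged


if __name__ == "__main__":
    for record, reasons in review_log():
        print(f"{record['ts']} {record['user']:8} {record['action']:13} -> {', '.join(reasons)}")
```

In practice the baselines would be derived from each user's own login and transaction history rather than typed in by hand, and flagged records would feed a review queue rather than a print statement.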
Recently, Frank Vukovits met with Boris Agranovich of Global Risk Communities to discuss the security concerns of companies as they re-open their offices after the COVID pandemic. Listen to the full podcast here.