According to 451 Research, 64% of executives around the world — and 74% of those in the US — believe that adhering to compliance requirements is an effective way to keep data secure. This statistic is startling. An organization that only bases its data security on compliance standards can create gaps in protection, an increase in risks, and costly data breaches.
In fact, a 2019 report from IDC shows just how susceptible data can be to hackers, finding that 64% of mission-critical applications, such as enterprise resource planning (ERP) systems, have been breached in the last 24 months. These breaches compromise sensitive private information, including sales, human resources, customers’ personally identifiable information, intellectual property, and financial data.
The truth is we live in a market with increasing risks of cyberattacks on core business functions. Whether tasked with protecting and adhering to standards for software-as-a-service applications or ERP systems, security teams need to understand the hidden security and compliance risks of mission-critical business applications.
Siloed and Incomplete Assessments
Today, every organization performs audits and security assessments differently. Take internal audits, for example. An organization will conduct a risk assessment in a particular way based on a specific set of criteria. The same goes for security, IT, risk management, and a slew of other departments. Each of these groups thinks about risk differently and can view business-critical application risk through a completely different lens. Security may focus on vulnerabilities, IT may focus on availability, and finance and audit teams may focus on the integrity of the financial statements and internal controls over financial reporting. Each of these comes with a unique set of risks to mitigate.
While a comprehensive risk assessment might seem like a good idea for an organization, there may be a lack of communication and standardization across departments, which often leads to siloed reports. This partial alignment makes it impossible to have a complete picture of application and company risks and vulnerabilities.
Hidden and Missing Risks
What do these siloed assessments look like in real life? From a security perspective, teams are likely to assess the application through penetration testing, vulnerability and patch scans, custom code reviews, and threat landscape surveillance. These checks help security teams uncover known and potentially unknown vulnerabilities that would affect the overall security posture of the application and organization, yet this is only a piece of the puzzle.
When organizations look at mission-critical applications from an audit perspective, they usually focus on a couple of areas. User provisioning is a top target, covering tasks such as adding and removing users, identifying what employees are “super users” and establishing visibility into constantly shifting roles and permissions. Change management is another area of focus, covering how, when, and where change is happening in an application.
For example, if an employee requests a change in the business application, such as needing a new revenue report by geography, IT will check the user’s privileges to see if that person has the appropriate delegated approval or authority to view the data, then develop the code for the custom report, test the code, and ensure the employee gets the right information when generating the report. In addition, IT will add a new privilege to the user to execute that new report.
Each step is documented in a ticket, so businesses can easily review the change. Was there a request? Was it developed and tested? Did the person who developed and tested the application have the necessary permissions to move it into production? This provides a simple string of tickets that show evidence that the correct process was followed, but does not specifically address the changes themselves.
However, no program today considers the following risks, which creates a large security blind spot in the industry:
- Authorization administration: Was a user with high privileges following the necessary guidelines? Are other nonproduction users able to execute it?
- Interfaces administration: Can users from other systems execute the new functionality remotely? How can we limit that kind of access?
- Custom code development: Is the code generated for a particular request actually doing what it says? Does the new code always have the same behavior regardless of who is executing it?
- Code migration: When code is pushed into production, is it bypassing authorizations and controls? Does the migration include only the new report? Or is there something else as part of the migration?
These are just some of the hidden risks within the code and deployment process of mission-critical business applications that can be abused and used to bypass authorizations and control. For instance, as cited in the example above, an individual could program the custom code to send the report to a personal email any time it’s generated, creating an easy workaround to insider trading. That change, if undetected, will exist in that code forever.
Unifying Processes and Procedures
Security teams need to unify the processes and procedures associated with gaps in compliance, protection, and risk for applications.
The first necessary step is to start engaging cross-functional business units, such as finance, audit, IT, and compliance teams to address incomplete assessments and missing vulnerabilities. Think of creating a steering committee that will own the project and ensure its continued success.
Additionally, outside of department support, leading application testing and security software can help organizations understand and track baseline application behaviors to flag requests that might be out of the norm. These systems can be configured to prevent certain changes from happening, or notify teams when they do, providing the visibility organizations lack today.
As with every strategy, it’s also important to understand that each company is going to have a different approach based on unique business needs. Security teams should start with the most sensitive data and applications. From there, break down the approach into small, easily digestible, bite-sized pieces.
As far as measuring success, recurring meetings and measuring progress against deliverables can help ensure that risks are mitigated and an organization’s applications are protected.
Today’s enterprises depend on mission-critical applications to keep them productive, help better serve customers, and keep up with demand. By addressing issues early, setting the stage with a dedicated steering committee, and uncovering unknown risks faster, companies can continue success without damage to the brand, bottom line, or compliance procedures.
Brian Tremblay is the Compliance Practice Leader at Onapsis, where he is responsible for helping customers understand and navigate the challenges and opportunities created by the increasing overlap of compliance, cybersecurity, and business continuity related to IT General … View Full Bio