Cybersecurity and data protection are, unfortunately, a common afterthought for many organizations. While enterprises often prioritize integrating the latest SAP technology, maintaining healthy cyber hygiene rarely appears in company policy.
A recent report from our sister site SAPinsider, which gathers the collective expertise and experience of cybersecurity professionals, sheds light on what those experts believe should be prioritized and which measures achieve the strongest protection. One example: empowering, equipping and educating the everyday worker is vital for maintaining robust data protection.
ERP Today sat down with Marty Menard, CIO of West Coast-based, privately-owned construction and manufacturing company, Pacific Coast Companies, and delved into his over two decades of experience and tech expertise to gain some perspective on some of the top cybersecurity issues, challenges and solutions facing tech leaders today.
Data protection is king
SAP software is wide reaching and versatile, with data in SAP systems making up some of the most valuable information for some businesses. Therefore, when considering a shift to a more technologically intensive, potentially cloud-based platform, it’s paramount that crucial SAP data is protected. SAPinsider’s Cybersecurity Priorities report seems to reflect this sentiment: 57 percent of the cybersec professionals surveyed agree that data protection is the most important cybersecurity priority today.
It’s easy to see why. When brand image can make or break a company, customers need to know that their data is inaccessible to nefarious parties while it is stored in a client firm’s systems. A single instance of shoddy security, such as an easily preventable data breach, can be a portent of disaster: mid-scale businesses risk completely unraveling if they don’t have versatile security measures.
“This may be a contrarian view, but I think it’s always been about either money or brand,” says Menard, reflecting on the motivations behind cyber attacks. “Why are people trying to break into your company? They’re trying to take money away from you […] or they’re trying to impact your brand. Your partners and your customers start to lose confidence in you. I think that’s always been a motivator for nefarious and third-world countries trying to break in.”
The dangers of human-engineered cyber attacks
Overall attitudes toward data protection seem to drive which aspects of digital security get prioritized, and the focus on data protection has spread to encompass several other security areas. After data protection, the factors cybersecurity experts ranked as most in need of prioritization were risk assessment and management (second), identity and access management (third), security awareness training (fourth) and threat intelligence awareness (fifth). Each of these ultimately comes down to needing more robust data security measures, or to making workers more aware of simple data protection practices.
Security awareness training, in particular, is something Menard focuses on. “They [cyber attacks] are certainly getting more sophisticated. Statistics recently said that 96 percent of all hacks start with an email phishing campaign, connected by an employee who wasn’t paying close attention and naively creating a problem for an enterprise.”
Knowing that the genesis of most data breaches allegedly lies in an employee mistake shines a bright light on the biggest weakness of all digital enterprises: humans. While such a statement can be alarming when pulled out of context, it is an unfortunate reality that hackers prey on the naive and easily fooled. With attackers using human-engineered (social engineering) approaches to refine their trickery, it is harder than ever to spot a sophisticated phishing attempt. Human-engineered attacks are insidious and specifically designed to trick someone into clicking something they shouldn’t.
Any hacker with enough tech savvy only needs to scan a company’s LinkedIn page and website to gather everything they need to craft a targeted phishing attack. The unfortunate reality of phishing is that everyone is a potential victim, from the admin intern in the basement to the board member on the top floor. Everyone is vulnerable if they lack the necessary knowledge.
As an example from Menard demonstrates, it doesn’t matter where an employee falls in the chain of command; if anything, those in higher positions are more at risk, because a higher profile means more potentially compromising data can be found online and leveraged by attackers.
“We had one of our presidents recently, as much training as they’ve got, use the same password for their bank account as they did for [other things],” Menard says. “The bank stopped a payment of around $10,000 that was going to go to a credit card that someone had been able to figure out the passwords for. Luckily, the bank caught it, but that’s a perfect example of a high-ranking employee who should know better and still makes the same mistakes.”
The three pillars of data protection
Knowing that data protection is a major priority for cybersecurity experts, and a juicy target for hackers, it is essential that firms, especially mid-scale enterprises that cannot afford to weather the media outrage or client drop-off of a data breach, make cybersecurity part of their operating models.
Thankfully, Marty Menard shared with ERP Today the three aspects he believes all enterprises need to consider when weighing up their data security measures, starting with:
1. Have a clear connection to the company board/leadership
“I think the ability to have a connection to your parent board, and having a committee, has been super beneficial for me,” explains Menard. As anyone who has worked in an office environment knows, getting sign-off or approval on a project can take a frustrating amount of time as it passes through several stages of scrutiny before potentially reaching the board.
At Pacific Coast, however, Menard has a point of contact on the parent board for monthly updates to company leadership.
“It provides me with the cover I need,” Menard says. “It eliminates a lot of the conversation about why we’re spending what we’re spending on cyber and other things. It really gets their attention because, at the end of the day, especially if they’re a public company, they’re accountable to the shareholders.”
By having a direct line of communication with company leadership, it’s far easier to express the importance of data protection measures.
2. External auditors can provide a vital outside perspective
Employing the services of external experts and auditors can be an effective way to spot security gaps, while also providing trustworthy, expert insight that carries weight when findings are presented to leadership.
“The external assessments that we bring in and have somebody come in and dig through our environment, really help us provide an understanding about the progress we’re making and where threats have changed, because threats are changing constantly. Doing those annually is a big part of a necessary and sufficient step that people should do,” says Menard.
For Pacific Coast, Menard formed a cybersecurity committee consisting of the company’s COO and CFO, a family member from the board and three external IT professionals (CIOs or CTOs). The committee reports directly to the board and meets six times a year to review recent technology and discuss any new developments.
3. Employee knowledge
Hackers will worm their way into enterprise networks wherever they can, but some of their attacks are only effective if the workforce is unaware. Many human-engineered attacks start by impersonating an existing member of the company and requesting something that doesn’t seem out of the ordinary. Several messages may be exchanged to lull the victim into a false sense of security before a dangerous link is finally presented.
“Make sure you’re on top of your employees, that they understand exactly their role in keeping the company safe,” says Menard. Regular testing, feedback and reinforcement of common cybersecurity knowledge could be the factor that determines whether a hacker sticks around to try their luck or moves on to much easier prey.
If enterprises don’t take their data protection seriously, they run the risk of irreparably damaging a brand while also inviting legal issues from incensed former clients. Taking a proactive step towards cybersecurity and data protection can enable companies to save themselves time, resources and money.
Rizal Ahmed is CIO Leader, WIS; Charles Whitmore is Cybersecurity Editor, ERP Today