3 Billion Reasons To Do More Than Just Secure The Perimeter

By: Jeff Hare, CPA CISA CIA


Most organizations have mature processes and controls for preventing a breach of their internal systems, what we refer to as "securing the perimeter." The thinking is: keep the bad guys out of our network and our data is protected. Or at least management assumes this is the case.

Note: A Bloomberg Law article reported that personal data belonging to as many as 2.9 billion people may have been stolen from National Public Data, a background-check company.


The Problem

However, modern cloud business applications such as ERP/HCM Cloud, Salesforce, and Workday are internet-facing. That is what allows work-from-home users to log into these systems from outside the organization's firewall.

Presumably, the software provider secures the "perimeter" of these Software as a Service (SaaS) applications. However, fraud and data security risks remain inside that perimeter, and management may not have addressed them or even be aware of them.

Management should actively configure these systems and continuously monitor them to ensure they remain secure and effective. Failing to do so may lead to a breach resulting in fraud and/or the theft of PII (Personally Identifiable Information) or PHI (Protected Health Information).

Management must also implement appropriate security through role design and segregation of duties to prevent a threat actor from committing fraud.

Additionally, traditional methods of verifying identity during password resets rely on personal details such as date of birth, address, and Social Security number. If that data has been exposed for 2.9 billion people, those methods can no longer be trusted to prove who is on the other end of a reset request.

The MGM breach in 2023 was a stark reminder of this. A threat actor can impersonate an administrator of an organization and talk their way into administrative access without having to "hack" a password. In our article on the MGM breach, we recommend several actions for management.

Organizations using internet-facing SaaS applications for their Financials and HCM requirements need to sit up and take notice of these new risks.


What Can You Do

Here are nine things your organization needs to do today!

  1. Identify the distinct categories of users who have access to these systems. This may include employees, ex-employees, retired employees, contractors, customers, partners, and vendors.
  2. Rethink how you are going to verify the identity of anyone requesting access to your system(s), especially those with administrative privileges. Retrain your help desk and support staff as soon as possible.
  3. Identify which configurations are critical to your Single Sign-On (SSO) and Multi-Factor Authentication (MFA) setup. Review these configurations to make sure they meet your requirements and corporate objectives.
  4. Identify which users or groups of users are not required to use your SSO / MFA provider when authenticating into your system(s). Consider additional security measures for provisioning these users and resetting their passwords.
  5. Identify which roles and users have "administrative" privileges. Strong password controls, a password rotation process, and MFA reduce the risk of these accounts being compromised. Consider implementing a Privileged Access Management (PAM) solution for administrative and service accounts.
  6. Determine whether your SaaS provider has sufficient logging of the configurations underlying your security program. (Note: some providers have woefully inadequate logging.)
  7. Integrate the logs into your Security Operations Center (SOC) / SIEM process. This keeps constant visibility into admin access and the configurations critical to maintaining your security posture.
  8. Determine whether your SaaS provider has sufficient logging AND retention for view-only (read) access to PII and PHI data.
  9. Proactively monitor for unauthorized access to PII and PHI data.
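Steps 4, 5, 7 and 9 above amount to running detection logic over the SaaS audit log once it reaches the SIEM. The script below is an added example, not code from the original article or from any SaaS vendor. It assumes a JSON Lines export with the fields shown (`ts`, `user`, `role`, `event`, `auth`, `object`, `record`); real providers use their own schemas, so the field names, the administrative roles in `ADMIN_ROLES`, and the objects in `CRITICAL_OBJECTS` are placeholders to be mapped onto your tenant. The sample events are constructed for the example and flag three things: administrative logins that bypassed SSO/MFA, changes to security-critical and payment configuration, and one user pulling an unusual number of PII records in a short window.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for this example; take yours from step 3 (critical SSO/MFA
# configurations) and step 5 (administrative roles) of the list above.
ADMIN_ROLES = {"Security Admin", "Integration Admin", "Application Admin"}
CRITICAL_OBJECTS = {"SSO_Bypass_Users", "MFA_Policy", "Supplier_Bank_Account", "Role_Assignment"}
STRONG_AUTH = {"sso_mfa"}          # auth methods that count as SSO + MFA
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse a JSON Lines audit export into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        events.append(ev)
    return events


def admin_logins_without_strong_auth(events):
    """Steps 4/5: logins by administrative roles that did not use SSO + MFA."""
    return [ev for ev in events
            if ev["event"] == "login"
            and ev["role"] in ADMIN_ROLES
            and ev.get("auth") not in STRONG_AUTH]


def critical_config_changes(events):
    """Steps 3/7: any change to the objects that hold up the security posture."""
    return [ev for ev in events
            if ev["event"] == "config_change" and ev.get("object") in CRITICAL_OBJECTS]


def bulk_pii_views(events, threshold=25, window=timedelta(minutes=10)):
    """Step 9: users who viewed more than `threshold` distinct PII records inside
    any sliding `window`. Returns {user: peak distinct records in a window}."""
    per_user = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "view_pii":
            continue
        q = per_user[ev["user"]]
        q.append((ev["ts"], ev.get("record")))
        while q and ev["ts"] - q[0][0] > window:   # drop views outside the window
            q.popleft()
        distinct = {rec for _, rec in q}
        if len(distinct) > threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(distinct))
    return flagged


def triage(text):
    """Run all three checks over a raw log export and return the findings."""
    events = parse_log(text)
    return {
        "weak_admin_logins": [(e["user"], e["auth"]) for e in admin_logins_without_strong_auth(events)],
        "critical_changes": [(e["user"], e["object"]) for e in critical_config_changes(events)],
        "bulk_pii": bulk_pii_views(events),
    }


def _constructed_sample():
    """Constructed sample log (not from any real system), one event every 9 s."""
    base = datetime(2024, 8, 19, 8, 0, 0)
    rows = [
        {"user": "alice", "role": "Payables Clerk", "event": "login", "auth": "sso_mfa", "src": "10.0.4.21"},
        {"user": "svc_integration", "role": "Integration Admin", "event": "login", "auth": "password", "src": "203.0.113.9"},
        {"user": "svc_integration", "role": "Integration Admin", "event": "config_change", "object": "SSO_Bypass_Users", "detail": "added bob"},
        {"user": "bob", "role": "Security Admin", "event": "login", "auth": "password", "src": "198.51.100.7"},
        {"user": "bob", "role": "Security Admin", "event": "config_change", "object": "Supplier_Bank_Account", "detail": "ACME Corp bank account replaced"},
        {"user": "dave", "role": "Security Admin", "event": "login", "auth": "sso_mfa", "src": "10.0.4.30"},
    ]
    # carol looks up 5 employee records (normal); erin pulls 40 in about six minutes.
    for i in range(5):
        rows.append({"user": "carol", "role": "HR Analyst", "event": "view_pii", "object": "Employee_SSN", "record": f"E{1000 + i}"})
    for i in range(40):
        rows.append({"user": "erin", "role": "HR Analyst", "event": "view_pii", "object": "Employee_SSN", "record": f"E{2000 + i}"})
    lines = []
    for i, row in enumerate(rows):
        lines.append(json.dumps(dict(row, ts=(base + timedelta(seconds=9 * i)).strftime(TS_FMT))))
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample data the triage reports the service account and `bob` logging in with a password only, the addition of `bob` to the SSO bypass list followed by a supplier bank account change (the payment-redirection pattern described in the conclusion), and `erin` viewing 40 distinct SSN records in one window. Tune `threshold` and `window` to your own baseline; the sliding window keeps a slow, steady scrape from hiding behind a per-hour count.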


In Conclusion

In today's SaaS environment, the traditional approach to cyber security is wholly inadequate. The nature of these internet-facing applications has changed the entire landscape. We know of organizations that have lost seven figures to threat actors. Threat actors target SaaS systems, hijack payment processes, and redirect the funds to fraudulent bank accounts.

If you still doubt these risks, the latest breach should give you three billion more reasons to be concerned. Is that convincing enough?



About ERP Risk Advisors

ERP Risk Advisors identify, manage, and mitigate risks, including addressing cyber security risks for SaaS applications. Find out more about our risk content and services at: www.erpra.net
