Security is never a sexy topic. It costs money without directly adding value to your business and processes. In the best case, it’s unobtrusive, not requiring huge efforts to run – like that dental insurance you hope you’ll never need.
Alas, security threats have the potential to cause more harm than a passing toothache. This is particularly true for the information held by your organization: a critical and valuable asset, which makes it a potential target for people with criminal intent.
As I have described in a parallel blog, the threat is real and tangible:
- The probability of falling victim to an attack may not be very high at this point, but security threats look set to rise over time, and those least prepared must expect to be hit hardest.
- The damage associated with data theft is hard to pin down, but it can quickly reach painful levels or even threaten an organization’s existence.
- Data security incidents are (not very surprisingly) quite often perpetrated by insiders, not just hackers. This is a problem in itself, as “an insider threat is a thousand times worse than a hacker threat because it is so hard to defend against,” as The Economist quotes security expert Christopher Hadnagy.
In this light, it is worthwhile to think about ways to mitigate the risk posed, in particular, by insiders bent on stealing data. As Wirtschaftswoche (Business Weekly, a German print magazine) comments, the damage potential from data leaks can be lowered considerably through “modest” investment in preventive measures.
I tend to agree with this statement for the following reasons:
- If you invest, invest primarily in preventive measures, because the best data security leak is the one that doesn’t happen; all others are bad, to different degrees. Second to that, consider measures that help manage and mitigate the damage: if you can at least detect and plug a leak early, the fallout may be easier to manage.
Without both, you might face the worst-case scenario: someone else detecting an issue before you do, while you are unable to identify the source or even to report what information you lost.
- Modest investment can considerably lower the damage potential. A finding by KPMG is that 70% of respondents surveyed for the 2014 Business Crime in Germany report see themselves at “low” risk of a data leak (but 82% see others at high or very high risk). If the truth lies somewhere in between, this discrepancy in perceived risk implies that organizations tend to underestimate their own risk exposure.
This brings about a structural risk: as organizations overestimate their own security measures, they systematically underinvest in further protection. And indeed, KPMG point out that almost all (85%) of respondents think they are well protected, and almost none (11%) were considering “sizeable” investment (where sizeable was the equivalent of a nice middle-class car) in data security. If this situation has persisted for a few years, we can assume that organizations (at least in Germany, but in all likelihood elsewhere as well) are less well protected than they think, and that there should be low-hanging fruit, i.e. sizeable gains in data security at relatively low cost.
- Before we are completely submerged in academic reasoning, let me come to the third point. It appears most reasonable to recommend investment in measures designed to counter the risk of internal data leaks.
As I work out in another blog, the SAP standard software and ecosystem, while providing functionality to counter external attacks, does not offer comparable functionality to safeguard against malicious insiders. This is where two solutions from SAP Custom Development come in, UI Logging and UI Masking (UI Field Security), which can provide for your security needs in SAP systems.
In this light, the suggestion from Wirtschaftswoche seems reasonable. Hope is not a strategy that helps you prevent, or deal with, bouts of toothache. Better to take appropriate measures from a holistic perspective, like brushing and flossing your teeth properly as well as seeing your dentist regularly.
Your holistic data security concept, based on a sound risk assessment, would likely also encompass a host of measures aimed at both hacker attacks and insider threats. And especially for the latter, “a thousand times harder to defend” against, you may consider looking into the solutions mentioned above:
- UI Logging is a “soft” approach to data security for cases where it is not sensible to technically restrict users’ data access. It enables you to log exactly which data a user received from a system, and to analyze the log. Compare it to a speed camera: it both discourages users from opportunistic speeding and provides a tool for identifying deliberate offenders.
- UI Field Security/Masking is the “strong” approach, technically preventing specific data from reaching certain users by masking data values partly or completely. To stay true to the above analogy, with UI Masking you fit a speed limiter (or take off a car’s wheels, depending on the configuration).
Let me wish you a Merry Christmas and a toothache-free New Year!