Associated
Risks
|
||
Buying
|
Subscribing
|
Leasing
|
· Selecting
an ERP system that is not a good fit for your company or will not meet the
needs of your company
· Choosing
program leadership that is too low in the organizational structure. Leadership should incorporate C-level
leadership
· Looking
at an ERP project as an IT project rather that a business project. ERP systems affect multiple aspects of the
company
·
Ignoring the need
for talent experienced in the selected ERP
· Underestimating
the ERP project timeline. It can take
several months to a year to have the ERP system up and running
|
·
In
addition to the risks outlines in “Buying”, employees may also have the
ability to download applications that IT is not aware of and out of the
purview of IT known as “Shadow IT”
· Cloud capabilities used for customer based applications
and may not have the security best practice
· If the employee or customer uploads confidential
information to these applications, the data may be highly vulnerable to a
breach and may lead to non-compliance to government or regulatory bodies
|
·
SAP does
not have a leasing option
|
When deciding on ERP software, it is imperative to asses any risks that may be associated with various options (buying, subscribing, leasing). Exposing IVK to any security or privacy risks would be determined to the company at this juncture. Below are some highlights of the associated risks with SAP ERP.
If we analyze how these risks would apply to IVK’s decision to purchase SAP ERP, there are a few key takeaways:
- IVK fortunately has the involvement of the CIO and considerable interest of a board member, so if they decide to purchase SAP, they will have the support of C-level leadership.
- This may pose as a risk for IVK as the company still sees IT as separate rather than incorporated within the organization
- The IVK IT department is still under scrutiny and may not have the support for adequate recruitment; it may be difficult for this to be seen as business project
Privacy Issues
While utilizing a program such as SAP ERP to connect all of your various business systems may sound great from an operational perspective, this program does generate quite a few concerns for privacy issues. In 2013, US Investigations Services (USIS) was attacked and the background check information for thousands of government personnel was compromised. This was executed via an exploit in the SAP system. By implementing SAP ERP software, IVK does run the risk that their customer data could be compromised if they were to experience such a security breech. This could lead to loss of clients and even potential lawsuits.
From an employee perspective, there is a need to be proactive when it comes to potential privacy issues. With SAP ERP systems, it is imperative to have third party security and also to limit the amount of users that have access to the system. Pivoting, portal attacks, and database warehousing have found to be the most common ways that SAP ERP systems are compromised and IVK should focus on how to prevent these types of security breaches. Concepts such as Role-Based Access Control which defines roles and grants certain access rights should be explored by IVK as a way to limit potential security issues.
Finally, from a vendor perspective, there is the possibility that the vendor’s security may be compromised by doing business with IVK. In the USIS security breech, the Office of Personnel Management had contracted USIS to do the background checks for government personnel. By exploiting the SAP ERP system used by USIS, OPM was also at risk for a security breech. If IVK cannot convince its vendors that their system is up to date against the most advanced of cyber-attacks, they could potentially lose several business relationships.
Security Issues
Recently there have been some security issues at IVK due to the DoS attack. Therefore IVK should focus more on maintaining its systems in order to provide better security for the company but also for the customers and other stakeholders.
There are five main potential security issues of SAP ERP system:
1. Outdated, unsupported software can lead to crashes and
integration issues
2. Insufficient reporting capability can lead to external reporting
and a loss of data control
3. Technical personal and providers have access to make large scale changes to program behavior
4. Delayed updates can lead to software vulnerabilities
5. Lack of compliance with security standards
(Bluemner, 2013)
We also have to look how to reduce potential security issues from a behavioral perspective. For decades, companies tried to educate employees on security awareness but often failed. The most important aspect is to embed behaviors that reduce information security risks. The following ten tips provide a useful approach on how to avoid security risks from a behavioral perspective:
1. Let risk drive information security solutions
2. Continue to look for alternative processes
3. Embed positive information security behaviors
4. Empower people to make information security decisions
5. Set a realistic timeframe for changing security behaviors
6. Aim for “stop and think” approach to security
7. When communicating security behaviors, move from “tell” to “sell”
8. Tap into the right skills to define and implement security solutions
9. Identify and integrate security champions into your efforts
10. Hold people accountable for security behaviors
(Olavsrud, 2014)
According to these recommendations, IVK should try to embed positive security information behaviors in its employees. This is especially important for Barton because as the CIO, he is responsible not only for his actions, but also the actions of the IT department. The DoS attack at IVK was a useful experience for Barton and his team at a very early stage in his position as the new CIO. This crisis is a good occasion to implement new behavioral approaches. However, Barton and his team as well as other managers have to be aware of the increased length of time it takes to effect lasting change for security behaviors as it may take 3 to 5 years (Olavsrud, 2014). As a result, the IT department should set a realistic timeframe for change. Barton should not put himself under pressure to have the expectation of solving all the security issues immediately.
Risks in Relation to Estimated Benefits
Although there are many benefits for IVK of implementing SAP’s ERP system (as discussed in TA4), there are dangerous security risks related primarily to implementation and management of data. The main benefits are increased efficiencies, revenues, decreasing costs as well as improved customer satisfaction, decreased stress, and increased satisfaction for employees and better collaboration and decision-making processes within the same and different business units. For example IVK has to minimize security risks not only in order to guarantee customer satisfaction but also to avoid customer dissatisfaction (which would be the worst case).
Risk management and securing customer data does not only give benefits but is also enforced by law. For example substantial penalties both from a cost perspective and even incarceration might arise for the company and the managers if they do not follow privacy protection. But also reputational damage could arise and is not to be underestimated. This in return could also cause tremendous consequences on the company’s existence. Before implementing ERP software, risk management has to be performed in order to minimize possible risks. A critical discussion has to contain all these risks mentioned before but, especially those that are life-threatening for IVK (arising from court trials due to privacy issues). Especially those risks arising from user mistakes can be minimized by following the ten recommendations by Olavsrud (2014). Implementing a positive security behavior on employees does not only minimize user failure but also improves processes and solution in case of IT problems. As a conclusion, most important aspect is to guarantee risk management that works effectively and efficiently.
Sources:
Bluemner, A. (2013). Five ERP Security Risks to be Aware Of. ERP SoftwareBlog. Retrieved from http://www.erpsoftwareblog.com/2013/10/5-erp-security-risks-to-be-aware-of/
Chickowski, E. (2015, May 12). First Example Of SAP Breach Surfaces. Retrieved November 6, 2015, from http://www.darkreading.com/attacks-breaches/first-example-of-sap-breach-surfaces/d/d-id/1320382
Enterprise Risk Management Initiative, Poole College of Management, North Carolina State University. (2013, August 21). Retrieved from: http://erm.ncsu.edu/library/article/leadership-guidance-for-ERP-project-success
Geer, D. (2015, October 5). Security risks increase as cloud data centers change. Retrieved from http://www.cio.com/article/2989002/cloud-security/security-risks-increase-as-cloud-data-centerschange.html?phint=newt=cio_data_center&phint=idg_eid=4b29d71e1711916009e4dcfc79b8d9da#tk.CIONLE_nlt_datacenter_2015-10-07
Kovacs, E. (2015, June 18). SAP Encryption Issues Pose Serious Risk to Organizations. Retrieved November 6, 2015, from http://www.securityweek.com/sap-encryption-issues-pose-serious-risk-organizations-researchers
Lonoff Schiff, J. (2012, March 27). 13 Common ERP Mistakes and How to Avoid Making Them. Retrieved from http://www.cio.com/article/2397802/enterprise-resource-planning/13-common-erp-mistakes-and-how-to-avoid-making-them.html
Olavsrud, T. (2014). 10 Tips to Embed Positive Information Security Behaviors in Employees. CIO. Retrieved from http://www.cio.com/article/2369305/security0/153570-10-Tips-to-Embed-Positive-Information-Security-Behaviors-in-Employees.html
She, W., & Thuraisingham, B. (2007). Security For Enterprise Resource Planning Systems. Information Systems Security, 152-163.
No comments:
Post a Comment