Cyber Research estimations show that 1 in 4 people will experience a data breach by 2020. Today, data breach occurs as 1 in 15. As we plan to settle into our duties of protecting our individual or corporate data in 2016, we ought to be continuously conscious of the reality of the cyber woes out there. Hence, there can be no better time to emphasize the need for strategic, continuous and innovative plans with respect to protecting our SAP landscape.
In previous years, 2013 and 2014 alike, the cyber security community experienced a huge wave of cyber-attacks. 2015, however, showed a far louder and more pronounced negative mark in comparison to 2013 and 2014; the intensity of incidence, popularity and occurrence of cyber breach has now made cyber-attacks become a “NO News” report …a situation similar to the way the bombings of Syria, Afghanistan or even the northern region of Nigeria by Boko Haram or Hezbollah attacks in East Africa gained its “NO News” reputation. It goes without saying that these cyber breach precedence is not only bad for the world but unacceptable for the future of our collective global economy.
For all intent and purposes, 2015 could be regarded as another bad year for the world in terms of cybersecurity; with a cloud of embarrassing witness of publicly recorded mega SAP, Oracle and non-SAP cyber breach (manifesting in forms of incremental DDoS attacks, Confidential Data theft with successful data manipulation).
I highlight some notable attacks for 2015 in the reported incidence section of this write-up, while I try to relate the incidence to the Insurance section and then take a sneak peek into 2016 with a bit of recommendations.
- Three students from Germany’s University of Saarland discovered39,890 unsecured MongoDB databases openly available on the Internet
- Millions of T-Mobile customers exposed in Experian breach
- Criminals use IRS website to steal data on 104,000 people
- USIS/OPM SAP Attack: Chinese breach data of 4 million federal workers regarded as the mother of all cyber breach more info
- West African Governments cyber-attacks (Nigeria, Ghana, Senegal)
- South African State Security Agency breach reported by Aljazeera’s spy cables making South Africa the Eldorado of Espionage for 2014 and 2015
- Chrysler Auto Hack leading to huge law suits video here
- Ashley Madison hack
The list goes on and on! One thing is for sure here: Our traditional solutions to cyber security count for practically nothing, atleast in most cases. There is a strong need to begin to look into ways of blocking vulnerability holes, monitoring improvements in security and most importantly, putting up strategies for detection of cyber breaches within enterprise applications like SAP and Oracle
As a fall out of cyber-attacks, statistics show a gain in velocity and popularity of cyber insurance. Infact in Africa, professional institutions such as IRMSA, ISACA as well as CILRM-Nigeria had put up series of top notch educational seminars and labs to enlighten organizations on the relevance and management of cyber risk from a framework perspective to cater to prevention, detection and particularly underwriting of same.
As the premium on cyber insurance is expected to increase in 2016, these could only be scary times for African businesses, as the choice for both Large Enterprises and mid-sized companies in Africa become stark: either take on hefty insurance premiums or run the real risk of cyber-crime-induced bankruptcy.
Organizations can gain significantly and reduce their premiums by a great deal, even so, far more gains saved in cyber-Insurance premium when compared to the nominal investment cost of deploying the SAP cyber security solutions.
On the bright side, it is important to note that Insurers will definitely lower premiums when a company demonstrates that they have good security measures in place. By consulting with companies like #DeltaGRiC to help deploy SAP cybersecurity solutions, Organizations can gain significantly and reduce their premiums by a great deal, even so, far more gains saved in cyber-Insurance premium when compared to the nominal investment cost of deploying the SAP cyber security solutions.
Outlook for 2016
Obviously, we live in a world where we are beginning to realize the everyday impact of how yesterday’s flaws is being built into tomorrow’s connected world; A world where our SAP Applications implementation templates which ab-initio were implemented in organizations over a space of 5-10 years ago (without IOT and Security concerns) are still being implemented in new deployments without considering the fact that vulnerabilities are being discovered on a daily basis (over 3500 patch release as at 2015 ). Ofcourse, we continue to notice how OEM’s like SAP take security seriously and continue to patch their software but the questions to answer is: Do end customer organizations implement these patches at all? and if they do, do they do it regularly? And if they do it regularly, do they do it properly? Do organizations struggle with the “Kernel issues and Patch Management for SAP? Do organizations understand how to fight 0-day vulnerabilities?
The truth? To run through 2016 in denial that traditional solutions can handle SAP cybersecurity will be to live in folly, folly which we cannot afford to pay for! Obviously, there can be no long life for a quick fix!
In 2016, there will definitely be more insider and external attacks leading to Extortionware, Data Manipulation as the technologies that protect us today are already obsolete. Consequentially, cyber Insurance premiums will hit an all time high.
To put things in perspective, criminals don’t break into banks because the bank is not secure, they break into the bank because that is where the money is. In same manner, hackers won’t hack your SAP landscape because there is a seen weakness, but because that is where the crown jewels are. As you can tell, irregardless of the risks of getting caught, the proceeds far outweigh the risk: such is the mind set of today’s cyber criminals.
Cyber criminals attacking SAP platforms don’t do it because it is easy, but the motivation that SAP contains the organizations crown jewel far outweighs the possibilities of failing the hack.
SAP Security or IT Security must look further to innovative plans and pragmatic execution strategies which delivers capability for prioritizing cyber risks in order to solve the cyber challenges we face today!
As we saw in 2015, SAP cybersecurity responsibility continues to be addressed by individuals positioned below top management – usually at the program level – where security budgets are frequently not commensurate to the task. This has to change in 2016 and Top management needs to be more involved in their SAP cybersecurity initiatives
I leave us with an adapted poem; inspired by true cyber-events over the last 24 months.
First, they came for the NSA, …and I did not speak out— Because I’m not a spy.
Then they came for SONY, …and I did not speak out— Because I’m not a production studio.
Then they came for USIS, …and I did not speak out— Because I’m not an SAP user
Then they came for Ashley Madison, …and I did not speak out— Because I was not an adulterer.
Then they came for me— and there was no one left to speak for me”
Wishing you a Happy New year as we look forward to a cyber pain free 2016 for your SAP run organization!