The Challenge of Protecting Business-Critical Data and Applications
Published 04/25/2022
This blog was originally published by Onapsis here.
Global market intelligence firm IDC conducted a market survey in Germany in September 2021 to explore the challenges enterprises are currently facing in the development and running of security landscapes, as well as the plans they are pursuing to adapt their cybersecurity to future IT challenges. Read the brief in full here.
The challenges examined by IDC are ones we've heard time and again from customers and prospects seeking to secure their most critical business systems. Over the last ten years, we’ve seen a lot of change and new initiatives around application security that have many organizations taking a closer look at how they handle security and compliance. There are numerous challenges for keeping business-critical data and applications secure. What are these challenges, and how can they be overcome?
Cloud Migration
Business-critical applications hold valuable business, customer, and employee data. While these applications were traditionally kept on-premises behind layers of security, the shift to the cloud has evaporated the perimeter. With increasing interconnectivity between on-premises and cloud environments, and between internal and third-party systems, exposure and risk grow. Managing these externally facing critical systems has become increasingly complex, with research from SAP and Onapsis showing new unprotected SAP applications provisioned in cloud environments are being discovered and compromised in less than three hours.
Digitization of Operations
The last two years have also accelerated the digitization of customer and supply-chain interactions and operations. To support this reality, many companies have adopted their crisis-related changes long term, with cloud migrations and SaaS adoption skyrocketing and a hyper focus on digital customer experiences. At the same time, the urgency of these changes did not allow for optimal security. 91% of IT reported feeling pressured into compromising security for business practices.[1]
Cloud and internet-exposed business-critical applications that help foster new processes and business opportunities increase the attack surface — and threat actors know it. Vulnerabilities in supply chains were at the forefront of 2021’s news cycle, from oil and gas pipelines to meat packing plants. Although the various causes of these issues may differ, the impacts are the same: company downtime and lost revenue.
Speed Over Security
When many began working from home in 2020, IT and security teams focused on speed over security as they stood up infrastructure to drive productivity and enable business as normal. 60% of IT decision makers’ main priority was to deliver projects more quickly.[2] In combination with shifted or slashed budgets, this has resulted in security best practices being put on the back burner. Given the already vulnerable state of these core systems, continuing to overlook the security of business-critical applications like ERP, SCM, HCM, PLM, and CRM leaves organizations as prime targets for internal misuse and external attacks, exposing sensitive information and leading to downtime that hinders business operations.
Incentive for Cybercriminals
Going back a decade or so, hacking knowledge was limited to individuals who understood the technology, but it has never been easier to get into the cybercrime game. Cybercrime is a $6 trillion annual industry, making it the world’s third largest economy after the U.S. and China. And cyberattacks are now a part of global relations and modern warfare. Compared to other criminal activities, cybercrime carries relatively low risk: threat actors have a lower chance of getting caught, a large majority of cybercrimes aren’t reported, and the ability to operate from anywhere with internet access lets scammers bypass law enforcement by working in countries with limited digital crime laws.
Finite Resources and Budget
Despite the general trend of growing global spend for application security, budget and teams are finite. More than 57% of organizations have been impacted by the cybersecurity skills shortage; one of the top three areas of significant cybersecurity skills shortage is application security. Even a well-staffed team faces limits on its valuable time as it prioritizes workloads. Many organizations have difficulty managing patching efforts manually, which leads to missing or deprioritized patches. And this is only one part of overseeing business-critical applications. Organizations don’t have an easy way to validate whether their applications are following best practices for configurations or user privileges, leading to unaddressed risk and open attack vectors.
Research Shows Threat Actors Targeting Application Layer
Perimeter and endpoint defenses are a necessary component of every organization’s cybersecurity strategy, but this approach has proven inadequate at effectively protecting the application layer. As evidenced by threat intelligence from SAP and The Onapsis Research Labs, threat actors are increasingly targeting the application layer directly. These cybercriminals have the motivation, means, and expertise to identify and exploit unprotected business-critical SAP applications, and are actively doing so. Attackers with access to an unpatched SAP system can steal user credentials and personal information, exfiltrate confidential information, cause financial harm, and even perform a full remote SAP system takeover. For organizations that must meet regulatory compliance mandates, such an incident can lead to expensive third-party audits and penalties, including fines and legal action.
Strengthen Your Business-Critical Application Security
Given the above realities and recent headlines, strengthening business-critical application security has never been more important. Here are five courses of action you can take right now to ensure that your organization and your business-critical applications are protected and resilient:
- Reduce The Window of Vulnerability: Increase your vulnerability scanning frequency to reduce the time between point-in-time discoveries of unidentified vulnerabilities potentially present in your landscape.
- Prioritize Remediation of Critical and High Vulnerabilities: There’s no time like the present to accelerate your patch management process, especially for those prioritized critical and high vulnerabilities in SAP. This includes the most recent ICMAD vulnerabilities which can potentially lead to unauthenticated, remote full system takeover. Internet-facing systems should receive the highest priority. (Please note that we published a free scanning tool to help the SAP community find systems that are vulnerable to ICMAD. Download it here.)
- Continuously Monitor Your Critical and Connected Systems: Consider enabling continuous monitoring for all critical systems. Past research points to threat actors directly targeting the most vulnerable systems.
- Ensure the SOC Has Full Visibility: Connect and validate that the relevant alarms are getting sent directly to your XDR, SIEM, etc. Equally important, ensure your security runbooks (and business continuity / disaster recovery plans) document appropriate incident response for business-critical systems.
- Prepare All of Your Employees: Prior research demonstrated that 74% of breaches were a result of access to privileged accounts. Ensure that all your employees are hyper vigilant to phishing and malware threats. Continuously monitor access to your critical systems.
More Resources
- Study: IDC Executive Brief about Cybersecurity in 2021
- Threat Intelligence Report: Onapsis and SAP Partner to Discover and Patch Critical ICMAD Vulnerabilities
- Blog on Log4j Vulnerability: Threat Intelligence and Mitigation Strategies to Protect Your SAP Applications
[1] HP Rebellions & Rejections Reports
[2] The Key To Enterprise Hybrid Cloud Strategy: An Annual Forrester Consulting Study Commissioned By IBM. A Forrester Consulting Thought Leadership Paper Commissioned By IBM, January 2021