People often rely too much on manual access controls
I recently reviewed an SAP study on how to prevent access risk and fraud and found some interesting points. The study was prepared by InsiderRESEARCH, which conducts independent research for SAP customers. The group collected 183 online surveys and 17 in-depth interviews with security-focused professionals at companies running SAP Enterprise Resource Planning (ERP), limited to companies that do not use SAP BusinessObjects Access Control to manage their access risk. Access risk management describes the set of processes and controls put in place to manage the risk that unauthorized users gain access to systems and information.
Overall, the majority of those surveyed are serious about protecting their critical applications from the risks associated with user access. In fact, the vast majority — 69 percent — said managing access risks is “very” or “extremely” important to senior leadership in their organizations. However, the same group found it challenging to establish and maintain a comprehensive program for managing access risk.
Companies struggle to guard such important activities mainly because they rely on piecemeal manual processes. Moving beyond manual processes to a centralized, automated solution is key to preventing undue access risk.
Why existing solutions aren’t doing the job
Companies using solutions based on manual processes and spreadsheets reported serious challenges to managing access risk. Many of these challenges can be solved with a dedicated, automated access risk management solution. Here are some questions to ask yourself to evaluate how well you are currently covering access risk.
1. What risks are you missing?
Manual processes cannot deliver a true picture of risk. To effectively manage access risk, companies must be able to assess risk within each application as well as across all applications.
Manual processes are also subject to human error and complacency. With an automated, rules-driven solution, companies can identify access risk comprehensively and gain an enterprise-wide view of the relative risk each user poses.
2. What’s the real cost of your current solution?
One reason so many organizations rely on manual processes is their misconception that manual is cheaper than an automated solution, though few survey respondents could offer any estimate of their current program’s cost. They also noted that resources responsible for maintaining the program were divided among several departments and job roles, only adding to accounting difficulties.
The question of hidden costs arose, too. However, once the cost of the entire access risk management program is added up, companies will gain a clearer perspective of their current spending. Additionally, an automated solution offers centralized, workflow-driven processes that reduce costs and save time and money through the audit process.
3. Are you preventing risks or chasing them?
When it comes to safeguarding critical business applications, a preventive approach is more secure and efficient than a detective one, yet the manual solution at most companies is entirely detective-oriented. The preventive alternative, in which access risk analysis is embedded into the provisioning process, lets companies stop unmitigated segregation of duties (SoD) violations before they occur rather than continue the cycle of analysis and remediation.
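To make the difference between the rules-driven, cross-application analysis described under question 1 and the preventive-versus-detective distinction above concrete, here is an added example (not part of the study or any SAP product) of a small SoD rule engine. The rule ids, role names and application names are constructed for illustration.

```python
"""Rules-driven segregation-of-duties (SoD) check: preventive vs detective.

Added example, not from the study or an SAP product. Rule ids, role names and
application names below are constructed for illustration only.
"""

# Pairs of business functions that must not be held by one user (constructed).
SOD_RULES = {
    "P2P-01": ("create_vendor", "approve_payment"),
    "P2P-02": ("create_purchase_order", "receive_goods"),
    "HR-01": ("maintain_payroll", "approve_payroll"),
}

# Role -> set of (application, function). Roles span the ERP and a separate
# payments application, so a per-application review alone would miss P2P-01.
ROLE_FUNCTIONS = {
    "ERP_AP_CLERK": {("erp", "create_vendor"), ("erp", "create_purchase_order")},
    "PAY_APPROVER": {("payments", "approve_payment")},
    "ERP_WAREHOUSE": {("erp", "receive_goods")},
    "HR_PAYROLL": {("hcm", "maintain_payroll")},
}


def functions_of(roles):
    """Flatten a user's roles into the set of business functions they grant."""
    return {func for role in roles for _app, func in ROLE_FUNCTIONS.get(role, ())}


def sod_violations(roles):
    """Return the ids of rules whose two conflicting functions are both granted."""
    funcs = functions_of(roles)
    return sorted(rule for rule, (a, b) in SOD_RULES.items() if a in funcs and b in funcs)


def preventive_check(current_roles, requested_role):
    """Provisioning-time check: the new violations this request would introduce."""
    before = set(sod_violations(current_roles))
    after = set(sod_violations(set(current_roles) | {requested_role}))
    return sorted(after - before)


def detective_scan(user_roles):
    """After-the-fact scan over every user: {user: [violated rule ids]}."""
    return {user: hits for user, roles in user_roles.items() if (hits := sod_violations(roles))}


if __name__ == "__main__":
    # Constructed sample: one request is blocked, then the existing estate is scanned.
    print(preventive_check({"ERP_AP_CLERK"}, "PAY_APPROVER"))  # ['P2P-01']
    print(detective_scan({"alice": {"ERP_AP_CLERK", "ERP_WAREHOUSE"},
                          "bob": {"HR_PAYROLL"}}))  # {'alice': ['P2P-02']}
```

The preventive check returns only the violations a request would add, so an approver sees exactly what a grant introduces; the detective scan is what a periodic spreadsheet review approximates by hand.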
The benefits of a comprehensive access risk solution apply equally to companies of all sizes in any industry. A major step in evaluating a company's readiness for an automated solution is a candid assessment of its current access risk management program to determine whether it meets the company's standards for risk tolerance.
A complete copy of the report is available in PDF format.