SAP Cybersecurity and Your Staff: The Human Factor

Nov 14, '18 by Joerg Schneider-Simon

“I have read and understood the company’s IT policy.”

Employees check the box, but are they adhering to the policy? The evidence suggests otherwise: In a survey of IT professionals, employees leaving laptops and phones unsecured in vulnerable places was listed as a major threat to corporate cybersecurity.

This is worrisome enough, but with an increasing number of organizations accessing SAP through their laptops and phones via SAP FIORI, the news gets worse. Careless cybersecurity practices by employees can easily put mission-critical SAP systems (and the data contained therein) at risk.

So, what can you do to improve employee adherence to cybersecurity policy?

Save the Paperwork for Later

Many companies do no more than hand an employee a copy of the policy and a signoff sheet, leaving it up to the employee to read through a tedious list of rules and regulations. The employee signs off, agreeing to follow the policy, but very well may not have even read it in the first place.

Instead, engage employees in an awareness session first. Hearing clear and relatable examples of how to adhere to cybersecurity policies (and why it’s important) gives employees a much more compelling reason to learn and follow the policy.

Let Them Know the Stakes

Part of an employee’s laissez-faire attitude toward cybersecurity may simply be a lack of understanding of the consequences. Staffers without an IT background may know what cyberattacks are, but not what they do, or how cyberattacks can affect your SAP system.

It’s important to educate all employees, from the CEO to the temp, on the precise chain of events that can take place if they leave their laptop or phone unattended or select weak passwords. It’s equally important to emphasize that these cyberattacks can also affect them personally. After all, how many employees have never checked their social media, sent a personal email, or conducted banking or e-commerce transactions from their work laptop or phone?

Provide Regular Training

The world of cybersecurity changes daily, with cyberattacks increasing in scope and sophistication. And yet your CEO may not have even looked at the cybersecurity policy since 1997, when she first joined the company.

Cybersecurity training needs to take place regularly, to refresh employees’ knowledge and provide any important updates. Keep things interesting: Instead of regurgitating the same presentation every year, share a news item about a recent high-profile cyberattack to spark discussion and education, or provide some fresh new stats on cybercrime. The more engaging and interactive the training, the more likely it is to be retained, so don’t be afraid to ask staffers what they’d like to learn about.

Have Rules – But Reasonable Ones

Employees who are forced to change passwords every month will likely wind up jotting them down on a sticky note or in an electronic file, rendering the password-changing exercise pointless. By making the rules frustrating and inconvenient, organizations are simply driving their staff into finding less secure (but more convenient) workarounds.

Prioritize instead. Select the top few cybersecurity measures that will make the biggest difference and make adherence as easy and convenient as possible. Other cybersecurity measures can be presented as best-practice recommendations during training sessions, empowering staffers to take those extra measures on their own to strengthen the organization’s armor.

Go Beyond Policy Training

It’s imperative for employees to be familiar with the IT policy. But if they’re not taught how to recognize and respond to cyberattacks, an elevated risk will remain.

Phishing is a common form of cyberattack that is often targeted at employees who receive a large number of documents from outside sources. An example would be an HR manager who receives CVs via SAP E-Recruiting, or an Accounts Payable clerk who receives invoices via email. If these employees are not made aware of how phishing attacks work and how to recognize them, they could very easily wind up opening an attachment that contains malware.

Provide all employees with a clear strategy for what they should do if a cyberattack or suspicious event does occur, to help limit the damage and instill confidence.

Don’t Forget Mobile or Remote Employees

As mentioned, a major security risk is employees leaving laptops and phones unsecured and vulnerable. SAP FIORI allows remote staff to access commonly used SAP applications like CRM, SRM, and ERP from their laptops or phones while in their home office or on the road. This mobile access is vital for sales staff, or for other employees out in the field, helping business processes move faster and more conveniently.

However, because these employees are accessing SAP in an unsecured environment, and often through an unsecured network, the risk of cyberattack increases substantially. Be sure to arrange for specific training with remote or mobile staff, clearly explaining the risks of careless cybersecurity and what steps they should take to protect the company’s data and systems.

Talk to Partners

The human factor in cybersecurity doesn’t only apply to employees. It also applies to vendors, partners, and customers. If a vendor is able to upload documentation to a company’s SAP system, their cybersecurity (or lack thereof) has a direct effect on the security of the company.

When negotiating with any party who will have access to SAP login credentials, be sure to emphasize how seriously you take cybersecurity, and provide them with a short list of best practices that you need them to follow. Positioning these best practices as a way to protect both parties from cyberattacks is an excellent way to gain cooperation and understanding, demonstrating that you’re all on the same side. 
