Unstructured Data and SAP
Dec 17, '18 by Joerg Schneider-Simon
Quick: When you think of data breaches, what comes to mind?
If you’re like most people, you think of cyberattacks that target structured, secured databases. These cyberattackers steal reams of sensitive data, often selling the data to the highest bidder.
However, there’s an entirely different type of data theft taking place, and it’s one that’s slipping under the radar of many organizations. The target is unstructured data.
What Is Unstructured Data?
Unstructured data is any data that lives outside a structured, access-controlled repository such as a database or an ERP system: the copies that end up in spreadsheets, documents, and email attachments, where the repository’s access controls and audit logging no longer apply.
Here is an example: An administrative clerk at a packaging manufacturer is creating month-end reports. She pulls sensitive financial data from the SAP ERP system to gather the numbers on units sold, units produced, cost per unit, costs for materials, overall revenue, expenses, and any other information that she needs to share with the board of directors. She compiles all of this information in an Excel spreadsheet and then sends the spreadsheet to her boss. Once approved, it’s sent out to the rest of the C-suite for their review prior to the board meeting.
So now we have sensitive data about financials, production, and even supplier price points that has left its secure ERP environment and is being passed around via email.
Which is easier to break into? SAP ERP…or an employee’s email account?
Many cyberattackers are taking the easier route and choosing the latter.
How Big of a Problem Is This?
It’s big. Hard numbers are impossible to obtain, but a widely cited estimate is that 80 percent of the world’s data is unstructured. Considering how many companies share daily reports with their entire staff, this figure is not particularly surprising.
The alarming part is that, unlike structured data repositories, unstructured data is very hard to monitor or control (hence the difficulty in determining the overall amount of unstructured data in the world). Emails and files can easily be forwarded from person to person and can quickly leave the security perimeter of an organization’s email server.
How? Consider our packaging manufacturer’s board of directors. As a general rule, board members are not employees, and so may be using personal email addresses for their board correspondence. To add to the risk, some directors may be prominent public figures, increasing the odds of them being popular targets for email hacking. The risk doesn’t stop at the board. If your company is unionized, union support staff may have access to unstructured data in the form of wages and personal information. Even regular employees may email files to their personal accounts or save them in the cloud to work on them at home, bringing that data into a much less secure environment.
This problem is brought into even sharper focus by GDPR. If an individual asks a company to remove their name from the database, that’s easy enough to accomplish. But what about all of the old spreadsheets with that person’s name that are now languishing in countless email archives and download folders? Any personal data residing in these unstructured environments could expose an organization to GDPR’s eye-watering penalties.
What’s the Risk to SAP?
In a word: credentials. An email compromise does not touch SAP directly; SAP is a secured environment, and the attacker has no session there. What puts SAP at risk is the content of the stolen mail. Let’s say a new employee is sent an email by his boss, notifying him of his SAP login credentials. The employee saves the email in a folder called “logins,” so that he can refer back to it if he forgets his password. (Yes, people do this.) After a few days, the password is memorized, but the employee doesn’t think to go in and delete the email.
Seven weeks later (just under the company’s password expiration rule of eight weeks), the employee’s email is breached. The delighted cyberattacker finds the email with the SAP credentials and promptly logs in, where they merrily steal or sabotage every scrap of data they can get their hands on. The rotation policy did nothing here: the credential was still valid when it was found, and a password alone was all the attacker needed. Requiring a second factor for SAP logons would have stopped this use of the stolen credential.
How to Handle Unstructured Data
Getting a good grasp on unstructured data is not a quick fix. However, neither is dealing with the PR (or GDPR) nightmare that may accompany a data breach. Here are four ways to regain control:
Time for Housekeeping
Take the time for a data audit. Where does your sensitive data live? Are reports neatly organized in specific, restricted folders, or can any employee access them, with copies sitting in individual download folders? Talk to your employees, board members, and any other relevant parties about data security and ask them to routinely delete sensitive attachments from their work and personal mailboxes (including Sent) and from their own computers’ drives.
Control the Access
You are likely already restricting access to some sensitive data, like personnel files. But are you doing that for all sensitive data, like financials? Implementing robust data access governance can go a long way toward reducing the risk of breaches. Review the “need to know” situation for your data and restrict access to only those who truly require it.
Encourage Smart Sharing
Even if your sensitive data is restricted to a certain few, some file sharing will still need to take place. Encourage employees to password-protect or encrypt sensitive attachments before emailing them, and to communicate the password by phone instead of through email, and certainly not in the same email as the attachment! (Again, people actually do this.)
Same Server, Fewer Problems
Your team has control over your own email server, but not over Gmail’s or Hotmail’s or Yahoo’s. Non-staff who are regularly sent sensitive data (e.g. your board) should be provided with email accounts on your organization’s server, with correspondence from you going only to those accounts.
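The data audit above starts with a concrete question: which mailboxes already hold exported report attachments or pasted-in credentials like the SAP logon in the earlier scenario? The following is an added example of a mailbox scanner that answers it for an mbox archive; it is not code from the original article or from SAP. The credential patterns, the attachment extensions, and the three sample messages (which mirror the article’s scenario) are constructed assumptions, and the scanner uses only the Python standard library.

```python
"""Scan an mbox archive for messages that carry report attachments or
pasted-in credentials. Added example for this article; the patterns,
extensions and sample messages below are constructed assumptions."""
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage

# Heuristic patterns for credentials typed into mail text. Assumed for the
# example; tune them to how your helpdesk actually words account notices.
CREDENTIAL_PATTERNS = [
    re.compile(r"\b(?:password|passwd|pwd)\b\s*(?:is|[:=])\s*(\S+)", re.I),
    re.compile(r"\b(?:user(?:name)?|login|user id)\b\s*(?:is|[:=])\s*(\S+)", re.I),
]
# Attachment types that typically carry data exported from the ERP.
SENSITIVE_EXTENSIONS = (".xlsx", ".xls", ".csv")


def findings_for_message(msg):
    """Return a list of (kind, detail) tuples; empty when the message is clean.

    kind is "attachment" (detail = filename) or "credential" (detail = the
    matched text, so the reviewer can see exactly what leaked)."""
    findings = []
    text_chunks = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(SENSITIVE_EXTENSIONS):
            findings.append(("attachment", filename))
            continue
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            text_chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text_chunks)
    for pattern in CREDENTIAL_PATTERNS:
        for match in pattern.finditer(body):
            findings.append(("credential", match.group(0)))
    return findings


def scan_mbox(path):
    """Map each message's Subject to its findings for every message in an mbox file."""
    archive = mailbox.mbox(path)
    try:
        return {str(msg["Subject"]): findings_for_message(msg) for msg in archive}
    finally:
        archive.close()


def build_sample_mbox(directory=None):
    """Write three constructed messages to a fresh mbox file and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "sample.mbox")
    archive = mailbox.mbox(path)

    # Constructed: the onboarding mail from the article's scenario.
    onboarding = EmailMessage()
    onboarding["From"] = "manager@example.com"
    onboarding["To"] = "newhire@example.com"
    onboarding["Subject"] = "Your SAP login"
    onboarding.set_content("Welcome aboard. Your SAP user is JDOE and your password is Welcome2018.")
    archive.add(onboarding)

    # Constructed: the month-end spreadsheet leaving the ERP as an attachment.
    report = EmailMessage()
    report["From"] = "clerk@example.com"
    report["To"] = "cfo@example.com"
    report["Subject"] = "Month-end report for the board"
    report.set_content("Numbers for the board are attached; please review before Thursday.")
    report.add_attachment(b"PK\x03\x04 constructed placeholder, not a real workbook",
                          maintype="application",
                          subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                          filename="Q3_financials.xlsx")
    archive.add(report)

    # Constructed: a harmless message the scanner should leave alone.
    lunch = EmailMessage()
    lunch["From"] = "clerk@example.com"
    lunch["To"] = "cfo@example.com"
    lunch["Subject"] = "Lunch on Friday"
    lunch.set_content("Are we still on for lunch at noon on Friday?")
    archive.add(lunch)

    archive.flush()
    archive.close()
    return path


if __name__ == "__main__":
    for subject, findings in scan_mbox(build_sample_mbox()).items():
        print(subject, "->", findings or "clean")
```

Run it against a real export by passing the mbox path to `scan_mbox`; the output is a worklist of messages to delete or move into a restricted store, and the `detail` field tells the owner what was exposed. The credential regexes are deliberately simple and will produce both misses and false positives, so treat the result as the start of the housekeeping conversation rather than a complete inventory.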
Gaining control over unstructured data can feel like trying to rake leaves in a windstorm. The good news, however, is that every little bit helps. By implementing stringent governance on your unstructured data, you can greatly reduce your attack surface, making it much more difficult for cyberattackers to succeed.