Tuesday, 24 August 2010

Some other dude did it

All companies want to increase their bottom line and they focus on increasing the revenue or decreasing cost. In the recent years a very important 3rd factor has been added to the list: NOT LOSING MONEY!

The fact is that so-called white collar crime (internal fraud) is the fastest growing crime in North America. In 2008, a single incident averaged $175,000 in damages. Every fourth incident exceeded $1 million, and 9 cases exceeded $1 billion (source: Certified Fraud Examiners). The average fraud damages were 7% of revenue.

It typically takes a few years to detect an internal fraud scheme, and it is normally only detected and stopped by internal whistleblowers. Conviction and punishment, and with them sending the right message to employees, are usually very difficult. Many successful fraud cases are never even detected, since the thief is smart enough to stop before being caught, but by then the damage is already done. Chances are that you have fraud cases that you don’t know about.

In the case of UBS Paine Webber, a time bomb was planted to disable thousands of computers. The business loss was never estimated, but it exceeded millions of dollars; it cost $3.1 million just to bring the computers back up and running. Everybody knew who was responsible, but his lawyer quickly established that 40 people had a password for the logon that was used to cause the damage. The lawyer used what is called the SODDI defense (Some Other Dude Did It). Since it is so hard to convict internal thieves, there is no deterring warning message to other employees.

Everybody has access to everybody’s password, and an intruder will ALWAYS use a different logon with extended authorizations to commit a crime. In fact, all Segregation of Duties efforts (making sure that John can’t purchase a new laptop for himself and then go into the finance system and pay for it) are based on the assumption that John can only log on as John and use his own authorizations. Customers will agree that this is a misconception, and in the security world we know that John would log on as his supervisor anyway to purchase the laptop and then use a profile from the finance department to pay for it.

Password sharing is common practice and 82% of all passwords are written down (SAP Info). The solution is to uniquely identify the Actual User behind the User Profile.
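To make the Segregation of Duties gap concrete, here is an added example (not code from the original post) that runs the same SoD check twice over a constructed audit log: once keyed by the logon account, as classic SoD tooling does, and once keyed by an assumed `actual_user` attribute supplied by a layer that identifies the real person behind the profile. The account names, actions and the `actual_user` field are all assumptions for illustration.

```python
# Added example: segregation-of-duties check over a constructed SAP-style audit log.
# "account" is the logon used; "actual_user" is an assumed attribute supplied by a
# layer that identifies the real person behind the profile (e.g. strong authentication).
from collections import defaultdict

# Constructed sample events. Document 4711 is the laptop from the post: John creates the
# purchase order logged on as his supervisor and pays it with a finance-department profile.
# Document 4712 is a legitimate purchase handled by three different people.
EVENTS = [
    {"account": "SUPERV", "actual_user": "john",  "action": "PO_CREATE", "doc": "4711"},
    {"account": "FIN01",  "actual_user": "john",  "action": "PAYMENT",   "doc": "4711"},
    {"account": "MARY",   "actual_user": "mary",  "action": "PO_CREATE", "doc": "4712"},
    {"account": "SUPERV", "actual_user": "boss",  "action": "PO_APPROVE","doc": "4712"},
    {"account": "FIN01",  "actual_user": "alice", "action": "PAYMENT",   "doc": "4712"},
]

# Pairs of duties that one person must never perform on the same document.
CONFLICTS = {("PO_CREATE", "PO_APPROVE"), ("PO_CREATE", "PAYMENT"), ("PO_APPROVE", "PAYMENT")}

def sod_violations(events, identity_field):
    """Return {doc: {identity: sorted conflicting actions}} keyed by identity_field.

    identity_field="account" is the classic check (assumes John only logs on as John);
    identity_field="actual_user" runs the same check on who really sat at the keyboard.
    """
    per_doc = defaultdict(lambda: defaultdict(set))
    for ev in events:
        per_doc[ev["doc"]][ev[identity_field]].add(ev["action"])
    violations = {}
    for doc, actors in per_doc.items():
        for identity, actions in actors.items():
            if any({a, b} <= actions for a, b in CONFLICTS):
                violations.setdefault(doc, {})[identity] = sorted(actions)
    return violations

if __name__ == "__main__":
    print("by account:    ", sod_violations(EVENTS, "account"))      # {} -> looks clean
    print("by actual user:", sod_violations(EVENTS, "actual_user"))  # doc 4711 flagged for john
```

Keyed by account the log looks clean, because each conflicting duty was performed under a different logon; keyed by the actual person, document 4711 is flagged.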

So the question is: how are YOU making sure that YOUR SAP solution is SECURE?
