Three Critical Risks Plaguing The Enterprise In The Age Of Digital Interconnectivity

Forbes Technology Council

JP oversees the Innovation initiatives that keep Onapsis on the cutting-edge of the business-critical application security market.

The modern enterprise has become increasingly interconnected. Numerous applications, hosts, users, devices and networks are simultaneously exchanging information, both in the private and public cloud from locations all around the world.

Although this new state of operations has been highly beneficial for hybrid and remote organizations, the interconnected environment has also introduced a new level of complexity. With so much data being exchanged at once, organizations cannot obtain complete visibility into their IT ecosystem. They therefore cannot completely secure their ever-growing landscape of business-critical applications.

Business-critical applications, such as enterprise resource planning (ERP) applications, run the global economy. If organizations cannot ensure these applications are strictly secure, they not only place their own business at risk, but also data from their partners, customers and employees. As enterprises navigate their interconnected IT ecosystem, it’s crucial they have a true understanding of the threats placing their critical business systems at risk.

In this article, I'll examine three threats that modern organizations face on a daily basis and that can be combated with the proper tools and mitigations.

1. Weak User Access Controls

Moving beyond passwords with identity and access management (IAM) tools like multi-factor authentication (MFA) and two-factor authentication (2FA) is certainly valuable in ensuring that networks are secured from unauthorized users.

These powerful solutions essentially guarantee that any given user accessing applications and data is the person he or she truly claims to be. However, in terms of business applications, there are other areas of concern that are not fully solved by deploying these solutions:

• Business applications are built on top of complex technology stacks and are often deployed with many service accounts, local users, interface users and standard accounts. Securing those accounts is paramount, but typically out of the scope of IAM solutions.

• Business processes tend to be highly complicated, as there are numerous users, internally and externally, requiring access to various files and data all at once. As a result, assigning the right set of authorizations to business application users is also a very complex process, and if not done right, could lead to significant business risks, such as segregation of risks and critical access.

Even the highest level of network authentication can’t prevent a disgruntled employee from accessing private company files stored within critical business systems and leveraging them to their advantage. For example, an employee who works in the human resources (HR) department can access highly sensitive financial documents and leak them to the public.

Enterprises must regulate which users are authorized to access which applications, transactions, resources and systems; otherwise, their entire system will remain vulnerable. For instance, it’s crucial that only the HR department can access HR-related applications and files, and that it is not authorized to access files pertaining to other departments.

2. Poor Patch Management

Research shows that the average length of time from the date a vulnerability is identified to the date a patch is applied, tested and fully deployed is a staggering 97 days for endpoints, according to a report by SAP and my company; servers and applications can take even longer to close the security patch loop. While threat actors are constantly lurking for unknown vulnerabilities, they tend to pay particular attention to patch releases. In fact, attackers have been found weaponizing SAP vulnerabilities within 72 hours of a patch release, while it has taken as little as three hours for hackers to exploit newly discovered vulnerabilities in internet-facing business applications.

Unfortunately, even when provided with the necessary mitigations, organizations significantly fall behind in patching vulnerabilities. This is often because the process of manually installing every patch can be too time-consuming for IT teams who already have very limited bandwidth or have prioritized other projects. When organizations are struggling with an accumulation of patches, it can be difficult to select which patches to prioritize first.

Technology can help alleviate these issues. Solutions such as vulnerability management platforms, for example, can provide organizations with visibility into their IT ecosystem, including on-premise, cloud and hybrid environments. Consider tools that help security teams keep a comprehensive record of all their assets, identify previously unknown vulnerabilities and obtain a full understanding of their attack surface.

3. Custom Code

Custom code is a critical component of the enterprise, as organizations typically use it to adapt business applications to map their capabilities and match their existing business processes. Despite its criticality, custom code is often prone to security bugs, with industry experts estimating that there is an average of 20 to 30 bugs per 1,000 lines of code. Organizations tend to address these vulnerabilities through manual code reviews, which are error-prone and labor-intensive and generally cannot identify the majority of critical vulnerabilities that can affect the security and compliance requirements of business-critical systems.

To discover and remediate security vulnerabilities in the custom code of business applications, while preventing external and internal attackers from accessing sensitive business data, enterprises must deploy automation. Automated tools can scan and analyze millions of lines of code in only a few minutes, detect any bugs and immediately mitigate their risk.

Conclusion

Every organization today is interconnected in some way and may be prone to the risks highlighted above, among many others. It is of utmost importance that the necessary precautions and mitigations are implemented to prevent sensitive business information from falling into the hands of a malicious actor.

By making cybersecurity a priority, enterprises can confidently ensure their business-critical systems, and all of their valuable data, are secure.

