No one has forgotten the Target breach. Up to 70 million customers had their names, mailing addresses, phone numbers and email addresses stolen, and roughly 40 million payment cards were compromised. It was so damaging to the retailer that Target’s CEO resigned. But what people may forget is that it all started with a phishing email to an employee of Target’s third-party HVAC vendor, Fazio Mechanical, which yielded his login credentials to Target’s Ariba vendor portal. From that foothold the attackers moved laterally through Target’s network to its point-of-sale (POS) systems, where malware harvested card data as it was processed. And the rest is breach history.
But it’s not history. Companies still have vulnerabilities in their procurement systems, and the inside threat is only growing, whether the actor is a malicious employee, a careless contractor, or an outsider using a legitimate user’s stolen credentials, as at Target. Industry research has attributed roughly 60% of all attacks to insiders.
Do you think this doesn’t apply to you? Are you confident that your procurement system is secure? Let’s walk through a scenario and see if that’s the case. Start with a temporary user; maybe the user is an employee, maybe a third-party contractor. The user logs in to your procurement system and changes the bank account on a vendor’s master record to an account he controls. After the next invoice to that vendor is paid, the temporary user logs back in and changes the bank account back to the vendor’s real account, so the record looks untouched and the vendor only reports a missing payment weeks later.
Now here are some questions you need to ask about this scenario:
- When you create a temporary or privileged user in your procurement system, do you have procedures in place to ensure the user ID has a defined expiration date?
- If you do set an expiration date, does the account still have to be deactivated manually when that date arrives, or does the system enforce it?
- Do you know when the temporary user is logged into your procurement system?
- Are you able to detect anomalous behavior by that user ID? For example, if the user consistently logs in from an IP address in New York and then suddenly logs in from London, would you be alerted? If the user logs in at 3:00 AM for the first time, would you detect that?
- Do you know exactly what your temporary users are doing in your procurement system? For example, do you have insight into what they are looking at and what information they are changing in the system?
- Are you able to view an audit trail for each user: every record viewed and every field changed, with the old and new values?
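The checks behind these questions are mechanical once the procurement system emits an audit log. The following script is an added example, not code from the original article or from any particular procurement product: it runs four detection rules (login after the account’s expiry date, login from a location never seen before for that user, off-hours login, and a vendor bank account changed back to a value it held within the last 30 days) over a constructed JSON-lines audit log that reproduces the change-pay-revert scenario above. The log format, field names, the expiry table and the off-hours window are all assumptions.

```python
"""Added example: detection rules for the temporary-user scenario, run over a
constructed audit log. Field names, log format and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). tmp_contractor7 changes a vendor's
# bank account, logs back in from a new country at 3 AM to revert it, and keeps
# logging in after the account should have expired. jsmith is a normal user.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:00", "user": "tmp_contractor7", "event": "login", "src_ip": "198.51.100.20", "geo": "New York"}
{"ts": "2024-03-01T09:20:00", "user": "tmp_contractor7", "event": "vendor_update", "vendor": "V-1042", "field": "bank_account", "old": "****1234", "new": "****9876"}
{"ts": "2024-03-02T10:05:00", "user": "jsmith", "event": "login", "src_ip": "198.51.100.33", "geo": "New York"}
{"ts": "2024-03-02T10:09:00", "user": "jsmith", "event": "vendor_update", "vendor": "V-2210", "field": "address", "old": "1 Main St", "new": "2 Main St"}
{"ts": "2024-03-05T03:02:00", "user": "tmp_contractor7", "event": "login", "src_ip": "203.0.113.9", "geo": "London"}
{"ts": "2024-03-05T03:10:00", "user": "tmp_contractor7", "event": "vendor_update", "vendor": "V-1042", "field": "bank_account", "old": "****9876", "new": "****1234"}
{"ts": "2024-03-20T10:00:00", "user": "tmp_contractor7", "event": "login", "src_ip": "198.51.100.20", "geo": "New York"}
"""

# Assumed expiry dates for temporary accounts (in practice: fed from the IdP or HR system).
TEMP_ACCOUNT_EXPIRY = {"tmp_contractor7": datetime(2024, 3, 15)}

OFF_HOURS = range(0, 6)            # 00:00-05:59 counts as off hours (assumed policy)
REVERT_WINDOW = timedelta(days=30)  # a bank account flipping back within this window is suspicious


def parse_events(text):
    """Parse JSON-lines audit events and return them in timestamp order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events, expiry=TEMP_ACCOUNT_EXPIRY):
    """Return (rule, user, timestamp) alerts for the expiry, location, hours and revert checks."""
    alerts = []
    seen_geo = defaultdict(set)       # user -> locations seen on earlier logins
    bank_changes = defaultdict(list)  # vendor -> [(ts, user, old, new)] bank account changes
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "login":
            # 1. Temporary account still usable after its expiry date.
            if user in expiry and ts > expiry[user]:
                alerts.append(("expired_account_login", user, ts))
            # 2. Login from a location never seen for this user; the first login sets the baseline.
            if seen_geo[user] and e["geo"] not in seen_geo[user]:
                alerts.append(("new_location_login", user, ts))
            seen_geo[user].add(e["geo"])
            # 3. Login inside the off-hours window.
            if ts.hour in OFF_HOURS:
                alerts.append(("off_hours_login", user, ts))
        elif e["event"] == "vendor_update" and e["field"] == "bank_account":
            # 4. Account set back to a value it held recently: the change-pay-revert pattern.
            for prev_ts, _prev_user, prev_old, _prev_new in bank_changes[e["vendor"]]:
                if e["new"] == prev_old and ts - prev_ts <= REVERT_WINDOW:
                    alerts.append(("bank_account_reverted", user, ts))
                    break
            bank_changes[e["vendor"]].append((ts, user, e["old"], e["new"]))
    return alerts


def audit_trail(events, user):
    """Per-user trail of what the account did, in order (the audit-trail question)."""
    return [(e["ts"].isoformat(), e["event"], e.get("vendor"), e.get("field"))
            for e in events if e["user"] == user]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for rule, user, ts in detect(evs):
        print(f"{ts.isoformat()}  {rule:24}  {user}")
    for row in audit_trail(evs, "tmp_contractor7"):
        print(row)
```

On the sample log the script raises four alerts, all against tmp_contractor7: the London login at 03:02 trips both the new-location and off-hours rules, the 03:10 bank account change is flagged as a revert of the change made four days earlier, and the 20 March login is flagged because the account expired on 15 March. The rules are deliberately simple; a real deployment would build the location and time-of-day baseline per user over weeks rather than from the first login, and would correlate the bank account change with the payment run that fell between the two edits.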
We’ve talked to enough procurement and IT teams to know that the answer to most of these questions is a resounding no. And the problem goes beyond procurement; it extends to every system in the enterprise. HR systems, for example, are prime targets too. With access to HR data, an attacker can harvest employee details and craft far more convincing spear-phishing emails, which in turn yield more credentials and access to even more valuable information.
A solution to this problem requires a shift in thinking. It is no longer sound policy to treat a defense against the inside threat as a ‘nice-to-have’; it must be treated as a ‘must-have.’ Investments need to be made in these controls to protect your critical assets from the insider before it is too late. Once your data has been taken by an insider, the damage is done.