
Honesty is the best policy - even with data outflows!

Does honesty really last longest? As a child, this question was still easy to answer, but by the teenage years some people occasionally resorted to white lies. Even at work, the definition of "right" can shift: According to a study, one in five IT security managers has already experienced situations in which companies affected by data leaks covered up the incident.
E-3 Magazine
22 July 2015
This text has been automatically translated from German to English.

Data leaks are, of course, not a purely IT problem. But CIOs, because of their position in the company, have the opportunity to ensure that dealing with them honestly is the only possible course of action.

The survey referred to was conducted this year at the RSA Conference in the USA. That makes some of the findings even more surprising; after all, a large proportion of the more than 1,000 respondents work for US companies.

In contrast to many countries in Asia and Europe, the USA has a very strict reporting obligation. This means that covering up data leaks is simply illegal!

Nevertheless, many companies prefer to keep quiet about a data leak: The damage caused by compliance penalties, cleanup costs or negative press is enormous! Customers or investors could also jump ship - not to mention the share price.

Risky business

If cybercriminals want to compromise your organization, you must assume that they will succeed! As a CIO or security manager, you should at least foster a culture of openness.

The reporting of security incidents, or even "just" suspicions, should be welcomed rather than viewed negatively. Only then is there any chance of discovering possible incidents at an early stage.

This requires a certain framework. The first step is a comprehensive risk analysis. Only then can you sit down with the management.

This is primarily a matter of management deciding what level of risk it is willing to bear. Every organization has different ideas here. Those willing to bear a higher risk will invest less in information security than those that are not.

Once this decision has been made, the next step is to invest the corresponding budget in tools for risk management and mitigation. In this way, the IT department has created good conditions for "covering its own back".

After all, there should now be no reason to conceal data outflows. If this does happen, it is often due to uncertainties, a lack of structures, or the absence of a risk-based decision-making basis.

Unfortunately, very few organizations explicitly train their employees in the desired code of conduct. In large organizations, it is often learning-by-doing. In small and medium-sized ones, even that is hardly the case. As a result, incidents sometimes "peter out" in the IT department.

Code of conduct as a blind spot?

It is therefore all the more important to explicitly define a code of conduct. This should also contain very clear rules on reporting incidents and suspicious circumstances, but also on how to deal with them.

Of course, this means a certain amount of effort. However, it makes more sense to put in the effort beforehand. In an emergency, everyone then knows how to act - and the probability that everything will go smoothly is significantly higher than with panicky ad hoc decisions in the heat of the moment.

It also allows each incident to be seen as an opportunity for improvement rather than a failure. It is a chance to learn and to sit down with management again with the lessons learned, be it to sharpen or strengthen the security function's own profile, or (hopefully) to discuss an increase in the budget.

And as if that weren't incentive enough, there is also the European Union's General Data Protection Regulation. When it comes into force shortly, we will have requirements and reporting obligations similarly stringent to those in the USA, including very severe penalties for violations.

So this should be another good reason to prepare and introduce a risk-based approach in the company. Because against this legal background, honesty really does last longest, and it is the best way to improve security.
