BYOD & Allowing Mobile ERP Access: Evaluating Potential Risks

August 8, 2019 | Security

Organizations are rapidly shifting to workplaces without boundaries – teams are globally dispersed and companies are adopting work-from-home and BYOD (Bring Your Own Device) policies. This desired flexibility has become table stakes for organizations looking to recruit and retain top talent.

Because this means employees are accessing company data outside of the company’s secure network, traditional measures to secure data (e.g. firewalls, perimeter network security) are no longer adequate. According to a survey conducted by Black Hat, 73% of respondents said that conventional perimeter security firewalls and antivirus products are now obsolete.

As such, the role of the CISO has become more complex. They now face the task of securing data on networks and devices outside their traditional scope of control.

BYOD & PeopleSoft Fluid UI

The PeopleSoft Fluid user interface was introduced as Oracle’s strategic initiative to deliver a modern, mobile user experience. Once enabled, users can access PeopleSoft applications on a smartphone, tablet, or desktop. However, enhanced mobility and usability have ushered in new concerns related to maintaining data security, as users are accessing self-service applications away from their corporate networks.

Expanding access to sensitive data beyond the secure network increases the risk of a data breach – and hackers are well-aware. Hackers are researching and targeting key stakeholders, knowing that a username and password is all they need to gain access to data.

With this in mind, below are some of the threats associated with implementing BYOD policies:

Unauthorized Access

The downside of a BYOD policy is that access cannot be controlled or managed centrally by an administrator. When access is ultimately controlled by the mobile device itself, the theft or compromise of a mobile device can increase risk exponentially. In the case of a device theft (e.g. a phone or laptop stolen from a coffee shop or vehicle), the organization would have no defense if an ERP password were saved in the device’s password manager – and you know it always is!

Solution:

Organizations can minimize the risk of unauthorized access attempts by implementing a multi-factor authentication system. A single device no longer becomes the gateway to an application, because MFA draws on three categories of authentication factors: something you know (user name and password, typically), something you have (a phone that can receive app-based or SMS confirmation requests, for example) and something you are (the rapidly evolving arena of biometrics). MFA requires the use of at least two of these categories before allowing access.

Accidental Data Leakage:

Carelessness and negligence by users are some of the leading causes of accidental data leakage. The BYOD trend can potentially multiply these risks, as users are continually using their devices to send and receive information over email, text, IM, and other means. Data becomes more vulnerable to hackers when shared over a non-secure network.

Collaboration tools that leverage mobile apps, like Slack, are becoming common in the workplace, meaning communication amongst employees is becoming more frequent, rapid, and (generally) more casual – all of which differ from the style adopted by traditional email correspondence. This casualness can lead to employees sharing sensitive information across an unknown network – leading to opportunities for data to leak out inadvertently.

Corporate email solutions can scan for credit card numbers, social security numbers and other data formats that can be indicative of sensitive information – however, these mobile collaboration tools lack the same capability.

In addition, devices purchased for personal use (e.g. a personal laptop or desktop) and used on occasion for professional work tasks – many of which have automatic cloud back-up mechanisms – can lead to information inadvertently leaking away from the originating device and into a content management system. Cloud storage systems are frequently hacked, so a sensitive report getting into the wrong hands can lead to damaging results.

Solution:

Enabling contextual access controls can differentiate the privileges of a user when they are working away from a secure, corporate network. Using this solution, users are granted limited access to sensitive transactions based on their location or privileges. As a best practice, leveraging the principle of ‘least privilege’ can limit the risk of users accidentally leaking data.
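The two controls the post recommends, MFA spanning at least two factor categories and contextual access that limits sensitive transactions when the user is off the corporate network, can be expressed as a small policy evaluator. The following is an added example written for this page; it is not PeopleSoft, Oracle or Appsian code. The factor-to-category mapping, the corporate address ranges, the transaction names and the `AccessRequest` fields are all constructed assumptions for illustration.

```python
"""Added example (not the page's or any vendor's code): a policy evaluator that
models (1) an MFA check requiring factors from at least two distinct categories
(know / have / are) and (2) a contextual rule that denies sensitive
self-service transactions unless the request comes from the corporate network.
Every concrete name, network and transaction below is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed mapping of concrete factor types to the three categories named in the post.
FACTOR_CATEGORY = {
    "password": "know",
    "security_question": "know",
    "totp_app": "have",
    "sms_code": "have",
    "hardware_token": "have",
    "fingerprint": "are",
    "face": "are",
}

# Constructed corporate address ranges (placeholders, not a real deployment).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]

# Constructed classification of hypothetical self-service transactions.
SENSITIVE_TRANSACTIONS = {"update_direct_deposit", "view_w2", "change_ssn"}
LOW_RISK_TRANSACTIONS = {"view_schedule", "submit_timesheet", "view_paystub"}


@dataclass
class AccessRequest:
    user: str
    factors_presented: list   # e.g. ["password", "totp_app"]
    source_ip: str
    transaction: str


def mfa_satisfied(factors):
    """True only if the presented factors span at least two distinct categories.
    Two factors from the same category (password + security question, or
    SMS code + authenticator app) do not count as multi-factor."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def on_corporate_network(source_ip):
    """True if the source address falls inside an assumed corporate range.
    Unparseable addresses are treated as off-network (fail closed)."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(req):
    """Return (decision, reason) where decision is 'allow' or 'deny'.
    Rules are evaluated most restrictive first, and anything not explicitly
    classified is denied, following least privilege."""
    if not mfa_satisfied(req.factors_presented):
        return "deny", "mfa_required"
    if req.transaction in SENSITIVE_TRANSACTIONS:
        # Contextual rule: sensitive transactions only from the corporate network.
        if not on_corporate_network(req.source_ip):
            return "deny", "off_network_sensitive"
        return "allow", "ok"
    if req.transaction in LOW_RISK_TRANSACTIONS:
        return "allow", "ok"
    return "deny", "unknown_transaction"


if __name__ == "__main__":
    # Constructed requests: a saved password alone on a stolen device is refused,
    # while the same user with a second factor gets low-risk access anywhere and
    # sensitive access only from inside the corporate network.
    for r in [
        AccessRequest("alice", ["password"], "203.0.113.5", "view_paystub"),
        AccessRequest("alice", ["password", "totp_app"], "203.0.113.5", "view_paystub"),
        AccessRequest("alice", ["password", "totp_app"], "203.0.113.5", "update_direct_deposit"),
        AccessRequest("alice", ["password", "totp_app"], "10.1.2.3", "update_direct_deposit"),
    ]:
        print(r.user, r.transaction, r.source_ip, "->", evaluate(r))
```

The point worth noticing is the category check rather than a simple factor count: two "have" factors delivered to the same phone protect nothing if that phone is the stolen device, so the evaluator only treats the login as multi-factor when the categories differ.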

Summary

Enabling BYOD has inherent benefits – employees are happier, more productive, and an organization is able to expand the reaches of their business practices – but enabling a BYOD strategy should come with caution.

It is important to understand that ERP applications like PeopleSoft and SAP were designed long before BYOD practices existed and do not have the native controls to keep up with the evolving security risks that accompany BYOD strategies.

If you’re interested in learning more about enhancing your ERP data security posture in the wake of expanded access and BYOD, you can Contact Us and we’d be happy to walk you through how you can fill these security gaps.


© 2019 Appsian. All rights reserved.