In the wake of the COVID-19 pandemic, organizations across the world have allowed their employees to work remotely. Employees have been accessing data from setups very different from that of the office. Under such circumstances, ensuring ERP data security has become a big challenge for organizations, and the context of access becomes extremely important. ‘Context’ means the time of day, location, type of device, URL, etc. Contextual variables are the key drivers when it comes to identifying suspicious behavior that would otherwise go unnoticed in today’s “always connected” environment, all the more so when access to business systems is supposed to be ubiquitous.
The Scope of Access Has Expanded
Although mobile ERP access means added flexibility, a higher risk of exposure comes with this flexibility. It is essential to realize that the ever-changing access context is where the possibility of unintended exposure to data eventually lies.
The context of access can take several shapes. For example, accessing office applications from an unknown network, accessing from a foreign country while on a business trip, and the like. Access context shifts every moment in a mobile environment, creating a significant risk. It would be right to believe that you do not want your high-privileged users to access confidential company information from locations where their session might be compromised.
Unfortunately, conventional ERP systems are not designed to deal with that variable risk because ERP roles and permissions are static. This means that if you are a high-privileged user in your workplace, you are a high-privileged user everywhere outside of the office too!
The Threat of Unintentional Data Leakage in Mobile Environments
Even the most well-meaning employees will unintentionally leak information. Mobile access, for example, inevitably involves using personal devices for work. Most mobile devices are shared amongst members of the family and have automatic backup systems. Confidential data accessed from a personal device can end up in a cloud backup without the employee even realizing it. From then on, the data sits in personal storage, permanently beyond the reach of the enterprise.
The Significance of Contextual Access Controls
Many believe that the most prominent data hazards are network-centered, and that assumption is not incorrect. The largest, most headline-grabbing data breaches have usually been large-scale network events in which millions of records were exposed. Organizations have introduced sophisticated firewalls and network access controls to keep themselves out of the news. But data threats are becoming increasingly ‘user-centric’, the most prevalent being phishing and spear-phishing.
Phishing and spear-phishing have proved incredibly successful against users who work outside the workplace: checking emails quickly during offsite meetings, working late at night or early in the morning from home, or any other situation in which the user’s surroundings offer just enough distraction to fall for a phishing email.
Given that mobile access increases risk manifold, shouldn’t organizations incorporate controls that dynamically enforce policies when the risk is considered high? After all, when you visit a website that is not safe, your internet browser warns you. Incorporating contextual controls enables companies to align their business practices with their security policies.
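The following is an added example, not code from the original article or from any ERP vendor, that shows what "dynamically enforcing policies when risk is high" can look like in practice. The static role grants are checked first, exactly as a conventional ERP does; a contextual risk score built from the variables named above (network, location, device type, time of day) then decides whether the role's full privilege applies, whether a step-up authentication is required, or whether the request is refused. The role names, permissions, trusted countries, business hours and risk thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Set, Tuple

# Static ERP role grants (constructed): what a role may do when nothing
# about the access context is taken into account.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"invoice.read", "invoice.create"},
    "finance_admin": {"invoice.read", "invoice.create", "invoice.approve",
                      "payment.release", "vendor.bank_details.update"},
}

# Actions whose misuse is costly; they get stricter contextual thresholds.
HIGH_IMPACT_ACTIONS = {"invoice.approve", "payment.release", "vendor.bank_details.update"}

# Constructed policy parameters (assumptions for the example).
HOME_COUNTRIES = {"US"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class AccessContext:
    network: str          # "corporate", "home" or "unknown"
    country: str          # ISO 3166 country code of the source address
    device_managed: bool  # enrolled in the company's device management
    local_time: time      # time of day at the user's location


@dataclass
class Decision:
    effect: str           # "allow", "step_up_mfa" or "deny"
    risk: int
    reasons: List[str] = field(default_factory=list)


def score_context(ctx: AccessContext) -> Tuple[int, List[str]]:
    """Turn the contextual variables into an additive risk score with reasons."""
    risk, reasons = 0, []
    if ctx.network == "unknown":
        risk += 3; reasons.append("unknown network")
    elif ctx.network == "home":
        risk += 1; reasons.append("home network")
    if ctx.country not in HOME_COUNTRIES:
        risk += 2; reasons.append(f"access from {ctx.country}")
    if not ctx.device_managed:
        risk += 3; reasons.append("unmanaged device")
    if not (BUSINESS_HOURS[0] <= ctx.local_time <= BUSINESS_HOURS[1]):
        risk += 1; reasons.append("outside business hours")
    return risk, reasons


def evaluate(role: str, action: str, ctx: AccessContext) -> Decision:
    """Static role check first; the context then scales the effective privilege."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return Decision("deny", 0, ["role does not grant action"])
    risk, reasons = score_context(ctx)
    if action in HIGH_IMPACT_ACTIONS:
        # A high-privileged role is not high-privileged everywhere: the same
        # user loses the ability to release payments from a risky context.
        if risk >= 5:
            return Decision("deny", risk, reasons + ["high-impact action in high-risk context"])
        if risk >= 2:
            return Decision("step_up_mfa", risk, reasons + ["high-impact action needs step-up"])
    elif risk >= 7:
        return Decision("deny", risk, reasons)
    elif risk >= 4:
        return Decision("step_up_mfa", risk, reasons)
    return Decision("allow", risk, reasons)


# Constructed sample contexts for the same finance_admin user.
OFFICE = AccessContext("corporate", "US", True, time(10, 30))
HOME_EVENING = AccessContext("home", "US", True, time(21, 15))
HOTEL_ABROAD = AccessContext("unknown", "DE", False, time(23, 40))

if __name__ == "__main__":
    for label, ctx in (("office", OFFICE), ("home evening", HOME_EVENING), ("hotel abroad", HOTEL_ABROAD)):
        for action in ("invoice.read", "payment.release"):
            d = evaluate("finance_admin", action, ctx)
            print(f"{label:13} {action:16} -> {d.effect:12} risk={d.risk} {d.reasons}")
```

The point to notice is that the role table never changes: the office request gets the full privilege the role grants, the evening request from home still reads invoices freely but must re-authenticate before releasing a payment, and the request from an unmanaged device on an unknown network abroad is refused outright. Real deployments would feed the context from the identity provider, device management and network telemetry rather than from hard-coded objects, and would log every decision and its reasons for later review.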
Conclusion
The concept of introducing contextual access controls is not new. Cloud Access Protection Brokers have allowed organizations to have greater control and visibility over their cloud applications, but they have not included traditional on-premise ERP applications in these strategies. To overcome the risks that mobile access poses, organizations must implement contextual access control policies.