Cyber Risks Getting More Attention from Organizations Using SaaS Applications
Blog article by Jeff Hare
Organizations using SaaS applications are encountering an increase in fraud risks that traditional cyber security firms are failing to recognize. Most organizations focus on protecting the perimeter and on risks related to ransomware and data theft, leaving the organization vulnerable to attack in neglected areas. Internet-facing applications such as ERP Cloud, NetSuite, and Workday allow easy access and administration in our work-from-home world. Properly securing the applications means far more than securing the perimeter.
Threat actors have developed new strategies to compromise systems, often utilizing phishing attacks to steal credentials. Employees fall prey to the attack, only realizing the deception when their direct deposits are not disbursed on the next payroll cycle. Suppliers are at equal risk of being duped by phishing attempts. For organizations that allow suppliers to access ERP applications to maintain bank account data, successful attacks could result in stolen payments.
SaaS applications have exposed the ‘perimeter’ to be interface-facing, eroding the traditional view of cyber security risk. Management and auditors need to address these risks through the implementation of MFA technologies. SaaS applications have varying maturity related to MFA configurations. Some have MFA built in, and some allow third-party applications to be integrated. Management and auditors need to be aware of what functionality is available in their SaaS applications and need to monitor the configurations as part of their ongoing threat awareness.
Administrative, supplier, and end-user access also needs to be monitored. Some or all of these accounts may be required to use MFA. Those that are not are extremely vulnerable to phishing attacks. One company we interviewed did not require its suppliers to use MFA and had three suppliers give up their credentials in a span of two months. This led to more than $250,000 in losses. Organizations need to reduce the attack footprint by ensuring that application roles are built on the principle of least privilege. One common SaaS application – ERP / HCM Cloud – has these fraud risks built into many seeded roles, including those assigned to employees, suppliers, and contractors.
Traditional cyber security companies do not provide services to test for these risks, but management cannot afford to overlook them.
ERP Risk Advisors can help you address these risks. Let us know if you want to have a conversation by emailing email@example.com.