Interview with Ángel Maqueda, LOYIC Systems Manager
We closed 2019 without any incidents caused by a computer attack on our customers' SAP Real Estate modules. However, we aren’t lowering our guard and we are maintaining surveillance intensity: “Total security does not exist and we are always going to be at risk”
At LOYIC we ended 2019 without any incidence of cyber-attacks affecting our clients’ SAP modules for real estate management. Great news, which has been extended through 2020 so far. Ángel Maqueda, our Systems Manager, attributes this success to keeping our five senses activated with regard to cybersecurity at all times, although he warns that “total security does not exist and we will always be at risk of attacks.”
Good security in the ERP system is vital, because it is where the ‘heart’ of businesses and organisations is housed: all the critical information on contracts, revenues, expenses, and so on. Ángel warns that companies pay a lot of attention to protection against external attacks, but forget that most problems come from within. The advice he emphasises the most to avoid scares is this: “Never trust an email from a sender you don't know that asks you for login credentials, has attachments you don't expect, or tries to extort you.”
QUESTION. Are cyber-attacks common in the SAP environment?
ANSWER. Every computer system is constantly under attack, every day, including SAP systems. That is why good security is essential; it is one of the most important aspects for keeping systems running. There are usually no successful cases of cyber-attacks on SAP systems published, so there is no news of hacking. Outside this area, they do exist. The last significant case occurred on November 4, 2019.
Q. What can the consequences of this kind of computer attack be for a company?
A. Recently, criminals seek, above all, to enrich themselves with ransomware attacks. These are programs that encrypt and paralyse the victims' systems and then demand money to restore them, allowing the victim to regain access to the data and systems. There are also DDoS attacks that seek to paralyse services for a time, resulting in losses due to unproductiveness.
Q. Are there more ‘silent’ information thefts, or one-off service crashes?
A. I would say that attacks targeting silent information theft are more numerous, as it’s possible to get a greater return from them than from an occasional service crash.
Q. What does LOYIC do to ensure the security of the software it installs for its customers?
A. At LOYIC we always have security in mind, for our systems as well as our customers’ data. We try to keep up to date with cybersecurity at all times, aware that total and perfect security does not exist; we are always going to be at risk of cyber-attacks.
Q. Are the security protocols that are applied always the same or is each case unique?
A. We could say that in terms of security there is a mandatory ‘base’ that all companies should follow. Aside from that, depending on the type of company and its business model, emphasis is placed on protecting what is considered most critical to business continuity.
Q. In LOYIC's 20-year history, have you experienced any particularly difficult situation due to a cyber-attack against any of your customers? How was it resolved?
A. Yes, in May 2017, with the global WannaCry attack; and on November 4, 2019, with a different ransomware.
In both cases some customers were affected; access to their systems was cut until the attack was resolved. And in both cases we were able to prove that our systems were safe and that the exploit used in the attacks (that’s what the masked software causing the corruption is called) had been patched in our systems months before.
Q. Would you say a cloud-based ERP deployment is more secure? Are companies that do not have cloud ERP at risk of ‘relaxing’ because they believe their system is internal and accessed by a limited number of users?
A. Given that total security is a utopia, cloud and on-premises systems are also at risk of attack. The big difference with SAP system users who install ERP on their own infrastructures is that these companies can manage the security of their environments themselves. This provides added peace of mind because of having complete control over security. But, careful, this doesn't mean that cloud-deployed systems are less secure, it just means that the company feels more comfortable because it controls the management of its own security.
Q. Is over-confidence the biggest risk companies often face when it comes to ensuring the security of their ERP?
A. Normally companies take protection against external attacks into account, but forget that most successful attacks come from the inside, whether through malicious mail, pen drives, fraudulent pages, phishing, etc. That is why it is important to raise employee awareness and have everyone familiar with some best practices regarding safety.
Q. What advice do you repeat the most?
A. ‘Never trust an email from a sender you don't know that asks you for login credentials, has attachments you don't expect, or tries to extort you.’ In 99.9% of cases, this is an attack.