Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Eliminating the Wrong Guy…

  • Font size: Larger Smaller
  • Hits: 6304
  • Print

A couple of years ago, we included a “Lock User” button feature into our security product. If you received a “very high” alert, you could log into the system, catch the fraud in action, press the “Lock User” button and prevent the thief from stealing. Bam…. you’re the hero.

b2ap3 thumbnail iStock 000001818765XSmall 

Well, it was good in theory. In practice, it was more or less the first thing that customers asked us to remove. 

Remove? Don’t you want to stop the fraud in action?” I asked the Security Manager of a large New York bank who had requested this change. “How can you not want it?” 

The CISO, who was a dignified, experienced professional in his 50’s, calmly replied, “Let me give you a scenario and you’ll understand the issue with your 'Lock User' button.” 

He offered me a coffee and continued, “Imagine I get an alert on my Blackberry at 3:00 a.m. The ProfileTailor system tells me that someone’s using a sensitive activity, say, approval of very large purchase order from an unsupported device. As this is very suspicious, I quickly log in remotely to my computer at the office and catch User S0677325 red-handed, approving a purchase order. Without any hesitation, I click the coveted 'Lock User' button. Now, I feel better, we’re out of danger, and no one’s performing suspicious activities on my shift. I fall asleep feeling great."

"In the morning, the CIO comes into my office and says, 'The CEO wants a meeting. Why did you lock his User yesterday?'” 

"You can imagine it’s not going to be a good meeting. Yesterday, the CEO was in France, which is six hours ahead, and he tried to approve a very important invoice via his smartphone. Suddenly, he was locked out with no way to reconnect." Oops. 

A Bigger Risk Than Fraud

I discovered that the “Lock User” button can unintentionally create a very large risk – that of preventing business from running. Many CEOs and CIOs will say that they would prefer $20,000 of fraud to even the shortest business interruption which could potentially cost $100,000 or even $1,000,000. 

CISOs and CIOs must always compare the benefit of security activities against the potential risk of preventing or slowing down business activities. I have witnessed that more experienced CISOs handle security activities more cautiously, carefully considering the impact on the business.

Fraud in ERP Systems Progresses Slowly 

It is quite hard to perform significant fraud in a complex system, especially these days with all the strict regulations. From our vast experience, I can tell you that in most cases the fraud will begin slowly and insignificantly. The person performing the fraud will probably be an employee who starts by testing the security of the system. He’ll try looking at sensitive tables, like invoices and customers, maybe change a vendor’s bank account by one digit, and other small trivial activities. He’ll usually keep going until he commits real fraud. 

Using a system that can identify irregular activity by detecting small changes is the best way to prevent large fraud at the initial stage – it can detect access to sensitive tables or changes to the vendor’s account – and alert about it. A phone call from the security team to the exact person will most likely cut any future plans for getting at the big money, without locking anyone out or putting business processes in danger.


Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in XpandionPosted by Yoav Michaeli

Do You Understand the Meaning of Behavior-Based Profiling?

Xpandion creates “behavior-based profiling” for business applications. Sounds impressive, huh? However, do you know what it means, exactly?

in Security & AuthorizationsPosted by Dror Aviv

The SAP Security Paradox: Irregular User Activity

“How Many Times?” We, and our partners, often ask ourselves that very question after hearing case after case of employee fraud being committed at an enterprise. How many times will these companies endure suspicious activity by their employees before they get the right tool to send them alerts about...
in Security & AuthorizationsPosted by Yoav Michaeli

Hooray! We Caught a Thief!

This is a true story from last week – an Xpandion expert received a phone call from one of our European clients, claiming they just received a High Risk Irregular Behavior alert pertaining to unauthorized access of salary information. After a quick investigation using ProfileTailor™ Dynamics, it was...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India