When we think of cyberattacks, we usually think of bank accounts being raided and passwords stolen. But according to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), older enterprise resource planning (ERP) systems are a top target of tech criminals.
ERP security is crucial because these systems are at the core of what an organisation does. They integrate data and processes from across the enterprise, ensuring streamlined and automated operations. However, as a single repository of all the information that keeps the system functioning, if breached they can also provide a gateway to the most sensitive and valuable information an organisation possesses. The damage that can be done if unauthorised access occurs can be enormous, both financially and reputationally.
Flaws and failings within legacy systems are not the only vulnerabilities inherent in ERP setups, however; by their very nature even the most modern setup can be the soft underbelly in an organisation’s IT architecture because they are connected to the outside world via the internet: theoretically, with the right access information, anyone could gain access to sensitive data or cause damage.
Hacks come in many forms. Unauthorised access to ERP systems often results in the deployment of ransomware, destabilising software placed on systems that cybercriminals threaten to deploy unless they are paid for the keys to unlocking it. Malware acts like a vandal or spy in ERP systems – once entered it destroys computers and/or steals data. And distributed denial of service (DDoS) attacks systems to shut down by flooding them with so much unwanted information that they are unable to work properly.
The need for the deployment of ERP security measures, therefore, is paramount. There’s no better time to do that than when new finance processes are being onboarded; getting security right at the start will reduce the chances of things going wrong later.
Vendors often build some level of ERP security into their systems, but they are rarely enough to properly protect all data. Additionally, a few companies have built third-party ERP security packages. While they may be effective, they also can be expensive.
Fortunately, there are several relatively easy steps an organisation’s IT department before can take first to secure their ERP systems.
What is ERP security and why is it important?
ERP security is the protection of an organisation’s data and processes from external intrusions and internal abuse. The integrated nature of ERP systems is what makes them so effective – but it is also their Achilles heel. If breached, hackers can access all the vital data and controls that make an organisation tick.
Common ERP Security Issues
Systems are not updated or monitored
Failure to implement patches to software and to alert IT departments of system failures can leave organisations vulnerable to attack. If hackers can identify those gaps, they can exploit them to enter an organisation’s ERP and plant rogue software.
There are too few ERP security specialists
A lack of technical expertise means few employees within an organisation will understand where vulnerabilities lie. That will limit the ability to respond to errors. It will also lower the likelihood of critical security information and protocols being shared to the necessary people.
Weak authentication measures
The security oversights that are common among personal digital assets – easy-to-copy passwords, single-factor authentication, among them – are also prevalent in the corporate world. Weak authentication is a leading cause of ERP security breaches. This is all the more frustrating because these are probably the easiest vulnerabilities to solve.
Less easy to overcome are the unlocked doors of open network sharing that is common in older systems. These can be open invitations to modern-day hackers.
ERP security best practices to avoid and beat issues
Stay up to date
- It’s critical that ERP systems are regularly updated with the latest software patches. As hackers change their tactics and deploy more sophisticated techniques to intrude into companies’ systems, so ERP developers produce stronger defences. Without them, organisations leave themselves vulnerable.
- It’s also important to monitor systems for failures and signs of infiltration. Hackers necessarily work under a cloak of secrecy and their attacks may not be immediately obvious. By constantly fire-watching for the signs of intrusions, attacks and their impacts might be averted.
- All employees can be instructed in the rudiments of such surveys as part of a broad strategy of failure reporting, and third-party assessments should be encouraged.
Know your enemy
- Prevention is better than cure but in order to stop attacks before they happen it’s essential that an organisation knows where its weak spots are. A deep working knowledge of the ERP system is essential in this regard.
- Staff who have a holistic understanding of the system and how it works will also have a better understanding of how to keep it secure. They can identify vulnerabilities and put measures in place to strengthen them.
- That can be tied in with a monitoring programme, as mentioned above.
- These shortcomings could be addressed in the longer-term with the implementation of security-focused training programmes to ensure there is a constant pool of capable staff ready to step in during a breach.
Lock your doors
- It should go without saying that system access passwords should be made as complex as possible to prevent replication by unauthorised agents. At the very least, multi-factor authentication (MFA) should be adopted. It’s hard to believe, but many companies don’t: according to a recent KnowBe4 survey more than a third of large companies and two thirds of smaller firms don’t use MFA. Users should also be encouraged to change their passwords as often as practicable.
- From a governance point of view, organisations would be wise to strictly monitor who is given access to the system – the more people enter the system, the more exposed it becomes.