Six ERP Security Risks to Watch

Posted on: 2017-04-04 12:04:28

Cyber attacks on smaller firms, particularly manufacturers, are on the rise. A recent security report by Symantec found that small firms are now the target of 43 percent of all cyber attacks, and manufacturers are among the hardest hit.

ERP systems can make a particularly tempting target because they house some of a company’s most important business data. ERP systems also serve as a corporate data hub, connecting with other systems, customers, suppliers, mobile workers and machines on the shop floor. 

“As the system of record for a business, ERP data is mission critical, as well as highly confidential intellectual property,” says Weeks, of a maker of a cloud-based ERP system for manufacturers. “Protecting the system, in an era where connectivity and agility are vital components of ERP, is increasingly complex and dynamic.”

That’s why it is important that businesses, whether large or small, pay particular attention to their ERP security. 

“Our operating attitude is that it isn’t if an attack will happen, it is when,” says Weeks. “So it is important to know you can verify if you are vulnerable and be agile enough to quickly resolve the issue.” 

With that in mind, here are six of the largest security threats that face your ERP system. 

Risk #1: Unpatched Software 

Not applying updates and patches immediately is, of course, a security issue, but ERP systems are at particular risk because complexity slows down both discovery and application of patches. The sad fact is that too many ERP systems go unpatched.

“Due to their complex nature, they are patched less frequently by the developers and the users, leading to longer windows of opportunity for attackers.”

He says businesses can address this issue by deploying patches as soon as the vendor releases them, or by moving to a hosted version of the system, in which case the vendor patches and secures the backend.

Risk #2: Poor Configuration 

A second security risk is careless setup and configuration of the ERP system. Businesses often open the door to cyber attack by setting up their system too casually and without security in mind.

“Lack of awareness that ERPs, even recently implemented ones, have security vulnerabilities out of the box leaves companies exposed to both internal and external threats,” says Sklenka-Gordon, risk advisory services leader for audit and consulting firm RSM US.

These vulnerabilities from poor configuration can include open ports, access parameter credentials that are unlocked or issues that arise from custom-code vulnerabilities baked into a system, she notes. 

Risk #3: Outdated Web Interfaces 

ERP is not often sexy. Nor is it always overflowing with the latest technology and methods, because the lifespan of these systems is longer than that of most other software. ERP is a slow-moving beast, which makes it a target for web-based attacks.

“SQL injection and web-based attacks (XSS, XSRF) continue to be popular against ERP systems because they usually implement older versions of web frameworks, leaving them vulnerable to these common attack types.”

“Enable system logging of the ERP application to perform exposure or look-back testing where unauthorized access is found.”

Risk #4: Inadequate Access Controls 

Who can see and edit data within the system is an important component of good ERP security. Because these systems hold most or all critical business data, failure to correctly manage access is a lingering security threat that companies should always be focused on. 

“Regularly reviewing the rights and permissions granted to employees is critical to ensuring that data is handled properly and only available to those who need it.”

The principle of least privilege, where employees only get access if they absolutely need it, should be the rule of thumb. 

Risk #5: Complex Denial-of-Service Attacks 

Compromised data is bad. Security breaches that shut down operations are arguably even worse. Yet, that is what cyber criminals can do if they gain access to your ERP system. 

Researchers at ERPScan, for instance, discovered vulnerabilities in components of SAP and Oracle ERP systems that could be chained together to effectively disrupt oil and gas companies that relied on these systems. 

Complex exploitation of ERP vulnerabilities poses a significant threat to any business that relies on its ERP system, which is just about every business. That’s why real-time monitoring is important.

“Adding mitigating security controls like network filtering (e.g., IPS) and monitoring for common attack types from internal and external traffic will help reduce the risk to these systems with minimal impact on its use.”

Risk #6: The Enemy Within 

Last but not least, malicious insiders pose a noteworthy security risk; fraud is one of the most common security issues that affect ERP systems. This fraud can vary from trivial money embezzlement to changing employee hours. ERP systems tend to have relatively strong external security protection but weaker internal protection, creating a key vulnerability. 

Segregation of duties (SoD) is one way to reduce this type of security threat. A SoD matrix ensures that no employee has the right to both create and approve a transaction. 

“Incorrect ERP security role and profile designs can create security access combinations which can create unauthorized or back-door access to a system allowing for fraud or misuse of data,” notes Sklenka-Gordon at RSM. 

She suggests purchasing and modifying governance, risk management and compliance (GRC) tool rules to detect powerful, sensitive or segregation-of-duties access issues.
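The kind of check such rules perform, as an added example that is not from the article or from any GRC product: a small SoD matrix, constructed roles and user assignments, and functions that flag users whose combined roles grant both sides of a conflict (the access review of Risk #4 and the SoD matrix of Risk #6 above). All permission names, roles and users are made up for the example.

```python
# Added example (not from the article): SoD matrix check over constructed
# ERP role definitions and user-to-role assignments.

# Constructed SoD matrix: each key names two permissions that one person
# must never hold at the same time.
SOD_MATRIX = {
    ("po.create", "po.approve"): "create and approve purchase orders",
    ("vendor.create", "payment.release"): "create vendors and release payments",
    ("payroll.edit_hours", "payroll.approve"): "edit and approve timesheets",
}

# Constructed role definitions (role -> permissions it grants).
ROLES = {
    "buyer": {"po.create", "vendor.view"},
    "purchasing_manager": {"po.approve", "vendor.view"},
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "treasury": {"payment.release"},
    "hr_admin": {"payroll.edit_hours", "payroll.approve"},
}

# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": ["buyer"],
    "bob": ["buyer", "purchasing_manager"],  # conflict across two roles
    "carol": ["ap_clerk", "treasury"],       # conflict across two roles
    "dave": ["hr_admin"],                    # conflict inside one role
}

def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions granted by every role a user holds."""
    perms = set()
    for role in assignments.get(user, []):
        perms |= roles.get(role, set())
    return perms

def find_sod_violations(assignments=ASSIGNMENTS, roles=ROLES, matrix=SOD_MATRIX):
    """Map each user to the SoD conflicts their combined roles violate."""
    violations = {}
    for user in assignments:
        perms = effective_permissions(user, assignments, roles)
        hits = [desc for pair, desc in matrix.items() if set(pair) <= perms]
        if hits:
            violations[user] = hits
    return violations

def roles_with_builtin_conflict(roles=ROLES, matrix=SOD_MATRIX):
    """Roles whose own permission set already violates the matrix (bad role design)."""
    return sorted(r for r, p in roles.items() if any(set(pair) <= p for pair in matrix))
```

Running `find_sod_violations()` over the constructed data reports bob, carol and dave, while `roles_with_builtin_conflict()` singles out `hr_admin` as a role that needs redesigning rather than reassigning.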

Keep your ERP system safe. Watch for these six security risks, and take a proactive stance toward security in general. Cybercrime isn’t going away, and your ERP system represents one of your most important data stores. It deserves extra protection.