For something so important, you would think ERP systems would be more secure.
A report in February by Crowd Research Partners found that 89 percent of security industry observers surveyed said they thought that the number of attacks on ERP systems will increase this year. Highlighting the point, a month later SAP released a patch with one of the highest severity ratings possible for a critical vulnerability in its SAP HANA platform. The patch cleaned up a vulnerability that allowed full remote access to a company’s SAP HANA software without the need for security credentials.
Nonetheless, the report found that one in three respondents hasn’t taken any ERP security initiative yet.
“ERP systems serve as a corporate technology backbone, connecting people, organizations and processes into a single system of record,” says Weeks. “The data we manage is typically both sensitive and business-critical.”
Each organization should consider its own unique needs when managing ERP security, but what’s clear is that more should be done and many ERP systems are vulnerable to cyber attack. Here are seven keys for making sure your firm’s ERP system is not one of them.
“The biggest mistake businesses are making with ERP systems is not making security a priority.”
One of the issues around ERP security today is that many firms don’t define their ERP security management. Security teams inside ERP-specific departments are primarily focused on segregation of duties and user management, while IT security teams mainly focus on the operating system and networking layer instead of the ERP application itself. The grey area between those two teams leaves a critical gap.
A first step, therefore, is to define ERP security management that looks at ERP security holistically and covers every potential threat vector, the application layer included.
As the SAP HANA vulnerability shows, staying up to date on ERP patches is key for minimizing security holes. Yet, many firms are slow or incomplete in staying up to date.
Organizations should take patch management very seriously, and make sure they have a team in place to monitor and apply patches for known ERP vulnerabilities.
ERP systems are highly customizable by definition, since there is no one-size-fits-all system any more than there is one way to conduct business. This opens the door for more vulnerable code, as custom ERP applications generally get less scrutiny than the vendor’s own.
“Usually custom applications are developed by third parties or internal developers. Both may overlook vulnerabilities or even intentionally leave backdoors in the source code. That’s why reviewing the code is a must.”
Along with custom software that connects to your ERP system, also mind the interconnections among different applications.
“To automate business processes, different modules of an ERP system have to be interconnected. Moreover, in modern manufacturing enterprises, ERP is linked with shop floor facilities. Once attackers break into the weakest link, they can easily get access to connected systems and even to other organizations’ systems.”
One example of this vulnerability was when hackers breached U.S. Investigative Services in 2013 via third-party software that connected to the company’s SAP system.
A house with few doors and only one key is inherently more secure than one with many access points and a host of people who can enter. The same holds for ERP systems, so part of a good security posture is reducing access to each part of the system to only those who absolutely need it.
“Define and develop dynamic policies and procedures for applications and access. Understand roles and user requirements, and limit the rest.”
Think SoD for better ERP security. The Segregation of Duties (SoD) concept was introduced to prevent internal fraud. Simply put, this internal control measure ensures that at least two individuals are required to complete a task. That goes a long way toward limiting unauthorized access to an ERP system.
“From a technical point of view, every business role is associated with certain actions, which in turn are linked with particular transactions in an ERP system,” says Polyakov. “And the number of such roles may run into the hundreds if an enterprise has a diversified structure.”
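The role-to-transaction model Polyakov describes is what makes SoD checkable mechanically: if each role grants a set of transactions, a user’s effective rights are the union across their roles, and an SoD rule is a pair of transactions one person must never hold together. The following Python is an added example, not code from the article or from any ERP vendor; the role names, transaction codes, users and conflict rules are constructed placeholders standing in for what a real system’s authorization tables would provide. It also serves the “understand roles and user requirements” point above by listing each user’s effective rights, and it goes a step beyond the text by flagging role pairs that are safe individually but toxic when assigned together.

```python
"""Segregation-of-duties (SoD) conflict check over an ERP role model.

Added example, not code from the original article. All role, transaction
and user names are constructed placeholders.
"""
from itertools import combinations

# Constructed sample: each role grants a set of transaction codes.
ROLES = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "TREASURY": {"PAYMENT_RELEASE", "BANK_MASTER_EDIT"},   # self-conflicting on purpose
    "AUDITOR": {"REPORT_VIEW"},
}

# Constructed sample: transaction pairs that let one person complete a
# fraud-prone task alone, each with a plain-language description.
SOD_RULES = {
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}): "create a vendor and pay it",
    frozenset({"INVOICE_ENTER", "INVOICE_APPROVE"}): "enter and approve the same invoice",
    frozenset({"BANK_MASTER_EDIT", "PAYMENT_RELEASE"}): "change bank details and release payment",
}

# Constructed sample user assignments. Each of carol's roles is clean on
# its own; only the combination violates SoD.
USERS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_MANAGER"],
    "carol": ["AP_CLERK", "AP_MANAGER"],
    "dave": ["TREASURY"],
    "erin": ["AUDITOR"],
}


def effective_transactions(user, users=USERS, roles=ROLES):
    """Union of transactions across all of a user's roles: what they can really do."""
    txns = set()
    for role in users[user]:
        txns |= roles.get(role, set())
    return txns


def find_conflicts(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Map each user whose combined rights break an SoD rule to the rules broken."""
    conflicts = {}
    for user in users:
        held = effective_transactions(user, users, roles)
        hits = [desc for pair, desc in rules.items() if pair <= held]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def role_level_conflicts(roles=ROLES, rules=SOD_RULES):
    """Roles that are toxic by themselves: one role grants both halves of a rule."""
    return {role for role, txns in roles.items() if any(pair <= txns for pair in rules)}


def toxic_role_combinations(roles=ROLES, rules=SOD_RULES):
    """Role pairs that are each clean alone but break a rule when held together.

    Checking only individual roles misses exactly this case, which is the
    usual way SoD violations creep in as people accumulate roles over time.
    """
    bad = set()
    for r1, r2 in combinations(sorted(roles), 2):
        merged = roles[r1] | roles[r2]
        for pair in rules:
            if pair <= merged and not pair <= roles[r1] and not pair <= roles[r2]:
                bad.add((r1, r2))
    return bad


if __name__ == "__main__":
    for user in USERS:
        print(f"{user:6} effective rights: {sorted(effective_transactions(user))}")
    print("self-conflicting roles:", sorted(role_level_conflicts()))
    print("toxic role pairs:", sorted(toxic_role_combinations()))
    for user, hits in find_conflicts().items():
        print(f"SoD violation for {user}: can {'; '.join(hits)}")
```

In a real review the inputs come from the ERP’s authorization data, and the rule set is the part that needs business ownership: the code only tells you who can do what, not which combinations the organization considers unacceptable.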
Finally, stay alert and ever vigilant. Make sure you have someone always looking out for security vulnerabilities.
“Don’t assume someone else is watching security for you,” says Weeks. “Have security and network experts working on your behalf regardless of whether your ERP system is on-premise or in the cloud.”