It may not seem like a treasure trove of information that malicious hackers would find useful, but your enterprise resource planning (ERP) solution provides information that just about every brand of attacker would love to get his or her hands on.
The cyber-criminal may be lured by the financial, accounting, human resources, and e-commerce data stored in your system. Competitors and even state-sponsored actors have found information pertaining to intellectual property, manufacturing, sales and marketing, business processes, and other business intelligence of particular interest.
Knowing full well that your ERP system is a target is only step 1 in protecting your digital assets against attack. Step 2 is understanding the security issues you face, and step 3 is doing something about those issues. So, let’s examine some of the more common security problems that your ERP solution faces.
Attackers often look to exploit vulnerabilities in software. This means not only your ERP software but the server, all the software it uses, and your database. Software vendors release updates and patches to address known security vulnerabilities to help keep their customers’ systems more secure, but if you don’t install these updates, your systems remain vulnerable. Keeping systems up to date by thoroughly testing and applying critical security updates helps keep attackers at bay.
To get their work done, people need access to various areas of the ERP solution. Administrators often grant broader access to individuals or even groups than they need. Often, it’s easier simply to grant access than to take the steps to fine-tune restrictions for data that people don’t need to access.
The principle of least privilege is an easy paradigm to start with, but most systems administrators find it difficult to enforce. There are times when someone legitimately needs elevated permissions for a short period, and the problem is compounded by seasonal employees and, worst of all, ghost accounts left unattended after their owners have gone.
Mitigating this threat comes from establishing solid access management policies and sticking to them. You can add an identity and access management solution that works with your ERP software and other business critical applications, as well.
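One concrete way to keep an access management policy honest is a periodic review that compares what each account has been granted against what its job role should hold, and flags accounts that nobody has used in a long time. The script below is an added example, not code from the original article or any ERP vendor; the role templates, the constructed user export, and the 90-day dormancy window are all assumptions for illustration.

```python
"""Least-privilege and ghost-account review over an ERP user export.

Added example, not code from the original article. Assumes a hypothetical
export in which each user record carries a role, the set of permissions
actually granted, and the date of the last sign-in (None if never).
"""
from datetime import date, timedelta

# Hypothetical role templates: the permissions each job role is meant to hold.
ROLE_TEMPLATES = {
    "ap_clerk": {"invoice.read", "invoice.create"},
    "sales_rep": {"customer.read", "order.create"},
    "hr_analyst": {"employee.read", "payroll.read"},
}

# Constructed sample export (not real data): two over-granted accounts,
# one seasonal account that went quiet, one service account never used.
USERS = [
    {"user": "alice", "role": "ap_clerk",
     "granted": {"invoice.read", "invoice.create"}, "last_login": date(2024, 5, 1)},
    {"user": "bob", "role": "sales_rep",
     "granted": {"customer.read", "order.create", "payroll.read"}, "last_login": date(2024, 4, 20)},
    {"user": "temp_summer", "role": "ap_clerk",
     "granted": {"invoice.read"}, "last_login": date(2023, 9, 1)},
    {"user": "svc_legacy", "role": "hr_analyst",
     "granted": {"employee.read", "payroll.read", "invoice.create"}, "last_login": None},
]

DORMANT_AFTER = timedelta(days=90)   # assumed review threshold
TODAY = date(2024, 5, 15)            # fixed "today" so the run is reproducible


def excess_permissions(record):
    """Permissions granted beyond the role template (unknown role => everything is excess)."""
    template = ROLE_TEMPLATES.get(record["role"], set())
    return sorted(record["granted"] - template)


def is_dormant(record, today):
    """True if the account never signed in or has not signed in within DORMANT_AFTER."""
    last = record["last_login"]
    return last is None or (today - last) > DORMANT_AFTER


def audit(users, today):
    """Return (user, finding, detail) tuples for the access review."""
    findings = []
    for r in users:
        extra = excess_permissions(r)
        if extra:
            findings.append((r["user"], "excess_permissions", ",".join(extra)))
        if is_dormant(r, today):
            findings.append((r["user"], "dormant_account", str(r["last_login"])))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit(USERS, TODAY):
        print(f"{user:12} {finding:20} {detail}")
```

In practice the export would come from the ERP's user administration screens or its identity provider, and the role templates would be the ones your access management policy already defines; the value of the script is that it turns "stick to the policy" into a report someone can act on each review cycle.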
With only single-factor authentication safeguarding your ERP solution, an attacker who compromises a user account, which can be as easy as a simple phishing email or sniffing a sign-in over a public network, can access and exfiltrate data. When you implement multifactor authentication, people must enter not only a user name and password but also an additional piece of information, such as a one-time code sent to their phone or email account. This extra step helps stop some of the common credential theft attacks that could be used against your ERP solution.
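The second step of that flow is simple to get wrong: a code that never expires, can be reused, or can be guessed at leisure gives back much of what the extra factor was supposed to add. The class below is an added example, not code from the original article or any ERP product. It models the server side of the one-time-code step after the password check has already passed; the delivery channel is a hypothetical `send` callback (SMS, email or an app), and the five-minute lifetime and five-attempt limit are assumptions.

```python
"""Server-side one-time-code step for a second factor (added example).

Assumes the first factor (user name and password) has already been checked.
Only a hash of the code is kept; the code itself goes out of band via `send`.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed guess budget per issued code


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class OneTimeCodeStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        # username -> [code_digest, expires_at, failed_attempts]
        self._pending = {}

    def issue(self, username, send):
        """Generate a fresh 6-digit code, remember its hash, deliver it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.random()
        self._pending[username] = [_digest(code), self._clock() + CODE_TTL_SECONDS, 0]
        send(username, code)

    def verify(self, username, submitted):
        """True only for the correct, unexpired code, once; then the code is consumed."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            # Expired or guessed too often: discard so the user must request a new code.
            del self._pending[username]
            return False
        entry[2] += 1
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(digest, _digest(submitted)):
            del self._pending[username]   # single use
            return True
        return False


if __name__ == "__main__":
    delivered = {}
    store = OneTimeCodeStore()
    store.issue("alice", lambda user, code: delivered.__setitem__(user, code))
    print("first use accepted:", store.verify("alice", delivered["alice"]))
    print("replay accepted:", store.verify("alice", delivered["alice"]))
```

Three properties matter here: the code is single use, it expires on its own, and a bounded number of wrong guesses discards it. Without the third, a six-digit code sent to a phone is only a million guesses away from being no factor at all.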
Your ERP solution is meant to make it easier for your employees to do their jobs, but if end users have trouble using the system because of lack of training, performance issues, or any other reason, they tend to rely on outside systems to do their jobs. A common example is analyzing data. When end users can’t get the reports they need, they may pull the data from the ERP solution and work with them in an application such as Microsoft Excel or Google Sheets.
Now those data exist outside the protected confines of your secured ERP environment.
Fixing this problem requires that you find out why people are relying on companion applications to do their work. If it’s a training issue, help them learn. If the ERP lacks capabilities, look for a module or customization that will help. If it’s a performance issue, get it fixed.
When a system houses as much data as your ERP solution does, it’s going to be a constant target for attackers. You don’t have to make things easier for them. Address security issues proactively, and train users properly on how to identify and report anything they find suspicious. By working to stay in front of cyber-criminals, you’re not only keeping your information safer but making yourself a less attractive target.