ERP security in a cybercrime world
Modern ERP security features are evolving and improving by the day. So why are businesses feeling more exposed than ever before? In part, it’s due to the rapid acceleration of digital and cloud technologies. By 2025, IDC predicts the number of IoT devices to rise to over 30 billion—and continue growing exponentially. Many of these devices are part of companies’ Industrial Internet of Things (IIoT) networks—and as such, they typically feed data into a central ERP system. These days, a modern cloud ERP is mission-critical to most businesses, helping to unify all business operations under a single system. Yet, this core feature may also be a weakness when it comes to cybersecurity, making it a one-stop portal into a lot of critical information.
Modern ERP and software security challenges
Traditional approaches to cybersecurity are no longer sufficient. The idea of building a secure perimeter around specific IT assets or databases, and then limiting and controlling access, is not effective in a cloud-connected ecosystem.
In a cloud ERP environment, organizations are recalibrating their approach to security as they share more responsibility with public cloud providers, and therefore focus less on the infrastructure and more on the application-side responsibilities they continue to own.
Ransomware and phishing attacks present a rapidly growing challenge. As ERPs are integrated across more departments, there are greater numbers of users with authorized access which—for hackers—means a richer hunting ground for phishing targets. Broader operational ERP integration also means a wider scope and range of valuable data contained within the ERP—which also raises its value as a hacking target. Additionally, with legacy ERP systems, attempts to expand ERP integration into new departments often require bolt-ons and custom coding, which can increase the potential attack surface. In other words: there are more weak spots in more places. This is compounded by an increase in remote and gig workers who require external access points.
Cybercriminals can steal and extort, but they can also shut down essential systems and grind entire operations to a halt. Large organizations (particularly in sectors like finance and insurance, manufacturing, business services, and healthcare) have long been a target. However, small and medium-sized businesses are increasingly being attacked—often due to their lack of security resources and expertise.
Every 11 seconds: a company was hit with ransomware in 2021.
$1.85M: average cost of recovering from a ransomware attack.
43%: share of all data breaches that involve small and medium businesses.
What types of ERP data do cybercriminals target?
Hackers steal all kinds of data for all sorts of reasons. But for the most part, corporate cybercriminals are after data, including ERP data, that can most quickly be monetized, whether by extorting the victimized company itself or by swindling—or otherwise damaging—customers or individuals named in the stolen data. This may result in attempts to directly access funds through credit card breaches or money transfers. But as financial and ERP databases tend to be some of the most well secured, hackers typically wreak havoc by accessing other types of more accessible data.
An additional layer of risk for businesses comes not only in the damage wrought on their profits, reputation, and customers—but from the risk of class action lawsuits brought by those individuals named in the stolen data. In cases where this data includes people’s sensitive personal, legal, or medical information, the damage from litigation can be irreparable.
Top 7 ERP security issues and how to fix them
1. Outdated software
The best ERP providers are relentless in their battle against new and emerging security risks. Any time such a risk is identified, a security patch is developed and distributed to customers. In the past, some businesses have ignored or delayed implementation of these updates for long periods of time, leaving their systems vulnerable. This is especially true in the case of older ERPs that have undergone numerous customizations and workarounds, making patch implementation more problematic to manage.
Fix: Updates and security patches need to be implemented regularly—despite the risk of outages and downtime—because new threats emerge all the time. Applying patches and updates to an on-premise ERP requires a risk-based approach that prioritizes the patches with the greatest security implications. While this is neither an easy nor a non-disruptive process, it is key to mitigating the risks. The same holds for businesses that run a hybrid ERP landscape.
With cloud ERP software, patch distribution and implementation is a seamless process that goes on behind the scenes by the service provider without any disruption to the business. Furthermore, automated patch management that comes with a cloud ERP deployment can help to ensure adherence to ever-changing compliance and governance rules.
2. Authorization issues
In today’s business climate, HR, IT, and other team managers are pressured to get new users up and running as quickly as possible, which can lead to a lack of stringency when handing out ERP authorizations, or even deactivating them when employees leave the company. Legacy ERP systems are often at greater risk for this situation due to outdated authentication capabilities and lack of automated workflows supporting authorization.
Fix: Modern ERP systems are built with risk in mind, including inherent provisioning and authentication capabilities and workflows that are sophisticated yet straightforward to use. Additionally, businesses can implement broader end-to-end security using identity access governance tools.
3. Inadequate security training
Circulating a training memo with your official phishing policy is not the same as coordinating regular, interactive learning sessions with all your teams. In fact, in a recent survey, 78% of organizations that felt their training methods were sufficient to eliminate phishing risks were surprised to find that 31% of their employees failed a basic phishing test. Weak passwords, a lack of phishing savvy, and poorly understood security protocols mean that even your most loyal and diligent employees can unwittingly put your business at risk.
Fix: Many employees simply lack awareness about the ways in which their innocent actions can cause risk or damage. Don’t leave cybersecurity training to the wrong people, nor put it low on the agenda against other priorities. Work with a professional to perform a risk audit across your business to find out where the weakest security links may be hiding. Work with your team leaders to build regular training plans that address their particular needs. Implement automated schedules for each department, with testing dates, certificate renewals, and refresher training courses.
4. Shortage of experienced ERP security staff
For businesses running legacy ERP software, IT teams must fully understand their specific and myriad ERP security risks—and be able to run and implement best-in-class security practices. This includes identifying threats, conducting vulnerability scans and penetration testing, creating incident response plans, and integrating the latest cybersecurity monitoring tools into outdated systems. In today’s climate, not only is it difficult to find and retain skilled professionals, it’s also expensive and time-consuming to fit in the growing number of training sessions required to keep IT teams up to speed with the lightning pace of digital security developments.
Fix: Cloud ERP provides enormous relief for this growing concern. The heavy-duty security functions such as 24/7 monitoring and disaster recovery are all handled by the vendor—seamlessly, in the cloud. What’s more, the day-to-day and more time-consuming IT tasks such as patch management, testing, and upgrades—can also be automated in the cloud and take place without any perceptible interruption.
5. Failure to comply with security and governance standards
As ERP systems are integrated across more and more departments, the scope of vulnerable data grows increasingly diverse, including things like secure product information, medical records, or intellectual property. The more sensitive the data (financial, medical, or legal for example) the more likely it is to have its own unique security and storage protocols. Failure to adhere to—or be aware of—these protocols, can lead not only to potential breaches of that data, but also to penalties and even legal repercussions for non-compliance.
Fix: Today, the best ERPs—with modern databases—can facilitate the centralized automation and control of a range of compliance protocols for a wide variety of data types. This means that IT teams can work with subject specialists across the business to initially determine the correct security standards, and then automate systems and user dashboards to ensure that the correct protocols are adhered to going forward.
6. One-factor authentication
One-factor authentication (a single password or passcode) is simply not enough. While most businesses are aware of this fact these days, more than 40% of organizations still fail to use two-step authentication on all potential ERP entry points. In other words, there is no point in protecting your most obviously crucial data with two-factor authentication (2FA) if other connected things like IoT devices or departmental applications are left vulnerable behind one-step passwords.
Fix: It’s essential for businesses of all sizes to immediately implement 2FA protocols (including security tokens or biometric scans) across all potential ERP entry points. This is a simple, low-cost fix that is extremely important.
7. Data export
Despite official protocols, users like to put things into spreadsheets or save them in other formats, so data export risks remain a problem for businesses.
Fix: Companies can control this somewhat by blocking Excel downloads or tracking user actions within the database. But at the end of the day, the best way to protect against data export is to limit the number of people who have access to vulnerable data. With a modern ERP, department heads can easily determine and set not only who gets to see what, but which elements of a data set they may access and view. And unlike legacy systems, cloud ERPs have integrated security features that can be automated to send notifications and prevent unauthorized commands, such as downloads or data exports.
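The access model described under issues 2 and 7 (deactivating accounts promptly, field-level visibility per role, treating export as a separately gated command that raises a notification when blocked) can be sketched in a few lines. This is an added illustration, not SAP code: the roles, fields, customer records and role-to-field policy are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed field-level policy for a hypothetical "customer" data set:
# each role sees only the columns it needs; export is a separate, stricter permission.
FIELD_POLICY = {
    "sales_rep": {"customer_id", "name", "region", "open_orders"},
    "finance":   {"customer_id", "name", "credit_limit", "bank_account"},
}
EXPORT_ROLES = {"finance"}
# Constructed sample records (all values are placeholders).
CUSTOMERS = [
    {"customer_id": 1001, "name": "Acme GmbH", "region": "EMEA",
     "open_orders": 3, "credit_limit": 50000, "bank_account": "DE00 PLACEHOLDER"},
    {"customer_id": 1002, "name": "Globex LLC", "region": "NA",
     "open_orders": 0, "credit_limit": 20000, "bank_account": "US00 PLACEHOLDER"},
]

@dataclass
class User:
    name: str
    role: str
    active: bool = True  # set to False at offboarding; access must stop immediately

@dataclass
class ErpAccess:
    records: list
    notifications: list = field(default_factory=list)  # alerts for the security team

    def _check_active(self, user):
        if not user.active:
            self.notifications.append(f"DENY {user.name}: deactivated account attempted access")
            return False
        return True

    def view(self, user, fields):
        """Return records projected to the fields the user's role may see; others are omitted."""
        if not self._check_active(user):
            return []
        allowed = set(fields) & FIELD_POLICY.get(user.role, set())
        return [{k: r[k] for k in allowed} for r in self.records]

    def export(self, user, fields):
        """Export (e.g. a spreadsheet download) needs an export role on top of field access."""
        if not self._check_active(user):
            return None
        if user.role not in EXPORT_ROLES:
            self.notifications.append(f"DENY {user.name}: export of {sorted(fields)} blocked")
            return None
        self.notifications.append(f"EXPORT {user.name}: {sorted(fields)}")
        return self.view(user, fields)
```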
ERP security: It’s all in the cloud
Visit the SAP Trust Center for more information on our global security approach.
Cyber ERP security best practices
Many of the issues and fixes that we have discussed relate to broader security strategies for optimizing your human and technological resources in a cybercrime world. The following are some additional best practice basics to help you get the most from the services and benefits associated with cloud ERP security functions and features:
- Ensure that service level agreements are in place for business continuity, disaster recovery, and uptime capabilities. Cloud-based tools can help to integrate these agreements in one place, across global operations, and automate updates.
- Perform hyperscaler, third-party audits. These independent third-party audits are essential to ensure cross-business compliance at all stages and to support things like Cybersecurity Maturity Model Certification (CMMC) and Zero Trust efforts.
- Encrypt all your data and focus on strengthening processes, protocols, and project management for all teams involved in ERP security practices. Particularly in areas of patch management, security configuration, vulnerability scanning, and threat management.
- Make the necessary consultancy investment in external, world-class cybersecurity experts to ensure that all your teams are well-versed in their roles and responsibilities in the areas of risk reduction.
- Ensure that 24/7 monitoring and proactive security management have been implemented across your business to improve incident responsiveness. This includes your ERP and any systems, devices, or IoT assets from which a hacker may gain access.
- Use a domain-based ERP testing approach to provide a consistent and replicable test process that addresses common attack vectors across the entire attack surface.
Next steps to better ERP security
Cybercrime affects us all and if businesses are to fight it, they must take a multi-pronged approach. Cloud ERP technologies are a great place to start—giving businesses a unified base from which to coordinate and automate a powerful and effective defense.
But in the end, your cybersecurity efforts begin and end with your people. Your team leaders and employees are part of the solution, but they can’t be expected to figure it out on their own. A good first step on your ERP cybersecurity journey is to build communication and training plans that involve interesting experts, hands-on learning, visual and practical lesson plans, and even some real-life examples of what can happen when it goes wrong. Specific training and certification measures are important, but it also works best to raise overall awareness of and interest in the topic.
Digital security is now a major part of all of our lives, so why not make learning about cybersecurity an engaging and intriguing experience?