Likely threats and security risks to ERP are increasingly sophisticated and diverse. You owe it to your customers, employees, and investors to secure your ERP infrastructure by using the best strategies, expertise, and technical tools available. In this eBook, we consider ERP security risks and effective, practical mitigation approaches.
Today’s powerful ERP systems help companies run business processes across their operations – manufacturing, supply chain management, sales, marketing, finance, and back-office business management. As systems of record, they are a repository of an organization’s data available in planning and decision-making, and provide the operational standard for processes.
In more recent years, as the conventional separation between ERP and customer relationship management (CRM) systems has largely disappeared in the cloud, ERP has also become a system of engagement, a key element in enabling a high-quality customer experience. In addition, ERP often serves as the foundation for exchanges and collaborations among teams and partnering companies involved in product development, marketing and sales campaigns, or mergers and acquisitions. In many companies, that means more data flowing through ERP, and more people who interact with ERP functions and data or benefit from the integrations of ERP solutions with other business systems.
Opening ERP to greater numbers of users and broadening its functional scope brings more security risks and greater vulnerability to business-critical software and data. Some integrations – for example, with ecommerce software – may further increase the vulnerability of ERP to digital malfeasance.
Unfortunately, ERP security is often not a prime consideration when companies evaluate and select ERP solutions and providers, and when they implement an ERP system. Typically, goals for ERP include managing growth, operating more efficiently, reducing costs, gaining greater agility, or becoming more competitive and innovative in services and products. Security may only come up as an afterthought. CIOs and ERP managers likely understand potential security risks, but may not hold enough sway to secure upfront planning or budgeting when other priorities promise desirable outcomes. While individuals may in many companies be accountable for compliance and physical security, it is not always clear who is responsible for the security of digital assets.
What is the likelihood that your organization will be compromised by a successful cyberattack in 12 months?
*Unless otherwise credited, statistics used in the infographics in this whitepaper come from the 2017 Cybersecurity Trends Report published by Crowd Research Partners in collaboration with the Information Security Community on LinkedIn. You can download a copy of the report at go.linomafiles.com/cybersecurity-trends-report-2017.
What activates the damage potential of ERP security risks and causes real harm is always people. Some of them you know: employees and contractors working within the organization. Others are outsiders. If your company owns intellectual property that a competitor could profit from, consider it at risk. That may include product designs, patents, formulas and compositions used in process manufacturing, prototype test results, product roadmaps, software code, and much more. If your customer data includes details that pinpoint people’s identities and reveal their financial information, that information can be resold or used by unauthorized parties. If your company is publicly traded, somebody might be interested in the internal data about stocks and business performance, because it could have a bearing on the share price. Even the details of your lean manufacturing process or agreements with suppliers may be of value to another organization.
Simple data theft is not the only external risk to your ERP system. An intruder with access to a company’s digital infrastructure could manipulate data and documents. For example, the Sikich security and compliance practice is aware of security breaches where intruders changed or attempted to change financial, production, or new-product information in the ERP system in an effort to make a company look weak. Those actions could help another organization acquire a company at a lower valuation. They could also jeopardize a company’s competitive advantage. Sometimes, competitors interested in finding shortcomings in another company’s compliance with regulatory mandates and industry quality standards may try to either locate or create data and records that might highlight compliance gaps or shortcuts. These could then be exploited to bring negative attention to a business or alienate its customers.
Tools for gaining unauthorized access to an organization’s data and ERP system from the outside are keeping pace with the vulnerabilities in ERP solutions and the company infrastructures on which they reside. By means of automation, the scanning of systems to highlight potential security flaws and entry points can be rapid and efficient, enabling criminals to do greater damage with less effort.
A report from a few years ago described ERP security risks in the oil and gas industry, where some of the most complex industrial processes could be attacked and manipulated by sophisticated intruders who might have far more in mind than simply stealing confidential data. Since then, we have observed this kind of attack periodically. Experts demonstrated how easy it would be for somebody to falsify information in companies’ inventories and production reports, thereby tricking decision-makers across the value chain to act based on bad data.
Slowing or disrupting highly automated processes, or creating the appearance of equipment and process breakdowns, are feasible and damaging forms of interference. They could prompt enterprises to divert people, resources, and budgets to investigations and repairs, and cause financial performance, stock price, and productivity to decline.
Within organizations, disgruntled employees and others wishing to sabotage the company are few compared to honest, well-meaning team members who can occasionally be careless. People expose a company to security risk, for instance, by using weak passwords, losing laptops and tablets, leaving data storage devices unattended in the open, accessing confidential information when their screens are in view of unauthorized parties, or sharing sensitive data in phone calls that can be overheard.
It is also not uncommon that outside parties practice social engineering. They try to influence employees to disclose company data or trick them into taking steps that could expose data and systems to risk. Even knowing better, people click on links in emails from unknown parties or pick up and insert a USB drive found in the parking lot.
When hopeful digital intruders invest more effort, for instance, by pretending to be help desk workers or contractors working on updating the ERP system, they can get very far in gathering passwords and gaining access to sensitive data. Downright bribing or otherwise coercing a person to steal data and records or cooperate with those intent on harming a company is rare, but it can happen in extremely competitive industries or when potential financial or other payoffs are high.
In Sikich’s experience, the ERP systems in many manufacturing and distribution companies are highly at risk for data breaches, intrusion, theft, and manipulation. Many manufacturers have not effectively safeguarded their digital assets as hackers and threats have become more sophisticated. Often, manufacturers’ awareness of security risks is low, and they tend to locate those risks in customer-facing, engineering, or finance systems rather than in production processes and systems. Some executives in smaller manufacturing companies erroneously believe that hackers and criminals are likely to aim for the largest companies in the industry. However, one report found that 43 percent of cyberattacks target smaller organizations, with manufacturing ERP systems particularly vulnerable.
Even if ERP itself is relatively sound, integrations with ecommerce, collaboration, product lifecycle management (PLM), and other systems used in manufacturing businesses may present additional gaps and access opportunities to unauthorized parties. In some manufacturing companies, regulatory compliance has been the driver for securing data and systems. When it comes to such comprehensive regulations as the Defense Federal Acquisition Regulation Supplement (DFARS) in the U.S. or the General Data Protection Regulation (GDPR) for companies that do business in any country belonging to the European Union, letting compliance drive ERP security can be helpful, but cannot replace a comprehensive security strategy. And, when their compliance has gaps, manufacturers stand to greatly increase their risk exposure – both in terms of penalties from regulators and from people looking to penetrate their systems.
In distribution companies, ERP has become more vulnerable in recent years as employees, trading partners, and customers access ERP data and capabilities from more numerous and varied devices than ever before. Leading ERP vendors and their ISV communities offer mobile, cloud-based ERP to enable anywhere, anytime productivity, and uptake has been enthusiastic. In the rush toward responsiveness and efficiency, security can slip to a minor concern, partly because the basics of securing the ERP infrastructure in the cloud are often well handled by the providers.
Distributors are offering more potentially vulnerable online portals and collaboration resources to their customers and trading partners. Many self-service capabilities interact with the ERP system to give users information about orders, shipping status, or product details. Sometimes, provisioning grants a higher level of access than is necessary, for example, when collaborations rely on warehouse and shipping data from the ERP system and involve people from inside and outside of a company. We also see that temporary authorizations and access privileges are not always revoked when they are no longer required, but linger on, presenting a security risk.
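The three access problems just described (provisioning beyond need, external collaborators with write-level roles, and temporary grants that outlive their purpose) are exactly what a periodic entitlement review should surface. The following is an added example, not code from this paper or from any ERP product; the grant records, role names and required-role mapping are constructed for illustration.

```python
from datetime import date

# Constructed sample of ERP access grants (illustrative, not real accounts).
# "expires" is None for standing access; temporary grants carry an end date.
GRANTS = [
    {"user": "jdoe",         "role": "warehouse_read", "expires": None,              "external": False},
    {"user": "jdoe",         "role": "finance_post",   "expires": None,              "external": False},
    {"user": "partner_acme", "role": "shipping_read",  "expires": date(2024, 6, 30), "external": True},
    {"user": "partner_acme", "role": "shipping_write", "expires": date(2024, 1, 15), "external": True},
    {"user": "contractor_x", "role": "erp_admin",      "expires": date(2024, 2, 1),  "external": True},
    {"user": "msmith",       "role": "finance_post",   "expires": None,              "external": False},
]

# Roles each account actually needs for its current work (constructed; in
# practice this comes from the role owner or the scope of the collaboration).
REQUIRED_ROLES = {
    "jdoe": {"warehouse_read"},
    "partner_acme": {"shipping_read"},
    "contractor_x": set(),   # engagement has ended, nothing is needed any more
    "msmith": {"finance_post"},
}

def lingering_temporary_grants(grants, today):
    """Temporary grants whose end date has passed but that are still active."""
    return sorted((g["user"], g["role"]) for g in grants
                  if g["expires"] is not None and g["expires"] < today)

def over_provisioned(grants, required):
    """Grants beyond the stated need; accounts with no entry need nothing."""
    return sorted((g["user"], g["role"]) for g in grants
                  if g["role"] not in required.get(g["user"], set()))

def external_write_access(grants):
    """External identities holding roles that can change ERP data."""
    return sorted((g["user"], g["role"]) for g in grants
                  if g["external"] and not g["role"].endswith("_read"))

if __name__ == "__main__":
    today = date(2024, 5, 1)  # constructed review date
    findings = (("Expired temporary grants", lingering_temporary_grants(GRANTS, today)),
                ("Grants beyond stated need", over_provisioned(GRANTS, REQUIRED_ROLES)),
                ("External accounts with write roles", external_write_access(GRANTS)))
    for title, rows in findings:
        print(title)
        for user, role in rows:
            print(f"  {user}: {role}")
```

Each finding is a candidate for revocation or a documented exception; running the review on a schedule is what keeps temporary grants from lingering.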
Threats are increasing in frequency and speed. Serious disruption to your ERP system could cost your company dollars and time. This is not hypothetical: it has happened, and it will continue to happen until companies realize that securing the ERP system may be the best thing they can do for their business.