Today’s powerful ERP systems are at the center of a company. That makes them the perfect, high-value target for cyber crime.
Likely threats and security risks to ERP are increasingly sophisticated and diverse. You owe it to your customers, employees, and investors to secure your ERP infrastructure by using the best strategies, expertise, and technical tools available. In this eBook, we consider ERP security risks and effective, practical mitigation approaches.
ERP: AN ATTRACTIVE TARGET FOR DIGITAL ATTACK
Today’s powerful ERP systems help companies run business processes across their operations – manufacturing, supply chain management, sales, marketing, finance, and back-office business management. As systems of record, they are a repository of an organization’s data available in planning and decision-making, and provide the operational standard for processes.
In more recent years, as the conventional separation between ERP and customer relationship management (CRM) systems has largely disappeared in the cloud, ERP has also become a system of engagement, a key element in enabling a high-quality customer experience. In addition, ERP often serves as the foundation for exchanges and collaborations among teams and partnering companies involved in product development, marketing and sales campaigns, or mergers and acquisitions. In many companies, that means more data flowing through ERP, and more people who interact with ERP functions and data or benefit from the integrations of ERP solutions with other business systems.
Opening ERP to greater numbers of users and broadening its functional scope brings more security risks and greater vulnerability to business-critical software and data. Some integrations – for example, with ecommerce software – may further increase the vulnerability of ERP to digital malfeasance.
Unfortunately, ERP security is often not a prime considerationwhen companies evaluate and select ERP solutions and providers, and when they implement an ERP system. Typically, goals for ERP include managing growth, operating more efficiently, reducing costs, gaining greater agility, or becoming more competitive and innovative in services and products. Security may only come up as an afterthought. CIOs and ERP managers likely understand potential security risks, but may not hold enough sway to secure upfront planning or budgeting when other priorities promise desirable outcomes. While individuals may in many companies be accountable for compliance and physical security, it is not always clear who is responsible for the security of digital assets.
What is the likelihood that your organization will be compromised by a successful cyberattack in 12 months?
Extremely likely
Moderately likely
Slightly likely
Very likely
Not at all likely
7%
31%
32%
16%
14%
% predict increased cyberattacks.
*Unless otherwise credited, statistics used in the infographics in this whitepaper come from the 2017 Cybersecurity Trends Report published by Crow Research Partners in collaboration with the Information Security Community on LinkedIn. You can download a copy of the report at go.linomafiles.com/cybersecurity-trends-report-2017.
Bad actors of many shades
What activates the damage potential of ERP security risks and causes real harm is always people. Some of them you know: employees and contractors working within the organization. Others are outsiders. If your company owns intellectual property that a competitor could profit from, consider it at risk. That may include product designs, patents, formulas and compositions used in process manufacturing, prototype test results, product roadmaps, software code, and much more. If your customer data includes details that pinpoint people’s identities and reveal their financial information – that is information that can be resold or used by unauthorized parties. If your company is publicly traded, somebody might be interested in the internal data about stocks and business performance, because they could have a bearing on the price of stock. Even the details of your lean manufacturing process or agreements with suppliers may be of value to another organization.
Smart and efficient intruders
Simple data theft is not the only external risk to your ERP system. An intruder with access to a company’s digital infrastructure could manipulate data and documents. For example, the Sikich security and compliance practice is aware of security breaches where intruders changed or attempted to change financial, production, or new-product information in the ERP system in an effort to make a company look weak. Those actions could help another organization acquire a company at a lower valuation. They could also jeopardize a company’s competitive advantage. Sometimes, competitors interested in finding shortcomings in another company’s compliance with regulatory mandates and industry quality standards may try to either locate or create data and records that might highlight compliance gaps or shortcuts. These could then be exploited to bring negative attention to a business or alienate its customers.
Tools for gaining unauthorized access to an organization’s data and ERP system from the outside are keeping pace with the vulnerabilities in ERP solutions and the company infrastructures on which they reside. By means of automation, the scanning of systems to highlight potential security flaws and entry points can be rapid and efficient, enabling criminals to do greater damage with less effort.
Broad range of digital malfeasance
A report from a few years ago described ERP security risks in the oil and gas industry, where some of the most complex industrial processes could be attacked and manipulated by sophisticated intruders who might have far more in mind than simply stealing confidential data. Since then, we have observed this kind of attack periodically. Experts demonstrated how easy it would be for somebody to falsify information in companies’ inventories and production reports, thereby tricking decision-makers across the value chain to act based on bad data. Slowing and disrupting highly automated processes or creating the appearance of equipment and process breakdowns can be highly feasible, damaging interferences. These could prompt enterprises to divert people, resources, and budgets to investigations and repairs, and cause financial performance, stocks, and productivity to decline.
Top 5 barriers inhibiting an organization from defending against cyberthreats
Lack of Skilled Personnel
Budget
Management Support
45% of companies need better training to defend against cyberthreats collaboration
45% reported they had insufficient budget to invest in the tools that prevent and warn against awareness
31% lack awareness in management functions to address cybercrime.
32% lack the necessary collaboration frameworks
40% of companies have low employee awareness
Exploiting carelessness and misplaced trust
Within organizations, disgruntled employees and others wishing to sabotage the company are few compared to honest, well-meaning team members who can occasionally be careless. People expose a company to security risk, for instance, by using weak passwords, losing laptops and tablets, leaving data storage devices unattended in the open, accessing confidential information when their screens are in view of unauthorized parties, or sharing sensitive data in phone calls that can be overheard.
It is also not uncommon that outside parties practice social engineering. They try to influence employees to disclose company data or trick them into taking steps that could expose data and systems to risk. Even knowing better, people click on links in emails from unknown parties or pick up and insert a USB drive found in the parking lot.
When hopeful digital intruders invest more effort, for instance, by pretending to be help desk workers or contractors working on updating the ERP system, they can get very far in gathering passwords and gaining access to sensitive data. Downright bribing or otherwise coercing a person to steal data and records or cooperate with those intent on harming a company is rare, but it can happen in extremely competitive industries or when potential financial or other payoffs are high.
Where some industries are most vulnerable
Manufacturers have fallen behind in securing ERP
In Sikich’s experience, the ERP systems in many manufacturing and distribution companies are highly at risk for data breaches, intrusion, theft, and manipulation. Many manufacturers have not effectively safeguarded their digital assets as hackers and threats have become more sophisticated. Often, manufacturers’ awareness of security risks is low, and they tend to be locate them more in customer-facing, engineering, or finance systems than in production processes and systems. Some executives in smaller manufacturing companies erroneously believe that hackers and criminals are likely to aim for the largest companies in the industry. However, one report found that 43 percent of cyber attacks target smaller organizations, with manufacturing ERP systems particularly vulnerable.[1]
Even if ERP itself is relatively sound, integrations with ecommerce, collaboration, product lifecycle management (PLM), and other systems used in manufacturing businesses may present additional gaps and access opportunities to unauthorized parties. In some manufacturing companies, regulatory compliance has been the driver for securing data and systems. When it comes to such comprehensive regulations as the Defense Federal Acquisition Regulation Supplement (DFARS) in the U.S. or the General Data Protection Regulation (GDPR) for companies that do business in any country belonging to the European Union, letting compliance drive ERP security can be helpful, but cannot replace a comprehensive security strategy. And, when their compliance has gaps, manufacturers stand to greatly increase their risk exposure – both in terms of penalties from regulators and from people looking to penetrate their systems.
Unpatched software accounts for about 90% of cybercrime
90%
Companies miss as much as 40% of the threats aimed at their systems
40%
Increased digital risks for distributors
In distribution companies, ERP has become more vulnerable in recent years as employees, trading partners, and customers access ERP data and capabilities from more numerous and varied devices than ever before. Leading ERP vendors and their ISV communities offer mobile, cloud-based ERP to enable anywhere, anytime productivity, finding enthusiastic uptake. Security can become a minor concern in the rush toward responsiveness and efficiency, also because the basics of securing the ERP infrastructure in the cloud are often well handled by the providers.
Distributors are offering more potentially vulnerable online portals and collaboration resources to their customers and trading partners. Many self-service capabilities interact with the ERP system to give users information about orders, shipping status, or product details. Sometimes, provisioning grants a higher level of access than is necessary, for example, when collaborations rely on warehouse and shipping data from the ERP system and involve people from inside and outside of a company. We also see that temporary authorizations and access privileges are not always revoked when they are no longer required, but linger on, presenting a security risk.
Don’t scramble to gather a strategy, build one now
Threats are increasing in frequency and speed. Serious disruption to your ERP system could cost your company dollars and time. This isn’t some hypothetical, this has happened and it will continue to happen until companies realize that securing your ERP system may be the best thing you can do for your business.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
About the Author
Sikich
Sikich is a global company specializing in technology-enabled professional services. With more than 1,900 employees, Sikich draws on a diverse portfolio of technology solutions to deliver transformative digital strategies and is comprised of one of the largest CPA firms in the United States. From corporations and not-for-profits to state and local governments and federal agencies, Sikich clients utilize a broad spectrum of services* and products to help them improve performance and achieve long-term, strategic goals.
*Securities offered through Sikich Corporate Finance LLC, member FINRA/SIPC. Investment advisory services offered through Sikich Financial, an SEC Registered Investment Advisor.
Sign up for Insights
Join 14,000+ Business executives and decision makers.
Latest Insights
Dynamics 365
5 Tips to Minimize ERP Implementation Disruption
October 9, 2024
Dynamics 365
5 Tips to Minimize ERP Implementation Disruption
October 9, 2024
ERP implementation and disruption go hand in hand.
It’s unavoidable.
An ERP touches every part of your business.
Most executives understan...
Microsoft Teams has become an essential tool in remote and hybrid work environments, offering communication and collaboration across many companies a...
Manufacturers’ Path to the Cloud: Where Do They Stand?...
October 3, 2024
Manufacturing
Manufacturers’ Path to the Cloud: Where Do They Stand?...
October 3, 2024
To cloud or not to cloud? For manufacturers considering integrating new technology, the cloud is an attractive option, particularly for greater secur...
Innovate the Insurance Customer Experience and Competitively...
October 2, 2024
AI
Innovate the Insurance Customer Experience and Competitively...
October 2, 2024
Generative AI capabilities and AI-infused automations in Salesforce allow insurance companies to empower every employee to make a difference for cust...
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.