Enterprise resource planning (ERP) software is highly valuable to companies because it acts as a centralized location to store, access, and manipulate business data. Sometimes, the data that is stored is highly sensitive or contains protected consumer information, like financial or personal data. This confidential information is exactly what hackers break into systems to get.
In 2018, Digital Shadows, a digital risk management firm, and Onapsis, an ERP cybersecurity and compliance firm, released a report detailing attacks on business systems around the world. They identified thousands of security vulnerabilities in ERP software from big vendors like Oracle and SAP. The number of vulnerabilities becomes even more worrisome when combined with the fact that the report also found a 160 percent increase in “the activity and interest in ERP-specific vulnerabilities” in just one year.
Vulnerability assessment: Who is most at risk?
There’s a lot of data in a world where everything from toasters to mailboxes is “smart.” Not all data is of equal value, either. Software login passwords are more sensitive and valuable than whatever data a smart toaster is logging.
Companies that specialize in healthcare have some of the most valuable data to attackers. Reuters claims that “Your medical information is worth 10 times more than your credit card number on the black market.” This is because hackers can use health information to file false claims to insurance companies and purchase drugs and medical equipment for resale on the black market.
Financial companies are also extremely vulnerable to attacks and security threats. If hackers gain access to the personally identifiable information (PII) that most banks keep about their customers, such as social security numbers (SSN), they can easily use it to steal identities. Additionally, attackers might try to gain access to customers’ bank accounts and credit cards.
A 2018 report by the Ponemon Institute about the state of cybersecurity in small and medium-sized businesses found that 67 percent of the companies surveyed had experienced a cyber attack in the past year. On average, those companies spent $1.43 million on the aftermath of cyberattacks, which is 33 percent higher than the previous year.
This is why it’s more important than ever to make security and cyber threat intelligence top priorities for your ERP.
What causes ERP systems to be vulnerable?
The most common ERP mistakes come from human error, such as poor planning and using out-of-the-box solutions without considering your specific needs. ERP systems also have inherent challenges.
The systems are complex. Large systems, particularly out-of-the-box enterprise-grade ones, tend to be extremely complicated. As these systems are built to handle many use cases for thousands of customers, the code becomes enormously complex. Elaborate systems often create errors unforeseen by the developers.
There are many users. Because many data breaches are the result of human negligence, every new user increases the risk of attack. Employees tend to be careless with passwords, sometimes choosing overly simple ones or storing them out in the open. Cybercriminals can also trick people into revealing their credentials through phishing, or steal them outright with banking trojans.
Lack of a security champion. If no one is driving security as a software requirement, then it is unlikely to be given the proper attention. Security champions are people who will learn about ERP security, identify vulnerabilities, and stay up-to-date on the best practices for preventing cyber attacks. Without someone leading the effort (like a chief information security officer or CISO), security flaws are bound to go unnoticed.
Fortunately, there are simple steps that you can follow to safeguard your business against cyber attacks.
ERP security checklist
▢ Update software with recent security patches
It’s way too easy to ignore notifications that tell you to update your software. Unfortunately, this creates a huge vulnerability that hackers love to take advantage of. Software updates are important because they often include critical security patches that are necessary to keep your systems safe. Patching is generally the result of providers discovering security flaws through audits or breaches. Keeping up-to-date is one of the easiest ways to keep the cyber attackers at bay.
Don’t forget that firewalls, antivirus, and anti-malware software should be installed and kept updated as well.
▢ Control access to your ERP using permission levels
Your ERP application should allow you to give different users varying levels of access to data and sensitive information in your program. Be sure that only the users who need the data—and are certified to access it—are able to get it.
This is especially important for healthcare-related systems. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) comprises “national standards for the protection of certain health information.” A violation of HIPAA means you are breaking the law.
▢ Establish and enforce password policies
It’s important to establish a clear password policy and require employees to follow it. This should include rules like:
- Do not share your password with anyone.
- Do not write your password down anywhere.
- Do not use a simple or easy-to-guess password.
- Do not reuse a password you have used before.
- Only use passwords with 15+ characters, at least two numbers, and one special symbol.
- Change your password every three months.
You can also enforce extra security measures, such as two-factor authentication and single sign-on (SSO).
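The checklist rules that a system can actually verify (length, digit and symbol counts, guessability, reuse, and rotation age) can be enforced in code at password-change time. The following is an added example, not code from the original post or from Zibtek; the weak-word denylist and the rotation interval of 90 days are constructed assumptions standing in for a real breached-password list and your own policy.

```python
import hashlib
import re
from datetime import date, timedelta

# Thresholds taken from the checklist above; WEAK_TOKENS is a constructed
# stand-in for a real list of common or previously breached passwords.
MIN_LENGTH = 15
MIN_DIGITS = 2
MIN_SPECIALS = 1
MAX_AGE_DAYS = 90            # "change your password every three months"
WEAK_TOKENS = {"password", "123456", "qwerty", "letmein"}

SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")


def history_digest(password):
    """Digest used to keep a reuse history without storing plaintext.
    A real deployment should store a salted, slow hash (bcrypt/argon2) instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password_policy(password, history=()):
    """Return the list of rules a candidate password breaks ([] means it passes).

    `history` is an iterable of history_digest() values for the user's past passwords.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"must be at least {MIN_LENGTH} characters")
    if sum(ch.isdigit() for ch in password) < MIN_DIGITS:
        violations.append(f"must contain at least {MIN_DIGITS} digits")
    if len(SPECIAL_RE.findall(password)) < MIN_SPECIALS:
        violations.append("must contain at least one special symbol")
    lowered = password.lower()
    if any(token in lowered for token in WEAK_TOKENS):
        violations.append("is too easy to guess")
    if history_digest(password) in set(history):
        violations.append("must not reuse a previous password")
    return violations


def password_expired(last_changed, today=None):
    """True when the password (ISO date of last change) is older than MAX_AGE_DAYS."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return now - changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    old = [history_digest("Purple!Monkey-Dishwasher42")]
    print(check_password_policy("Tr0ub4dor&3"))
    print(check_password_policy("Purple!Monkey-Dishwasher42", old))
    print(password_expired("2024-01-01", today="2024-04-01"))
```

Run the check on every password change and the expiry check at login so a user is forced through the change flow once the rotation interval has elapsed.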
▢ Conduct regular security audits
While it is challenging to test systems for vulnerabilities and impossible to detect them all, it’s still important to do regular audits. Once you have selected a security champion (or a team of security champions), have them periodically check the system. Unfortunately, there are not a lot of automated tools to complete ERP security testing yet due to the complex nature of the software, so manual testing must be done.
▢ Enforce encryption for remote and onsite workers
Employees who work from home, or from anywhere on a network that could be compromised, may open up your system to attacks. Be sure to require encryption and a VPN for remote workers.
How does custom software help?
Large ERP solutions that are built for countless customers who make complicated customizations present enormous security flaws. Fortunately, there are other options.
Custom software is much easier to keep secure because it is built with only one customer in mind. This keeps the code far less complex than out-of-the-box software.
Additionally, custom software can be created to meet your business processes and specific security needs. For instance, if your company specializes in healthcare then HIPAA compliance can be a key deliverable.
If you’re interested in hearing more about how Zibtek prioritizes security in every project, reach out for a quick chat or free consultation.