ERP ‒ the underestimated threat to your cyber security [Part 1]

ERP systems are increasingly becoming a technological hub. They collect and analyse data that is crucial to the company’s progress. But despite their huge importance, the security of these solutions is scarcely even a consideration. Cyber security must play a central role in decision-making for ERP. What can happen when there is no protection was demonstrated in a presentation at the Black Hat Europe conference at the end of 2015, when experts attacked the ERP applications of an oil company to manipulate the pipeline pressure. In this article, we will show you where the specific vulnerabilities are and what companies can do to brace themselves.

Risks in ERP systems

It’s the same issue with all software: the more complex it is, the more error-prone it is. ERP systems are no exception. On top of that, many companies have been using the same ERP system for decades. Companies forgo software maintenance for financial reasons and so are often working with outdated technology that makes attacks easier. Another vulnerability lies in the growing levels of networking with other companies. E-commerce, in particular, requires interfaces within and outside the customer network that bridge the gap between the company and marketplaces such as Amazon and eBay. These interfaces are invariably critical points of attack. If the latest encryption technology is not in use here, the system has a serious vulnerability that offers the potential for data theft.

Many companies are committed to IT risk management and end-user security for good reason, yet one issue that is often neglected is the distribution of access rights. What is needed are control mechanisms that only allow certain people to make changes to programs, processes and/or data. This is why ERP security is becoming an important building block in cyber security, but in our experience, far too few companies are aware of this. We believe that this is careless. It is important to firmly anchor this business-critical application within a sophisticated security concept.

Looking at ERP systems in the overall context of cyber security

When companies’ business processes are changing towards digitalisation, mobility or the cloud, this cannot be done without IT and cyber security. The first step in the strategy should be to establish the strategic direction, priorities and focus of all business activities so that efforts are concentrated. Factors such as the company’s current position and capabilities must be taken into account. This involves assessing which services are to be provided internally and which ones need to be sourced from external service providers. The suppliers’ risk management also plays a crucial role here. How to deal with this aspect has already been explained in detail in a series of blog posts.

The ERP system as a critical component

Market cycles continue to become shorter ‒ this is no doubt true for your company as well. Business-critical decisions have to be made faster and faster. The magic word is real-time processes, and to achieve them you also have to adapt your ERP landscape. That’s why trends in ERP systems are moving towards cloud-based operations. How dependent users are on a cloud solution only becomes clear once it is no longer available, and failures in a company's core system often result in an immediate breakdown of all activities. Confidence in the reliability of a cloud solution or platform will be an even more important factor in deploying it in the future.

For a company, any disruption to its systems is critical. In the worst-case scenario, it can disrupt the entire business and result in major financial losses. This is why ERP system security is one of the most important challenges for companies. Everyone with responsibility for security, as well as management, must be aware of this.

As you can see, the only way to minimise the risk of failure, of a negative impact on system and data integrity, or of unintentional disclosure of trade secrets is to use targeted security measures. Unfortunately, there is no such thing as the ultimate security tip. Rather, it takes a combination of several measures. In addition to being aware of the vulnerabilities and knowing how to address them, ERP security needs to be firmly anchored within a thoroughly designed security concept. In our opinion, those who try to make savings here are acting recklessly. ERP systems in particular have increasingly become the focus of financial audits in recent years, due to increasing digitalisation and the growing pervasiveness of information systems that support all business processes.

In addition to classical audit procedures, auditors are increasingly confronted with the task of confirming the reliability and integrity of the information systems that are ultimately used to produce financial statements. There are many auditing companies that can carry out complex audits and assessments to identify vulnerabilities in ERP systems such as SAP and to determine the measures to be taken.

Coming soon: SAP security ‒ security for standardised ERP software

In Switzerland, SAP provides the most common ERP solution for medium and large companies and offers a comprehensive range of solutions with a high level of integration capabilities. However, it is important to note that only a stable, accessible and secure SAP infrastructure (either on the premises or in the cloud) can guarantee that your SAP system landscape operates in a secure, efficient way.

About the author / Michel Kühne

InfoGuard AG - Michel Kühne, Cyber Security Consultant
