Hackers Are Targeting Your ERP Security—Here’s What You Can Do About It

By: Zach Hale on October 2, 2018

Enterprise resource planning (ERP) software isn’t just attractive to cybercriminals—it’s the crown jewel. Since an ERP integrates many disparate systems, a hacker can gain access to the most critical data from across a business’s various departments: company financials, manufacturing blueprints, private customer information etc.

The U.S. Department of Homeland Security recently issued a warning to businesses that hackers are specifically targeting widely-used legacy ERPs, citing a study by cybersecurity guardians Onapsis and Digital Shadows, titled “ERP Applications Under Fire: How Cyberattackers Target the Crown Jewels.”

The study details the specific ways in which bad actors exploit vulnerabilities in ERP software.

Why was the government compelled to issue such a warning? Simply put, many businesses still struggle to prioritize security and safeguard against the most relevant threats to their ERPs.

It’s an alarming situation for businesses of all sizes. But if businesses reinforce internet-facing ERP data and insecure integrations, while performing regular security updates and improving password hygiene, they’ll significantly reduce their vulnerability to would-be hackers.

Here are the approaches we’ll cover:


Restrict System Access to Internet-Facing ERPs

Strengthen Insecure Integrations

Install Software Updates As Soon As Possible

Exercise Healthy Password Hygiene

Stay Current on Known ERP Security Issues

Restrict System Access to Internet-Facing ERPs

It’s 2018, which means most new ERP applications are now internet-facing. This is especially relevant when talking about cloud-based ERPs. Having a cloud-based ERP can offer numerous benefits to businesses, but they should shield web-accessible ERP data from being compromised at all costs.

The Onapsis and Digital Shadows study found thousands of insecure ERP deployments with technical components exposed for all of the hacking world to see. Using a process known in the hacking community as Google Dorks (a fancy way of manipulating search engines to find hidden information on a website), researchers pinpointed these internet-facing ERP applications with relative ease.

Google-Dork-query-example

Example of a Google Dork query (Source)

Businesses can identify their own ERP vulnerabilities by executing these queries, which in turn will allow them to patch the individual breakage points.

But the most reliable way to combat these leaks is to restrict system access to users who access the network behind a firewall or a company VPN connection. These are essential security tools that every business should employ, but are not given adequate consideration in the early stages of ERP deployment.

Strengthen Insecure Integrations

ERP software’s defining characteristic is its ability to integrate numerous platforms into a single, unified system. With the rise of the postmodern approach to ERP deployment, the security of these integrations becomes even more critical.

The report recommends routinely mapping interfaces and APIs between ERP applications, so connections remain secure as businesses update and modify the software to their liking.

This can include links between systems—including pre-production, development and quality assurance—that serve as a pivot point between various stages of the production process. The information being transmitted between these systems can be easily susceptible to mishandling.

It also suggests regular assessment of existing configurations and their suitability for encryption, which can prevent would-be hackers from deciphering the data should they ever seize control of it.

Install Software Updates As Soon As Possible

No one knows security vulnerabilities better than the software provider itself. Once a vendor identifies a threat, they address it in the form of a security patch or software update. These are arguably the most important tools for safeguarding ERP data from those who seek to exploit it.

But not too long ago, updates to ERP software were relatively infrequent, with providers sometimes going more than a year without a full-fledged security upgrade. ERPs suffer from a complex system architecture, numerous customizations and a limited capacity for downtime.

Impediments like these contribute to ERP’s reputation for being difficult to update—and many businesses, either knowingly or out of ignorance, leave their systems susceptible to attacks by simply not bothering.

In cloud-based ERP systems, however, vendors automatically push through these security updates, offering more timely protection against the latest known vulnerabilities. It’s one of the greatest advantages of cloud-based ERP software, and a big reason why cloud adoption is increasing so rapidly.

Exercise Healthy Password Hygiene

A strong password is one of the best defenses against unauthorized access. This might seem obvious, but the study found that cyber attacks frequently occur because of poor password hygiene. One of the most egregious, and unfortunately common, examples of poor password hygiene is using system default passwords that are easy for hackers to guess.

But healthy password practices need to be adopted by an entire organization: a Software Advice survey found that only 56 percent of employees consider their passwords “extremely secure” or “very secure.”

Employee Assessment of Workplace Password Security

password-security

Extrapolating from this survey, nearly half of all ERP applications could be susceptible to password theft—a number even more remarkable when you consider that this is the easiest and most logical ERP security precaution.

If the majority of your users are part of the 44 percent whose password practices are insecure, be sure to require they follow these password management best practices:

  • Use a combination of letters (capitalized and lowercase), numbers and symbols

  • Update passwords regularly

  • Create a unique password for every application

  • Implement two-factor authentication

  • Utilize password management software to generate and store passwords

Stay Current on Known ERP Security Issues

Given how rapidly cybersecurity threats can evolve, staying in the know is crucial. Here’s how to stay informed on all things related to ERP security:

  • Talk to your ERP vendor about any known security issues or vulnerabilities specific to their software.

  • Allocate in-house resources to constantly monitor for potential threats and breakage points within your existing configuration, or consider hiring a dedicated team of ERP security experts and consultants to do the heavy lifting.

  • Monitor industry developments through ERP-focused news outlets and research reports. For starters, you can bookmark our resources page and read this article on ERP security threats.

  • Give us a call at (844) 686-5616. Our software advisors are available to offer their expertise and answer your most pressing security questions in a free, no-obligation 15-minute consultation.