5 ERP Security Threats You Can Stop Right Now

By: Zach Hale on August 8, 2018

In late July, the U.S. Department of Homeland Security (DHS) issued a warning to businesses: Hackers are targeting your ERP systems. This isn’t a new revelation, however; it’s the new normal in an era of increased cyberattacks, malware issues and security threats, a time when improper data management can devastate your company.

Thankfully, business owners have taken note. A recent Gartner study found that:

  • Forty-nine percent of businesses polled named security concerns a top challenge when planning investment in new technology.

  • Sixty-nine percent said data and information security is critical to their business.

Nowhere are these concerns more pertinent than with ERP software, which stores everything from financial and accounting data to the most sensitive customer information. Small and midsize businesses, which often lack the resources of larger enterprise corporations, are particularly at risk.

But by taking the following five precautions, small and midsize businesses (SMBs) can avoid the pitfalls of on-premise ERP security threats and preserve the level of trust, customer loyalty and revenue required to run a secure and successful business.

Here’s what we’ll cover:

1. Software Vulnerabilities: Keep Software Up-to-Date

2. Data Risk: Limit the Use of External Applications

3. Implementation Gaps: Double- and Triple-Check Your System Configurations

4. Human Error: Vet and Train Those With Access

5. Law-Breaking: Ensure Compliance With Regulatory Standards

Next Steps

null  1. Software Vulnerabilities: Keep Software Up-to-Date

Not updating your software is like not changing the oil in your car; you might be OK in the short term, but it will catch up to you eventually.

Hackers are always coming up with new ways to identify and attack vulnerabilities in a given piece of software. It’s a constantly evolving threat, and almost every new update at least in part addresses any known vulnerabilities.

Just ask FedEx, Russia’s Interior Ministry or Britain’s public health system. All of the above were devastated by a massive global cyberattack in 2017. The attack exploited susceptibilities in software managed by Microsoft—which, it turns out, had issued a patch two months prior to address the exact vulnerability the hackers exploited.

 SOLUTION:  Whenever your ERP platform releases a new update, install it as soon as possible. Every minute you go without updating leaves your business’s critical information exposed and at risk of being attacked. Not only is it the single most effective way to counter cybersecurity threats—it’s also one of the easiest.

null  2. Data Risk: Limit the Use of External Applications

If your ERP system doesn’t provide all the functionality needed to access, analyze and report on your critical business information, you’ll need to integrate it with external applications. But after you start using external applications, your data is at risk.

The more you spread out your data among non-ERP software, the harder it is to manage it, keep track of it, back it up and defend it from malicious threats.

For example, an SMB managing the same data in both an ERP and Microsoft Excel not only runs the risk of having discrepancies between the two systems. By storing the data in multiple locations, you’ll require twice the resources to protect it—making it twice as vulnerable.

 SOLUTION:  The best practice is to house all relevant data within an on-premise ERP system with integrated applications. If you can’t do this, consider upgrading to a new ERP system that has the functionality you need. And if this isn’t viable, be sure to store all your data on an in-house server and perform regular backups. It won’t shield it from security breaches, but at least you’ll retain your data in the event of a cyberattack.

null  3. Implementation Gaps: Double- and Triple-Check Your System Configurations

The ERP selection and implementation process can be difficult and time-consuming, but carelessness and a lack of preparedness can have devastating effects in the long run.

More than any type of software, the security of ERP systems is largely dependent on the configuration of your platform. Haphazard customizations, improper credentials, open ports—any number of gaps remaining from implementation could potentially put your business at risk.

In fact, the Digital Shadows and Onapsis research cited in the DHS warning mentioned above identified hundreds of exposed ERP configuration files, which bad actors can—and do—leverage when planning future attacks.

 SOLUTION:  You can never be too thorough when integrating your ERP software into your day-to-day business operations, and there are myriad ways in which an ERP implementation can fail. That’s why it’s critical that your business takes its time, solicits the help of your IT team and does everything in its power to tighten all the security screws at all stages of integration; your data will be thankful.

null  4. Human Error: Vet and Train Those With Access

Sometimes the culprit of an attack isn’t external—it’s from within.

A 2016 IBM report found that up to 60 percent of cyberattacks result from the actions of someone within the business itself, often unwittingly.

Regardless of whether their intent is malicious, employees within an organization can jeopardize sensitive business and consumer data if not thoroughly vetted. Those with unfettered access to system processes have the ability to alter software functionality, making proper safeguarding of ERP security access all the more critical.

 SOLUTION:  The single most effective way to combat this issue is to authorize only the most trusted individuals to carry out vital ERP system processes. It’s also imperative to provide an adequate amount of training to those operating the software, even at the lowest level.

And once access is granted, maintain a comprehensive log of changes made, and the users who made them, so that you have all the information necessary if an audit is needed.

null  5. Law-Breaking: Ensure Compliance With Regulatory Standards

Whether you’re storing customer credit card information or confidential health data, a variety of government-mandated regulations exist to protect sensitive consumer information. Privacy laws are especially commonplace in Europe, where GDPR recently went into effect, but in today’s global internet marketplace, they affect American companies all the same.

Those that don’t adhere to these standards will pay a steep price—not just in reputational damage, but monetary damage as well.

In 2016, regulators hit British telecommunications company Vodafone with seven-figure fines after misappropriating user data. In the U.S., look no further than Facebook’s recent misdeeds to see how privacy breaches can devastate a company’s reputation.

 SOLUTION:  First and foremost, always pay close attention to and abide by your industry-specific requirements. Credit card numbers and social security data should always be heavily encrypted, and other common requirements include firewalls, foolproof passwords and other back-end precautionary measures.

If your ERP software doesn’t have these compliance standards built in, it might be time to consider upgrading to one that does. Our comprehensive list of ERP software vendors is a good place to start.

Next Steps

The solutions outlined above should go a long way in protecting your valuable ERP data from unwanted breaches, but cyberattacks are a constantly evolving threat. It’s therefore critical that, in addition to our recommendations, you:

  • Ask your ERP vendor if there are security issues or vulnerabilities specific to their software that you should be aware .

  • Remain informed of what’s going on in the world of ERP and cybersecurity (our Resources page is a great way to stay in the know).

  • Call one of our knowledgable software advisors, who are ready and willing to answer all of your questions. Give them a ring at (844) 686-5616.