As more of the enterprise community turns to Enterprise Resource Planning software to manage daily activities, the specter of data breaches and other security risks has come into play.
ERP usually touches some of the most mission-critical data and services in the enterprise, making it a tempting target for wrongdoers. But there are ways to protect yourself now, and new tools are constantly entering the channel to help minimize the risks associated with ERP without sacrificing performance.
The first thing to do, however, is recognize that the threat is real. Over the summer, the United States Computer Emergency Readiness Team (US-CERT) released a report compiled by Digital Shadows Ltd. and Onapsis Inc. describing a marked increase in the exploitation of vulnerabilities within ERP systems. The warning covered the gamut of leading management tools, including product lifecycle, customer relationship and supply chain. A key issue is the patchwork of solutions, patches, updates and other releases that are often implemented incorrectly within a given data environment. This leads to gaps in the security footprint that hackers can exploit to distributed viruses, ransomware, and other forms of malicious code.
In an interview with ZDNet, Digital Shadow’s Mike Marriott described the combination of remote-code capabilities with an internet-facing ERP as the “Holy Grail” of targets. To date, some 17,000 SAP and Oracle applications connect to the internet, with users spanning commercial and governmental organizations across Europe and North America. And while hacking may once have been the purview of simple digital malcontents or computer whiz kids looking for a challenge, the real threats today are sophisticated technologists and state-sponsored organizations operating, sometimes in tandem, in the Dark Web and other criminal forums.
This may make some organizations think twice about launching ERP capabilities in the cloud, but the news is not all bad. While it is true that, as the Cloud Security Alliance recently reported, migrating to the cloud will require additional steps to ensure security, those steps are not necessarily all that burdensome. In fact, many cloud providers are well ahead of the curve, offering the ability to select the data center they wish to use, as well as providing a wealth of sign-in, user access, continuous monitoring and other tools. At the same time, the cloud provides advantages in backup, recovery and redundancy that can help you get back on your feet if you are attacked.
Regardless of where you host your ERP, however, there are several things you need to do now in order to protect yourself, says Zach Hale, content specialist for Gartner subsidiary Software Advice. First, be sure to update all software as soon as possible. Yes, as noted above, this can introduce vulnerabilities if done haphazardly, but done correctly, it ensures you are protected by the latest tools that counter ever-evolving threats. The same goes for overall system configuration, which can become less secure over time without the proper maintenance. As well, you should limit exposure to non-ERP applications. If you need additional capabilities, better to upgrade to a new platform than to link to third-party resources at random. And you should never overlook perhaps the most important security tool of all: your people. Proper training to spot phishing scams and to act quickly in case of a breach can go a long way toward stopping penetration or at least limiting the damage after the fact.
Despite these precautions, however, it is still better to plan for an eventual data breach than to chase the chimera of complete invulnerability. Only by implementing an ongoing security testing and maintenance program, and incorporating it as a regular operational function, will you stand a chance of protecting critical data and getting systems back online before it places an undue burden on users.
In this day and age, the most valuable commodity for any enterprise is reputation. Few users expect a perfectly secure environment, but there is little sympathy for organizations that allow themselves through negligence to be brought to their knees.
Arthur Cole writes about infrastructure for IT Business Edge. Cole has been covering the high-tech media and computing industries for more than 20 years, having served as editor of TV Technology, Video Technology News, Internet News and Multimedia Weekly. His contributions have appeared in Communications Today and Enterprise Networking Planet and as web content for numerous high-tech clients like TwinStrata and Carpathia. Follow Art on Twitter @acole602.