
What is ERP security and why is it critical?

An ERP system is vulnerable whether it's on premises or in the cloud, and supply chain attacks continue to increase. Learn why it's important to secure your company's ERP software.

An ERP system is a treasure chest filled with valuable data, and external attackers and malicious insiders may be planning an attack right now. With the growing concern over supply chain attacks, IT and security teams need to understand ERP security issues to ensure ongoing resilience.

An ERP system is likely to contain the company's intellectual property as well as employee and customer personally identifiable information, and keeping this information safe is critical. It's not easy, but it is doable with some discipline and ongoing effort.

What makes ERP systems vulnerable?

ERP security requires understanding weak points in and around the ERP environment and then implementing the proper safeguards to minimize risks. Whether an ERP system is on premises or in the cloud, threats and vulnerabilities are always present. Allocating the proper resources for overseeing all the ERP components is critical.

The typical ERP environment is a soft target because of its breadth. Its components include user accounts, network hosts, web components, databases, thick clients and mobile apps, each with its own attack surface. This complexity keeps IT and security professionals constantly on their toes.

The computers and software that make up an ERP system are exposed to the same classes of vulnerability as any other enterprise system, and these can create serious problems for a company if they are not addressed. Here are some common issues:

  • Missing software patches at the OS, application and database levels that can enable remote compromise, ransomware infection or denial-of-service attacks.
  • Flaws in authentication mechanisms that expose user credentials or permit unauthorized access.
  • SQL injection in application code that builds queries from unvalidated input instead of binding it as parameters.
  • Weak session management or privilege escalation flaws that open gaps in access control.
  • Backup weaknesses, such as backups that are reachable from the production network or are never tested for restore, that leave systems and data exposed to ransomware.
  • Poor visibility across the network, including incomplete logging and monitoring, that limits incident detection and response.
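The SQL injection item above is the one most easily shown in code. The following is an added example, not code from the original article: it builds a small in-memory SQLite table standing in for an ERP employee table (the rows and the `employee` schema are constructed for the example), then runs the same lookup two ways. The first splices the username into the SQL text, so a tautology payload returns every row; the second binds the username as a parameter, so the same payload matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for an ERP employee table (not real data).
SAMPLE_ROWS = [
    (1, "alice", "finance", 95000),
    (2, "bob", "operations", 72000),
    (3, "carol", "finance", 88000),
]


def build_db():
    """Create an in-memory SQLite database holding the sample employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee ("
        "id INTEGER PRIMARY KEY, username TEXT, dept TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the username is spliced into the SQL text, so quotes and
    operators in the input become part of the query."""
    sql = ("SELECT id, username, dept, salary FROM employee "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the username is bound as a parameter, so the database driver
    treats it purely as a value, never as SQL."""
    sql = "SELECT id, username, dept, salary FROM employee WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return how many rows each lookup returns for the same input."""
    conn = build_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input:", compare("alice"))
    # A classic tautology payload: the vulnerable query becomes
    # ... WHERE username = 'alice' OR '1'='1' and returns every row.
    print("injected input:", compare("alice' OR '1'='1"))
```

The fix is not input filtering: a deny list of quote characters is easy to get wrong and differs by database. Parameterized queries (or an ORM that uses them) are the control, and the same pattern applies to any ERP customization, integration or report that assembles SQL at runtime.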

The size of the company or the industry doesn't matter -- these vulnerabilities affect all organizations.

Common reasons for ERP security incidents

Internal or external audit teams typically govern ERP systems, and security oversight sometimes stops there. As with any approach to information risk management that relies on controls audits alone, ERP security often lacks technical vulnerability and penetration testing. This gap can lead to the very security incidents that the core IT controls are meant to prevent. In addition, ERP systems are often not specifically included in the organization's overall incident response and business continuity plans.

The organization's top leaders should understand that ERP security is a mission-critical priority, not just an IT-centric function to delegate without oversight. Those responsible for ERP management should create metrics and make decisions about ERP security as part of a cross-functional committee that includes the IT, security, operations, finance and legal departments.

Why testing ERP security is important

IT and security teams have ongoing duties here. As part of ERP security best practices, they must regularly review which security technologies actually cover the ERP environment, such as logging, alerting, multifactor authentication, data loss prevention and cloud access security brokers. The same rule applies to ongoing security testing.

At a minimum, designated members of IT or security teams should run dedicated vulnerability scans using network vulnerability scanners and web vulnerability scanners. They also need to make sure penetration testing and manual analysis accompany automated scanning, since scanners alone miss business-logic and authorization flaws.

IT and security teams can also consider database vulnerability scans, or a traditional network vulnerability scanner that has database scanning capabilities. Additionally, cloud security posture management tools, including the security review tooling built into cloud platforms, and firewall configuration analysis tools can help confirm that only users and systems with a business need can reach the environment.
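The firewall configuration check described above can be reduced to a simple question per rule: does an allow rule reach an ERP port from a source outside the networks that have a business need? The following is an added example, not a tool or code from the original article: the port list, the approved-source policy, the simplified rule format and the rules themselves are all constructed for the example, standing in for a parsed export from a real firewall.

```python
import ipaddress

# ERP-tier ports of interest (assumed for the example; adjust to the real deployment).
ERP_PORTS = {
    1433: "MSSQL",
    1521: "Oracle listener",
    8443: "ERP web front end",
    3389: "RDP to ERP application host",
}

# Networks with a business need to reach each port (assumed policy, not a real one).
APPROVED_SOURCES = {
    1433: ["10.10.20.0/24"],   # ERP application servers only
    1521: ["10.10.20.0/24"],
    8443: ["10.0.0.0/8"],      # corporate network only, never the internet
    3389: ["10.10.30.0/24"],   # administrative jump hosts only
}

# Constructed rules in a simplified normalized form (source, destination port,
# action), as a firewall export might look after parsing. Not from any real device.
RULES = [
    {"id": "fw-101", "src": "10.10.20.0/24", "dport": 1433, "action": "allow"},
    {"id": "fw-102", "src": "0.0.0.0/0", "dport": 8443, "action": "allow"},
    {"id": "fw-103", "src": "10.50.0.0/16", "dport": 1433, "action": "allow"},
    {"id": "fw-104", "src": "203.0.113.0/24", "dport": 3389, "action": "allow"},
    {"id": "fw-105", "src": "0.0.0.0/0", "dport": 1521, "action": "deny"},
    {"id": "fw-106", "src": "10.10.30.7/32", "dport": 3389, "action": "allow"},
]


def overbroad_reason(rule, approved=APPROVED_SOURCES):
    """Return a finding string if an allow rule reaches an ERP port from a
    source that is not wholly inside an approved network, else None."""
    if rule["action"] != "allow" or rule["dport"] not in ERP_PORTS:
        return None
    src = ipaddress.ip_network(rule["src"], strict=False)
    for net in approved.get(rule["dport"], []):
        allowed = ipaddress.ip_network(net)
        # subnet_of() requires both networks to be the same IP version.
        if src.version == allowed.version and src.subnet_of(allowed):
            return None
    scope = "any source" if src.prefixlen == 0 else str(src)
    return "%s: %s (tcp/%d) reachable from %s" % (
        rule["id"], ERP_PORTS[rule["dport"]], rule["dport"], scope)


def audit_rules(rules=RULES, approved=APPROVED_SOURCES):
    """Run every rule through overbroad_reason and collect the findings."""
    return [f for f in (overbroad_reason(r, approved) for r in rules) if f]


if __name__ == "__main__":
    for finding in audit_rules():
        print(finding)
```

This checker evaluates each rule in isolation and ignores destination addresses, protocol and rule order, which is enough to surface an internet-facing database or RDP listener but not to prove a policy is correct. A real configuration analysis tool has to evaluate the policy as a whole, and the approved-source list itself should come from the cross-functional owners of the ERP system, not from whoever happens to administer the firewall.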

IT and security teams, or a qualified outside party, need to perform ERP security testing on a consistent schedule, at least once per year and ideally in combination with ongoing vulnerability scanning. Those teams might not be able to oversee and test the ERP system at those levels if they're using a third-party cloud-based system. If so, the team should periodically review the provider's System and Organization Controls 2, or SOC 2, audit report and ask to see a copy of the most recent vulnerability and penetration testing report. For the latter, an executive summary might be all the team can obtain, but that typically suffices.

Common sense and consistent oversight are two critical, and often overlooked, core ERP security best practices. The last thing any company needs is to have its crown jewels exposed through a preventable weakness. IT and security teams must always think things through and make sure all their choices are defensible.

Kevin Beaver is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With more than 30 years of experience in the industry, Beaver specializes in performing vulnerability and penetration tests, as well as virtual CISO consulting work.
