The ERP system is increasingly becoming a technological hub, because it collects and analyzes data that is indispensable for business operations. Despite this great importance, the security of such solutions hardly plays a role.
Cyber security is a central issue for company decision-makers. This is also shown by the current CISO study. According to this study, German companies see cyber attacks as the greatest risk to their own IT. 74 percent of the nearly 800 IT and IT security managers surveyed rate the extent of the threat as high or very high. No wonder, since there are enough weak points that hackers can exploit. An often underestimated and neglected Achilles heel is the ERP system. What can happen if protection is lacking here was already demonstrated at the end of 2015 at the Black Hat Europe conference: experts attacked the ERP applications of an oil company in order to manipulate pipeline pressure.
This drastic scenario raises some questions for many companies. For example, where are the weak points and what can companies do to arm themselves? First answers to these questions are given in the following article, which is based on an expert survey by ERP News.
ERP software: What are the weak points?
The following applies to any software: the more complex it is, the more error-prone it is. ERP systems are no exception. Despite extensive testing, not all vulnerabilities are usually detected – and some of them lie outside the software itself:
Not using a VPN, or not applying updates regularly, is one of the worst things you can do if you want to keep your ERP system safe. A VPN is not just a tool for unblocking geo-restricted websites; in any IT architecture it is used primarily for security reasons.
Especially in medium-sized businesses, many companies have been using the same ERP system for decades. Those who do not maintain their software here for cost reasons often work with an outdated technology that facilitates an attack.
Even though the floppy disk age is long gone, many companies use outdated software and make it easier for hackers to infiltrate the system.
Another sore point is the increasing networking with other companies. In e-commerce in particular, interfaces are needed inside and outside the customer network that bridge the gap between the company and marketplaces such as Amazon and Ebay. “These interfaces are always critical points of attack,” says Axel Krämer, Head of Central Services at All for One Steeb AG. “One example is access to ERP systems via SSL-encrypted communication interfaces. If the latest encryption technology is not used here, the system has a serious weakness and offers room for data theft.”
The latest encryption technology is mandatory. SSL 3.0 was the last version of SSL; development continued under the designation TLS, of which the current version is TLS 1.2. Its successor, TLS 1.3, will follow in 2017.
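The two halves of this point, enforcing a protocol floor on the ERP interface and finding integration partners that still fall below it, are easy to show in code. The following Python snippet is an added example and is not from the article or from any of the vendors quoted in it. It builds a server-side `ssl.SSLContext` that refuses anything older than TLS 1.2 (TLS 1.3 is accepted), and it runs a small detector over constructed access log lines in an assumed nginx-style format that records `$ssl_protocol` and `$ssl_cipher`; the IP addresses and request paths are made up for the example.

```python
import re
import ssl
from collections import defaultdict

# Protocol names as web servers write them into $ssl_protocol, ranked
# oldest to newest. Policy follows the article: SSL 3.0 is obsolete,
# TLS 1.2 is current, TLS 1.3 is its successor, so the floor is TLSv1.2.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
MINIMUM_ACCEPTED = "TLSv1.2"


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that rejects SSLv3, TLS 1.0 and TLS 1.1 handshakes.
    The caller still has to call load_cert_chain() before serving with it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_legacy(protocol: str) -> bool:
    """True if the negotiated protocol is below the policy floor.
    Unknown names count as legacy so a typo never silently passes review."""
    rank = PROTOCOL_RANK.get(protocol)
    return rank is None or rank < PROTOCOL_RANK[MINIMUM_ACCEPTED]


# Constructed sample lines (assumed format):
# '$remote_addr [$time_local] "$request" $status $ssl_protocol $ssl_cipher'
SAMPLE_LOG = """\
203.0.113.10 [21/Mar/2016:10:01:02 +0100] "POST /erp/api/orders HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 [21/Mar/2016:10:01:05 +0100] "GET /erp/api/stock HTTP/1.1" 200 TLSv1 AES128-SHA
198.51.100.7 [21/Mar/2016:10:02:11 +0100] "GET /erp/api/stock HTTP/1.1" 200 TLSv1 AES128-SHA
192.0.2.55 [21/Mar/2016:10:03:40 +0100] "POST /erp/api/invoices HTTP/1.1" 200 SSLv3 RC4-SHA
203.0.113.10 [21/Mar/2016:10:04:00 +0100] "GET /erp/api/orders HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<protocol>\S+) (?P<cipher>\S+)$'
)


def find_legacy_clients(log_text: str) -> dict:
    """Map each client IP that negotiated a legacy protocol to the sorted list
    of protocols it used, so the owning integration can be upgraded first."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stray line in another format: skip, do not crash
        if is_legacy(m["protocol"]):
            findings[m["ip"]].add(m["protocol"])
    return {ip: sorted(protocols) for ip, protocols in findings.items()}


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("server floor:", ctx.minimum_version.name)
    for ip, protocols in find_legacy_clients(SAMPLE_LOG).items():
        print(f"{ip}: legacy protocol(s) {', '.join(protocols)}")
```

Run the detector against the real log before raising the floor on the server: the clients it lists are the integrations that will break the moment the hardened context goes live, and they need to be upgraded first rather than discovered through failed orders.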
According to a study by the German Federal Office for the Protection of the Constitution, more than 30 percent of public attacks were triggered by internal perpetrators. The reasons for such attacks are multifaceted, as Dirk Bingler, spokesman for the management of GUS Deutschland GmbH, reports: “They range from disappointment, frustration at the workplace and private problems to simple ignorance of sensitive weak points in work processes. The lack of awareness of potential dangers is great, since visiting insecure websites at the workplace, a thoughtless click on e-mail attachments or using a private smartphone for company purposes via unencrypted connections is enough to grant access to harmful software.”
It is precisely ignorance that opens the door to internal systems for many hackers. One wrong click and the malware can be used for espionage, for example.
As with any software, there is no absolute security with ERP systems. However, a few tips can minimize some risks:
- Status quo: To get an initial overview, the current state of the entire IT – and thus also of its security – should be recorded. From this, the first weak points and fields of action can be identified. Defining goals is also important at this stage; only then can concrete measures be developed.
- Updates: Regular updates and security updates are mandatory. This applies not only to the application itself, but also to all accompanying programs such as the corresponding firewall and the operating system on which the ERP solution runs.
- Employees: Since many employees are not fully aware of the dangers, companies should hold regular training sessions and raise awareness of IT security – among all employees, including the executive floor. In addition, system access should only be granted to users who need it. Preventive and monitoring specifications of user rights, in the form of access controls, raise the security level here.
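The last recommendation, access only for users who need it, with both a preventive and a monitoring side, can be illustrated with a small role-based access check. The following Python snippet is an added example, not code from the article or from any ERP vendor; the roles, modules and user names are hypothetical. Access is denied unless a role explicitly grants the module/action pair (the preventive side), every decision is written to an audit trail, and repeated denials are surfaced for review (the monitoring side).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical ERP roles (assumed for this example) mapped to the
# (module, action) pairs they may perform. Anything not listed is denied:
# "only users who need it" means deny by default.
ROLE_PERMISSIONS = {
    "warehouse_clerk": {("inventory", "read"), ("inventory", "adjust")},
    "accountant":      {("invoices", "read"), ("invoices", "post")},
    "auditor":         {("inventory", "read"), ("invoices", "read"), ("users", "read")},
    "it_admin":        {("users", "read"), ("users", "modify")},
}


@dataclass
class AuditEvent:
    """One authorization decision, kept so denials can be reviewed later."""
    timestamp: str
    user: str
    module: str
    action: str
    allowed: bool


@dataclass
class AccessControl:
    user_roles: dict                       # user name -> set of role names
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user: str, module: str, action: str) -> bool:
        """Preventive part: allow only if one of the user's roles grants the pair.
        Unknown users and unknown roles fall through to a denial."""
        for role in self.user_roles.get(user, set()):
            if (module, action) in ROLE_PERMISSIONS.get(role, set()):
                return True
        return False

    def authorize(self, user: str, module: str, action: str) -> bool:
        """Monitoring part: every decision, allowed or denied, is recorded."""
        allowed = self.is_allowed(user, module, action)
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, module, action, allowed))
        return allowed

    def denied_attempts(self, user: str = None) -> list:
        """Denied decisions, optionally filtered to one user."""
        return [e for e in self.audit_log
                if not e.allowed and (user is None or e.user == user)]

    def users_with_repeated_denials(self, threshold: int = 2) -> list:
        """Users whose denied requests reach the threshold. This is a review
        trigger, not proof of misuse: a mis-assigned role produces the same
        pattern and is fixed by correcting the role, not by blaming the user."""
        counts = {}
        for e in self.denied_attempts():
            counts[e.user] = counts.get(e.user, 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    ac = AccessControl({"anna": {"warehouse_clerk"}, "ben": {"accountant"},
                        "cleo": {"auditor"}})
    ac.authorize("anna", "inventory", "adjust")   # allowed
    ac.authorize("anna", "invoices", "post")      # denied: not her job
    ac.authorize("cleo", "invoices", "post")      # denied: auditors only read
    ac.authorize("cleo", "users", "modify")       # denied
    for e in ac.denied_attempts():
        print(f"{e.timestamp} DENY {e.user} {e.module}:{e.action}")
    print("review:", ac.users_with_repeated_denials())
```

In a real ERP the role table lives in the application's own authorization module rather than in a dictionary, but the two properties shown here are what the review should check for: nothing is reachable without an explicit grant, and denials are logged somewhere that someone actually reads.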
ERP security: being comprehensively prepared for the future
ERP security is becoming an important building block in IT security. However, not many companies are aware of this. Most assume that the IT department is already taking care of the security of the ERP system – behind the company’s firewall. But that is careless. What is needed is the firm anchoring of this business-critical application in a well thought-out security concept.