ERP Security Deserves Our Attention Now More Than Ever
It comes as no surprise that new trends (the cloud, big data, the internet of things) increase the attack surface. However, even widely known technologies can be a security pitfall. When it comes to enterprise security, ERP systems -- the backbone of all key business processes and data -- can pose a hidden danger.
For example, back in 2014, USIS -- the largest commercial provider of background investigations to the U.S. government -- reported on the discovery that it had been breached the year prior. In May 2015, an investigation revealed that it was an ERP system from SAP that allowed alleged Chinese-sponsored hackers to break in and then pivot to the company’s network. It still remains unclear whether SAP was responsible and had not fixed the security loophole, or if USIS just failed in patching the flaw. As a result of the attack, hackers stole the personal data of at least 27,000 federal employees. Eventually, USIS filed for bankruptcy.
ERP security isn’t a brand-new topic; however, the concept has transformed significantly. Just seven years ago, ERP security was viewed as segregation of duties only. This meant that preventing cases where an employee was solely responsible for one task was the main concern.
Nowadays, leading analysts mention ERP security as a topic to watch, and critical vulnerabilities and even proven attacks on such systems hit the headlines on a regular basis.
There are several reasons why ERP cybersecurity deserves increased attention. First of all, the growing number of connected devices, which provide access to a particular system from anywhere, results in blurring network and organizational boundaries. Therefore, a traditional approach to cybersecurity -- one that focuses on enabling a secure perimeter around IT assets and then controlling access -- becomes almost ineffective.
This global trend affects business applications, too. From a legacy system available only inside a company and known by financial and HR departments, this software has transformed into a global IT platform with cloud and mobile features; some such platforms have more than 2 million users interconnected into a global chain.
Another reason behind the skyrocketing importance of ERP security is that attackers have changed their mindset. Having realized that attacks on businesses are more lucrative, malefactors have shifted their focus to them instead of hacking individuals. Since a typical ERP system stores customer data (72% of security experts include customer data in a list of top concerns, according to my company's ERP Security Survey 2017), employee data (66%) and emails (54%), it's easy to see why an ERP system is the ultimate target for cybercriminals.