The Biggest Threats Impacting ERP Security

In many ways, ERP systems act as the hub of a business. These applications are mainly represented by “mega-vendors” such as SAP, Microsoft, and Oracle, and handle the most sensitive and valuable data within an organization. It’s where customer, sales, financial, product, services, employee information, and trade secrets live. A breach of such critical applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence, and project delays. Yet, more than half (64%) of IT decision makers whose organizations rely on SAP or Oracle E-Business Suite confirmed in a recent survey that their ERP applications have been breached in the last 24 months.

In light of this, we sat down with Mariano Nunez, CEO of application cybersecurity company, Onapsis, to learn more about some of the biggest threats impacting ERP security today.

Q: What challenges do companies face when it comes to protecting ERP applications?

A: Even a few years ago, when organizations traditionally ran their ERP applications internally, isolated from the outside world and accessible only by internal employees, network segmentation and filters were not enough to protect them. The situation is even worse in the current landscape, where initiatives such as digital transformation and the move to the cloud push companies to expose sensitive business information outside the four walls of their organization. While these moves often save money and make businesses more nimble, they also increase the potential attack surface, with data traversing between mobile applications, cloud environments, and web applications.

Q: How do cloud migrations, in particular, impact ERP security?

A: With the progression of digital transformation initiatives, many business-critical applications are being migrated, if not already running, in hosted environments. These hosted environments run in external data centers, managed by leading cloud provides such as Amazon, MS Azure, Google, IBM, or SAP.

These applications are connected to an on-premise environment and are potentially available over the internet. In fact, 74% of respondents to a recent IDC survey indicate their large ERP applications are currently accessible via the internet. This connection adds another layer of complexity and increases the potential attack surface.

This shouldn’t scare companies who are moving their systems to the cloud to take advantage of cost savings and improved business functionality; it is just becomes more important they are properly protected.

Q: What is the potential financial impact of an ERP breach?

A: Nearly one in three (35%) respondents to IDC’s ERP security risk survey believe ERP application downtime could cost their organization over $50,000 per hour. Twenty-nine percent of respondents thought ERP downtime could cost their organization more than $100,000 per hour. No two attacks are the same, but with these kinds of statistics, it’s clear attacks on ERP applications can cause serious financial impact to virtually all businesses.

Q: What can organizations do to maintain adequate ERP security and IT controls?

A: There is no silver bullet to security, but there are many steps organizations can take to bolster their protection, including:
• Ensure continuous monitoring of threats (both internal and external) for all business-critical applications has been properly established.
• Implement a patch management solution to ensure critical security patches for your ERP systems are reviewed and implemented.
• Establish security controls for the customized code used in your business-critical applications for financial reporting.
• Ensure key cybersecurity controls are being mapped to regulations, including SOX, NERC-CIP, PCI, GDPR and others.

In today’s environment, business-critical applications are more and more exposed and connected to multiple networks and applications. These opportunities can be leveraged by attackers to compromise your organization’s business processes and exploit the crown jewels of your company. This further proves the need for specialized technology that understands business-critical applications and provides the right level of visibility and protection to rest assured that the most important information and processes within your organization are protected.

Looking for more? Download our Enterprise Resource Planning Buyers Guide for free to compare the top-24 products available on the market with full page vendor profiles, key capabilities, an ERP software market overview, our bottom-line analysis, and questions for prospective buyers.

And don’t forget to follow us on Twitter, Facebook and LinkedIn for all the latest in the ERP space!