

Why companies should make ERP security a top priority

Whether your ERP system is on premises or in the cloud, it's still vulnerable -- and you need to take the right measures to secure it. Here's advice on how to do just that.

Your ERP is a treasure chest filled with valuable data -- and hackers may be planning a cyberattack right now. That's why your IT and infosec teams need to understand ERP security issues and best practices.

An ERP system is likely to contain both the company's intellectual property and employee and customer personally identifiable information, and it's critical to keep this data safe. But it's not easy.

ERP security issues

The typical ERP environment is a soft target. It spans multiple components: network hosts, web components, databases, thick clients and mobile apps. That complexity keeps IT and information security professionals on their toes year-round.

The computers and software associated with your ERP system are vulnerable to common security exploits, which can create serious challenges if you don't address them. Whether your system is on premises or in the cloud, you'll need to check for the following ERP security issues:

The size of the organization or the industry doesn't matter -- these vulnerabilities affect all organizations.


Internal or external audit teams typically govern ERP systems, and security oversight often stops there. A controls audit alone does not deliver reasonable ERP security: as with any audit-driven approach to information risk management, it rarely includes technical vulnerability assessment or penetration testing. That gap can lead to the very security incidents the core IT controls are meant to prevent. It's also common to find ERP systems left out of the organization's overall incident response and business continuity plans.

Your organization's top leaders should understand that ERP security is a mission-critical priority, not just an IT-centric function. They should create metrics and make decisions about ERP security as part of a cross-functional group that includes IT, security, operations, finance and legal departments.

Your IT and infosec teams have ongoing duties. As part of ERP security best practices, IT professionals must scrutinize ERP environments in terms of the security technologies in place, such as logging and alerting, multifactor authentication, and data loss prevention (DLP) or cloud access security broker (CASB) tools. The same rule applies to ongoing security testing.

At a minimum, designated members of IT or infosec teams should run dedicated vulnerability scans using network vulnerability scanners such as Qualys and Nessus, and web vulnerability scanners such as Acunetix and Netsparker. They may find dedicated ERP testing tools, such as ERPScan, beneficial. They also need to make sure penetration testing and manual analysis accompany automated scanning, because scanners miss business-logic and authorization flaws. IT and infosec teams can also consider database vulnerability scans using tools such as Scuba, source code analysis using tools such as Veracode, and even network architecture and firewall configuration analyses to ensure that only those with a business need can reach the environment.
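As an added example (not code from the original article), the following Python script shows the kind of firewall configuration review the paragraph describes: it takes a constructed rule set and flags every allow rule that reaches an ERP-tier port from a source network broader than the approved application-tier and admin subnets. The port numbers, subnets and rule names are assumptions chosen for illustration, not values from any real deployment.

```python
"""Added example: flag firewall rules that expose ERP-tier services beyond approved networks."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

# Assumed for illustration: ERP-tier listener ports (application servers and backing database).
ERP_PORTS: Dict[int, str] = {
    3200: "app dispatcher",
    8000: "web/HTTP",
    50000: "web/Java",
    1433: "database",
}

# Assumed approved sources: only the app-tier subnet and the admin jump-host subnet
# have a business need to reach ERP ports.
APPROVED_SOURCES = [
    ipaddress.ip_network("10.10.20.0/24"),
    ipaddress.ip_network("10.0.99.0/28"),
]


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    src: str                  # source CIDR
    dst_port: Union[int, str]  # port number, or "any"


def analyze(rules: List[Rule],
            approved=APPROVED_SOURCES,
            erp_ports: Dict[int, str] = ERP_PORTS) -> List[Tuple[str, str, List[int], str]]:
    """Return (rule name, source, exposed ERP ports, severity) for each over-broad allow rule."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src, strict=False)

        # Which ERP ports does this rule open? "any" opens all of them.
        ports: Set[int] = set(erp_ports) if r.dst_port == "any" else (
            {r.dst_port} if r.dst_port in erp_ports else set())
        if not ports:
            continue  # not an ERP port; out of scope for this review

        # A source is acceptable only if it sits entirely inside one approved network.
        if any(src.subnet_of(a) for a in approved):
            continue

        # Internet-wide exposure is the worst case; anything else broader than approved is medium.
        severity = "high" if src.prefixlen == 0 else "medium"
        findings.append((r.name, str(src), sorted(ports), severity))
    return findings


# Constructed sample rule set for the demonstration.
SAMPLE_RULES = [
    Rule("app-to-erp", "allow", "10.10.20.0/24", "any"),     # approved app tier
    Rule("admin-jump", "allow", "10.0.99.0/28", 3200),       # approved admin subnet
    Rule("legacy-vendor", "allow", "0.0.0.0/0", 3200),       # internet-exposed dispatcher
    Rule("corp-wide-db", "allow", "10.0.0.0/8", 1433),       # whole corporate range to the DB
    Rule("printers", "allow", "10.50.0.0/16", 9100),         # not an ERP port
    Rule("deny-all", "deny", "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for name, src, ports, sev in analyze(SAMPLE_RULES):
        print(f"[{sev.upper()}] rule {name}: {src} -> ERP ports {ports}")
```

Run against the constructed rules, the script reports the internet-exposed dispatcher rule as high and the corporate-wide database rule as medium, while the two approved-source rules and the non-ERP printer rule produce no findings. Exported rule sets from a real firewall would need a small parser in front of `Rule`, but the business-need check itself stays the same.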


Your IT security teams need to perform ERP security testing periodically and consistently -- at least once per year. They might not be able to oversee and test the ERP system at these levels if they're using a third-party cloud-based system. In that case, the team should periodically review the provider's SOC (Service Organization Control) audit report and ask to see a copy of the most recent vulnerability and penetration testing report. For the latter, an executive summary might be all you can obtain, which will typically suffice.

Applying common sense and exercising consistent oversight are two critical -- and often overlooked -- core ERP security best practices. The last thing that you need is to have your business's crown jewels exposed through a preventable weakness. Whatever decisions you make -- or don't make -- think things through and make sure all your choices are defensible.
