Sergey Nivens - Fotolia
Your ERP is a treasure chest filled with valuable data -- and hackers may be planning a cyberattack right now. That's why your IT and infosec teams need to understand ERP security issues and best practices.
An ERP system is likely to contain both the company's intellectual property and employee and customer personally identifiable information, and it's critical to keep this data safe. But it's not easy.
ERP security issues
The typical ERP environment is a soft target. It includes multiple components, including network hosts, web components, databases, thick clients and mobile apps. These complexities keep IT and information security professionals on their toes year-round.
The computers and software associated with your ERP system are vulnerable to common security exploits, which can create serious challenges if you don't address them. Whether your system is on premises or in the cloud, you'll need to check for the following ERP security issues:
- missing software patches at the OS, application and database levels that can facilitate remote control, malware infections or denial of service attacks;
- system authentication mechanism flaws;
- SQL injection caused by a lack of input filtering;
- poor user management or privilege escalation vulnerabilities that cause access control gaps;
- data backup weaknesses that leave systems vulnerable to ransomware infections; and
- poor visibility across the network that limits security incident management and response.
The size of the organization or the industry doesn't matter -- these vulnerabilities affect all organizations.
Internal or external audit teams typically govern ERP systems. Security oversight often stops there, but it's not enough to ensure reasonable ERP security. As with any controls audit-type approach to information risk management, ERP security is often lacking in terms of technical vulnerability and penetration testing. This oversight can lead to the very security incidents that the core IT controls are trying to prevent. It's also common to see ERP systems not specifically included in the organization's overall incident response and business continuity plans.
Your organization's top leaders should understand that ERP security is a mission-critical priority, not just an IT-centric function. They should create metrics and make decisions about ERP security as part of a cross-functional group that includes IT, security, operations, finance and legal departments.
Your IT and infosec teams have ongoing duties. As part of ERP security best practices, IT professionals must scrutinize ERP environments in terms of security technologies, such as logging and alerting, multifactor authentication and data loss prevention or cloud access security broker. The same rule applies to ongoing security testing.
At a minimum, designated members of IT or infosec teams should run dedicated vulnerability scans using network vulnerability scanners such as Qualys and Nessus, and web vulnerability scanners such as Acunetix and Netsparker. They may find dedicated ERP testing tools, such as ERPScan, beneficial. They also need to make sure penetration testing and manual analysis accompanies automated scanning. IT and infosec teams can also consider database vulnerability scans using tools such as Scuba, source code analyses using tools such as Veracode and even network architecture and firewall configuration analyses to ensure that only those with a business need can access the environment.
Your IT security teams need to perform ERP security testing periodically and consistently -- at least once per year. They might not be able to oversee and test ERP system at these levels if they're using a third-party cloud-based system. In that case, the team should periodically review the security operations center audit report and ask to see a copy of the most recent vulnerability and penetration testing report. For the latter, an executive summary might be all you can obtain, which will typically suffice.
Using common sense and consistent oversight are two critical -- and often overlooked -- core ERP security best practices. The last thing that you need is to have your business's crown jewels exposed through a preventable weakness. Whatever decisions you make -- or don't make -- think things through and make sure all your choices are defensible.