The growth of remote work since the beginning of the COVID-19 pandemic has created attack surfaces and risks that most organizations never planned for. Ransomware and other external threats are compromising even well-defended organizations, and ERP systems are exposed like never before.
Most of these security issues are nothing new, but their scale has grown sharply. The first step to improving company security is acknowledging today's challenges.
Here are the most common ERP security issues and how to address them.
1. Unknown vulnerabilities
Many organizations haven't fully identified their security gaps, let alone addressed them. The most common ERP security problem is IT and security staff not knowing what they don't know.
IT leaders must first gain a thorough knowledge of their company's ERP security risks before taking any other action.
2. Missing software updates
Many workstations and servers are missing needed software updates. These omissions can include outdated ERP software as well as inadequately maintained underlying operating systems and supporting applications. Lack of updates can lead to anything from malware infections to denial of service attacks to full remote unauthenticated access.
Patching can cause outages and downtime on critical systems, but that risk is smaller than the risk of running unpatched software. IT teams must update software and apply security patches on a regular schedule, with tested rollback plans for the systems that cannot tolerate surprises.
3. Weak ERP authentication
Inadequate authentication controls include weak passwords, shared accounts and a lack of multifactor authentication. At a minimum, ERP logins should be as strong as the controls on internal domain accounts. When the ERP system keeps its own credential store instead of using domain accounts, this standard usually isn't met.
Strengthen authentication now, before weak logins become the path into the system.
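One way to find the three weaknesses named above in a user export is to audit it for banned passwords, reused or generic (shared) logins and accounts without MFA. The script below is an added example, not code from the article or from any ERP vendor. The CSV column names, the role names and the banned-password list are assumptions; the sample export is constructed inline so the script runs offline. It assumes the export carries unsalted SHA-256 hashes, which is itself a finding: with a properly salted, slow hash the banned-list check has to run when the password is set rather than against an export.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict


def sha256_hex(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample export (assumed column layout). Hashes are computed at
# runtime from throwaway passwords so the sample needs no real data.
SAMPLE_EXPORT = "username,password_sha256,mfa_enabled,role\n" + "\n".join(
    ",".join(row) for row in [
        ("jsmith", sha256_hex("Welcome123"), "yes", "ap_clerk"),
        ("mjones", sha256_hex("c0rrect-horse-battery-7"), "yes", "controller"),
        ("ap_shared", sha256_hex("Summer2023!"), "no", "ap_clerk"),
        ("warehouse1", sha256_hex("Summer2023!"), "no", "inventory"),
        ("warehouse2", sha256_hex("Summer2023!"), "no", "inventory"),
        ("admin", sha256_hex("Xk7#pL9q!vR2mN4t"), "no", "sysadmin"),
    ]
)

# Small constructed banned list; in practice use a breach corpus plus the
# company name, product name and seasonal patterns.
BANNED_PASSWORDS = ["Password1", "Welcome123", "changeme", "Acme2024", "erp"]
BANNED_HASHES = {sha256_hex(p): p for p in BANNED_PASSWORDS}

# Logins not tied to a named person are the usual sign of a shared account:
# generic words, the substring "shared", or a base name plus a terminal number.
GENERIC_NAME = re.compile(
    r"^(shared|generic|admin|test|temp|guest|service)$|shared|^[a-z]+\d+$", re.I
)


def audit_accounts(export_csv):
    """Return {username: [issue, ...]} for every account below the baseline."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))

    # Index accounts by hash so a credential used on several logins stands out.
    hash_owners = defaultdict(list)
    for row in rows:
        hash_owners[row["password_sha256"]].append(row["username"])

    findings = defaultdict(list)
    for row in rows:
        user = row["username"]
        digest = row["password_sha256"]
        if digest in BANNED_HASHES:
            findings[user].append("weak password (on banned list)")
        if len(hash_owners[digest]) > 1:
            findings[user].append("credential reused across accounts")
        if GENERIC_NAME.search(user):
            findings[user].append("generic account not tied to a person")
        if row["mfa_enabled"].strip().lower() != "yes":
            findings[user].append("MFA not enabled")
    return dict(findings)


if __name__ == "__main__":
    for user, issues in sorted(audit_accounts(SAMPLE_EXPORT).items()):
        print(f"{user}: {'; '.join(issues)}")
```

Every flagged item maps to one of the three gaps in the paragraph above; the clean account (`mjones`) produces no findings, which is the check that the audit is not just listing everyone.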
4. Web application-specific vulnerabilities
Some ERP web applications are vulnerable to SQL injection and privilege escalation, and many carry business logic flaws that let users manipulate parts of the system that should be off limits to them, such as approving their own transactions or changing values the server should control.
Know which applications have these weaknesses, and test for them rather than assuming vendor or in-house code is clean.
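The two flaw classes above side by side with their fixes, as an added example that is not code from the article or from any ERP product. It uses an in-memory SQLite database with constructed users and purchase orders; the table layout, the role names and the approval limit are assumptions. The vulnerable query splices a request parameter into SQL, and the vulnerable approval trusts the client to show the button only to approvers. The fixed versions parameterize the query and enforce role, separation of duties, state and amount on the server.

```python
import sqlite3

APPROVAL_LIMIT = 10000.0  # assumed policy: larger orders need a second approver


def build_db():
    """Constructed sample data: one approver who also raises orders, one
    pure approver, one requester, and three pending purchase orders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE purchase_orders (
            id INTEGER PRIMARY KEY, requester_id INTEGER,
            amount REAL, status TEXT);
        INSERT INTO users VALUES
            (1, 'alice', 'approver'), (2, 'bob', 'approver'), (3, 'carol', 'requester');
        INSERT INTO purchase_orders VALUES
            (10, 1, 4200.0, 'pending'), (11, 3, 980.0, 'pending'), (12, 3, 15000.0, 'pending');
    """)
    return conn


# --- SQL injection: "show my orders" ---------------------------------------

def my_orders_vulnerable(conn, requester_id):
    # The request parameter goes straight into the SQL text, so a value such
    # as "1 OR 1=1" returns every order in the table.
    sql = f"SELECT id, amount FROM purchase_orders WHERE requester_id = {requester_id}"
    return conn.execute(sql).fetchall()


def my_orders_fixed(conn, requester_id):
    # Validate the type, then bind the value; non-numeric input raises ValueError.
    return conn.execute(
        "SELECT id, amount FROM purchase_orders WHERE requester_id = ?",
        (int(requester_id),),
    ).fetchall()


# --- Business logic: approving a purchase order ----------------------------

def approve_vulnerable(conn, user_id, po_id):
    # Only the UI hides the Approve button from requesters; the server checks
    # nothing, so a requester can approve their own order at any amount.
    conn.execute("UPDATE purchase_orders SET status = 'approved' WHERE id = ?", (po_id,))
    return "approved"


def approve_fixed(conn, user_id, po_id):
    role = conn.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    po = conn.execute(
        "SELECT requester_id, amount, status FROM purchase_orders WHERE id = ?", (po_id,)
    ).fetchone()
    if role is None or po is None or role[0] != "approver":
        return "denied"                       # authorization, not just authentication
    requester_id, amount, status = po
    if requester_id == user_id:
        return "denied"                       # separation of duties
    if status != "pending":
        return "denied"                       # state machine enforced server-side
    new_status = "approved" if amount <= APPROVAL_LIMIT else "awaiting_second_approval"
    # Re-check the state inside the UPDATE so two concurrent approvals cannot
    # both succeed.
    cur = conn.execute(
        "UPDATE purchase_orders SET status = ? WHERE id = ? AND status = 'pending'",
        (new_status, po_id),
    )
    return new_status if cur.rowcount == 1 else "denied"


if __name__ == "__main__":
    db = build_db()
    print("injected:", my_orders_vulnerable(db, "1 OR 1=1"))   # all three orders
    print("bound:   ", my_orders_fixed(db, "1"))                # only alice's
    print("carol self-approves (vulnerable):", approve_vulnerable(db, 3, 11))
    print("alice self-approves (fixed):     ", approve_fixed(db, 1, 10))
    print("bob approves 15k (fixed):        ", approve_fixed(db, 2, 12))
```

The fixed approval does four checks the vulnerable one skips (role, requester != approver, current state, amount threshold) and repeats the state check in the UPDATE's WHERE clause; a penetration test of an ERP front end should try each of those paths directly against the API, not through the UI.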
5. Open network shares
Certain ERP systems -- usually older ones -- require every network user to have access to the ERP system folders. This practice is extremely unsafe: a single compromised workstation can read those folders or let ransomware encrypt them, and the shares invite unauthorized access to business data.
Consider a software change if the current ERP system mandates these permissions.
6. Lack of issue flagging
Employees must notify IT or other tech leaders immediately when they notice an ERP security issue. Educate employees about the importance of flagging problems so IT and other departments hear about potential issues before a small problem becomes a large one.
7. Lack of incident response planning
Most organizations have not documented an incident response plan for protecting or recovering their ERP system. Make a plan now to avoid scrambling during a crisis.
8. Lack of proper testing
IT leaders can't address the most common ERP security issues if they don't know about them. Implement periodic and consistent vulnerability scans and penetration testing that go beyond IT control audits.
The tests will help ensure that IT finds any potential problems and then fixes them.
9. Unclear employee expectations
Many organizations have poorly documented security policies, and many employee handbooks barely mention what is expected of employees when they use company technology. Remote work muddies the waters even further.
A security committee should work alongside legal counsel and human resources to ensure tech use rules are clear and employees are well-trained on security issues, acting in support of security rather than against it.
10. Lack of ongoing education for technical staff
Tech staff must stay up to date on the most common ERP security issues as those issues grow and change, and on current security practices and training. Out-of-date practices introduce unnecessary risk, so continuing education is essential.
About the author
Kevin Beaver, CISSP, is an independent information security consultant, writer and professional speaker with Atlanta, Ga.-based Principle Logic. Author of the best-selling book Hacking For Dummies, he specializes in vulnerability and penetration testing, security program reviews and virtual CISO consulting work.