Sergey Nivens - Fotolia


Why companies should make ERP security a top priority

Whether your ERP system is on premises or in the cloud, it's still vulnerable, and you need to take the right measures to secure it. Here's advice on how to do just that.

Your ERP is a treasure chest filled with valuable data -- and hackers may be planning a cyber attack right now. That's why your IT and infosec teams need to understand ERP security issues and best practices.

An ERP system is likely to contain both the company's intellectual property and employee and customer personally identifiable information, and it's critical to keep this data safe. But it's not easy.

The typical ERP environment is a soft target. It includes multiple components, including network hosts, web components, databases, thick clients and mobile apps. These complexities keep IT and information security (infosec) professionals on their toes year-round.

ERP security issues

The computers and software associated with your ERP system are vulnerable to common security exploits, which can create serious challenges if you don't address them. Whether your system is on premises or in the cloud, you need to check for common ERP security issues. Here are six common issues:

  1. missing software patches at the OS, application and database levels that can facilitate remote control, malware infections or DoS attacks;
  2. system authentication mechanism flaws;
  3. SQL injection caused by a lack of input filtering;
  4. poor user management or privilege escalation vulnerabilities that cause access control gaps;
  5. data backup weaknesses that leave systems vulnerable to ransomware infections; and
  6. poor visibility across the network that limits security incident management and response.

The size of the organization or the industry doesn't matter -- these vulnerabilities affect all organizations.

ERP security often overlooked

Internal or external audit teams typically govern ERP systems. Security oversight often stops there, but it's not enough to ensure reasonable ERP security. As with any controls audit-type approach to information risk management, ERP security is often lacking in terms of technical vulnerability and penetration testing. This oversight can lead to the very security incidents that the core IT controls are trying to prevent. It's also common to see ERP systems not specifically included in the organization's overall incident response and business continuity plans.

Your organization's top leaders should understand that ERP security is a mission-critical priority, not just an IT-centric function. They should create metrics and make decisions about ERP security as part of a cross-functional group that includes the IT, security, operations, finance and legal departments.

The need to test ERP security

Your IT and infosec teams have ongoing duties. As part of ERP security best practices, IT professionals must scrutinize ERP environments in terms of security technologies, such as logging and alerting, multifactor authentication, and data loss prevention or cloud access security broker. The same rule applies to ongoing security testing.

Whatever decisions you make -- or don't make -- think things through, and make sure all your choices are defensible.

At a minimum, designated members of IT or infosec teams should run dedicated vulnerability scans using network vulnerability scanners, such as Qualys and Nessus, and web vulnerability scanners, such as Acunetix and Invicti. They may find dedicated ERP testing tools, such as ERPScan, beneficial. They also need to make sure penetration testing and manual analysis accompany automated scanning. IT and infosec teams can also consider database vulnerability scans using tools such as Scuba, source code analyses using tools such as Veracode, and even network architecture and firewall configuration analyses to ensure that only those with a business need can access the environment.

Your IT security teams need to perform ERP security testing periodically and consistently -- at least once per year. They might not be able to oversee and test the ERP system at these levels if they're using a third-party cloud-based system. In that case, the team should periodically review the security operations center audit report and ask to see a copy of the most recent vulnerability and penetration testing report. For the latter, an executive summary might be all you can obtain, which typically suffices.

Using common sense and consistent oversight are two critical -- and often overlooked -- core ERP security best practices. The last thing that you need is to have your business's crown jewels exposed through a preventable weakness. Whatever decisions you make -- or don't make -- think things through, and make sure all your choices are defensible.

Next Steps

Unpatched applications threaten SAP security

Dig Deeper on ERP implementation

Data Management
Business Analytics
Content Management