What are the min security risks for your ERP?

One of the interesting things about the term ERP is that it is a name that as much describes what the software aspires to as what it actually does. What do I mean by that?  Take the example of a manufacturing business and a consulting firm.  Beyond standard financial management modules, the functionality delivered by ERP systems for each company is very different.   But each system could still fairly be described as an ERP system.  What's the common thread? The common element that qualifies a system as an "ERP" is ultimately the aspiration of the software  to provide as "comprehensive" a solution as possible in terms of managing the full range of financial and operational tasks.  It's also really "comprehensiveness" that is at the root of many of the core ERP benefits:  sharing data effectively across the enterprise, eliminating expensive and difficult to maintain integrations, and accelerating efficiencies and learning curves through a common software interface. There's a risk involved in this gathering together, though.  While it's of course easier to carry the eggs in a single basket, it's all the more important not to spill the basket.  Essentially, the broader the scope of your ERP system, the more important it is to inventory and address all security risks. Read on to get insights direct from experts on what ERP threats and risks you need to be aware of and how to address these issues. Risk1:  Outdated, unsupported software can lead to crashes and integration issues “One risk that companies often seem to be ignored is the risk of running outdated, unsupported software systems. Why does this matter? Because older software versions will not be compatible with and won’t integrate with newer products. Even servers and browsers can be adversely affected. And if the software is no longer supported, where will you go for help when (not if) your system crashes? Staying up to date means upgrading to the newest versions of the software you currently use, or, moving to a new software system altogether.” -Marcia Nita Doron, Marketing Director, Altico Advisors Risk2: Insufficient reporting capability can lead to external reporting and a loss of data control "One of the top reasons driving new ERP purchases is that lack of functionality has caused users to not be able to access and analyze data with the tools available within their system.   As a result, users resort to more “user friendly” tools such as Excel and Access to create systems that are external to the ERP system and often hold critical information that is only available within them.   Over time as these propagate within the organization, management loses track of the extent and locations of “user systems” and they are not part of regular system backups.  So, if an employee were to leave or become disgruntled, the data could be permanently lost.  The solution is to establish a directory on a server that is regularly backed up, make it mandatory that these systems reside there." -Ken Hilty, Vice President of Sales, e2b teknologies Risk3: Technical personnel and providers have access to make large scale changes to program behavior "Rightfully so, many organizations focus enterprise system risk management primarily on external threats, data center procedures, and end-user security. However, when it comes to a software developer’s direct access to the system, this is an area that usually deserves more scrutiny. For example, controls should be in place to manage their ability to make program changes or prevent any other unauthorized updates to business data within the production system. But what is more frequently overlooked is their access to the “soft coded” system configuration settings. These are the parameters and switches that can make the software function very differently, without traditional programming."  -Steve Phillips, Author, Control Your ERP Destiny Risk4: Delayed updates can lead to software vulnerabilities "An often overlooked ERP/accounting software related security threat is related to the delay companies have updating their software. While all software manufactures are continuously improving their software (which often address security vulnerabilities), the SaaS model allows for real-time and continues updates.  Traditional on-premise ERP vendors are challenged when it comes to distributing updates.  The problem is that upgrading traditional on-premise ERP is hard.  66% of companies are not running on the most current version of their ERP system*.  As such, an astute hacker has a easy access to exploit the vulnerabilities that the manufacture has now pointed out."  Kevin Lalor, President, Business Intelligence101 Risk5:  Lack of compliance with security standards "One major area of security issues is compliance. For example, the Payment Card Industry’s Data Security Standard (PCI DSS) is a credit card industry requirement for being able to accept credit cards. Many legacy ERP systems are not compliant. Some very well known packages included.  Fundamentally the solution cannot store customer credit card numbers in any way in a non-heavily encrypted format. Those numbers cannot include the3 or4 digit security code. Those numbers should never be retrievable to employees beyond the last4 digits. There are numerous back end requirements about having powerful firewall, very strong passwords, no 'back doors', and tight controls on data and backups." -Mark Chinsky, Owner, Clients First Business Solutions By Guest Blogger:  Adam Bluemner is the Project Specialist Manager for FindAccountingSoftware.com, a service providing free software selection assistance.  Over the last decade Adam has spoken with over10,000 companies, helping them achieve business success through intelligent software investment.  Adam writes extensively on ERP and business software.   

Delayed updates can lead to software vulnerabilities & Lack of compliance with security standards

Midware, integration and data access staging should have security rules to narrow the view scope and to serve only the integration requirement.

The Min Security Risks are distributed through the ERP governance layers, the blind corners or "mute points” are usually found in the very root of DB Access, rolling up to midware and integrations e.g. web service and API, moving further to remote access and landing to user level access and casual data exchange.

If the governance standards don’t cover these areas we will have lethal loose ends that may cause tangible damage.

- DB Access should be strictly regulated with limited SYSADMIN PWs. the physical backups should be secured and regulated as well.

- Midware, integration and data access staging should have security rules to narrow the view scope and to serve only the integration requirement.

- VPN and remote access should have enough security resources to safeguard the data when cyberred through the internet.

- User access has to be designed as per desired role, audit trail should be activated, and to strictly regulate unattended open desktops or unguarded ERP printouts and documentation, finally to prevent the casual exchange of unprotected files through mails or storage media. 

Think in this way : While it's of course easier to carry the eggs in a single basket, it's all the more important not to spill the basket.

So what can we do to improve ERP security? This really has not changed but the need to be vigilant is as important as ever.Keep in mind the following :

1:  Outdated, unsupported software can lead to crashes and integration issues

2: Insufficient reporting capability can lead to external reporting and a loss of data control

3: Technical personnel and providers have access to make large scale changes to program behavior

4: Delayed updates can lead to software vulnerabilities.

5:  Lack of compliance with security standards

Unauthorized view access to the ERP.

Explanation: min means minimum so it is the lease value, for example if we say what is the min value in this array [1,2,3] the answer will be1.

Risk: could be opportunity or threat in this case I consider the risk to be a threat and risk is something that could or couldn’t happen in the future.

Security: access is for authorized only

Min security risk: is the least probability and least effect of this thing that could happen in the future, so

Unauthorized view access to the ERP could be the correct answer.   

Thank you for your answers and I would like to add the following:

Your User Passwords Last Forever

Employee turnover may be frequent and often you will remember to stop their no longer needed access. But everyone gets hacked from time to time and your users can be victimized in a multitude of ways if passwords are not changed frequently. Less obvious are your external users. You granted a password to your best customer so they could check on order status. Have you vetted all of their employees? That could be a problem and allowing their password to stay active forever only compounds the potential ERP security risk.

You Have Enabled Applications That Are Unnecessary

Many of these applications are useful time savers. These days, a lot of applications automatically load into start menus to better serve you by staying up to date. Do you know what you accidentally authorized by not unchecking every box? Probably not. Any of your users could have installed malware that could remain unnoticed and dormant. Running checks regularly on every computer is essential, even for the most basic of ERP security processes.

You Need to Be More Aware of Mobile Users

Your users want to access your ERP from their tablets and smart phones. OK, but each device enables a user with a relatively insecure device to connect within your ERP. You haven’t had any ERP security issues yet – but they are coming soon, when you are least expecting it. Install security software on the devices before allowing access.

You Trust Your Users

Your ERP data is your whole business – it is valuable. And your users can extract data to a thumb drive or send it by email anywhere. Develop an ERP data security audit system to track who used what data and what they did with it. Be sure the audit system has alarms to let you know when something suspicious is happening and not after the damage is already done.

You Just Don’t Realize How Open Your ERP Is to the Web

You don’t have a cloud ERP system so why worry? All modern ERPs use internet connections between users and the system. All allow access from outside. Install firewalls, use the best virus software and keep it current.