After a tumultuous 2017, cybersecurity is undoubtedly a top-of-mind issue for every organization. With information security spending on the rise (Gartner predicts it will grow to $93 billion worldwide in 2018), organizations must start to identify the key facets of their business that require significant protection against malicious attacks, one of which is enterprise resource planning (ERP) software.
ERP acts as the central nervous system of most organizations; it contains and controls just about every relevant piece of data in a business—such as inventory counts, financial records, manufacturing details, pricing information, customer requests, and much more. And, while having all that data in one centralized, easy-to-access location is incredibly efficient, ERP systems that aren’t properly protected are also a treasure trove for hackers, snoopers, and other not-so savory individuals.
With so many layers that may be vulnerable to attack, securing an ERP system involves much more than just one piece of cybersecurity software. For every organization looking to up their cybersecurity strategies, here are five signs that indicate an ERP system and the mission-critical data it houses—both corporate and customer—might be susceptible to an attack.
Here are five signs a company may be at risk:
- No one knows where and how sensitive data is stored, or who has access to it.
Every business should know where its most vulnerable data exists. If it doesn’t, there’s a very high chance that the company will fall victim to a cyberattack. The first step to preventing this from happening is identifying what the company’s most mission-critical data is—whether it’s financials, customer and vendor information, payment details, employee records, and/or sensitive emails. From there, the organization should figure out where and how that data is stored. Is it on a hard drive, a cloud drive, a backup drive, or a USB thumb drive? And, is it stored as “plain text”—or readable data—or is there some type of encryption?
If the ERP system stores most of a company’s sensitive data (which, as previously mentioned, is often the case), the ERP vendor must qualify the safety of the platform and its ability to securely store data. Encryption is one identifier of a strong ERP system, but the ability to create role-based security levels for information access showcases an even higher level of protection in ERP systems. Some vendors have the ability to ensure employees only have access to the information they need for their specific job, eliminating the potential of other confidential data being comprised.
In addition to evaluating the ERP vendors’ safety measures, companies should also consider implementing a strong backup strategy. If an attack like ransomware occurs—where a hacker encrypts company data and demands payment—having a backup in place would prevent a devastating loss. Then, all the company would need to do is simply restore the data and get back to work
- No one knows when the company last applied patches.
An ERP platform is part of a larger ecosystem of software and hardware that works together to keep a system secure, and a regular part of keeping that system healthy and strong is applying security patches. Patches need to be regularly applied to hardware and network devices, operating systems, anti-virus, and other software applications to ensure they’re preventing potential breaches.
This was a particularly critical factor with the WannaCry ransomware virus in May 2017, when hackers hit computers in more than 150 countries around the world, but not all computers were infected. The ones that were impacted had not been patched with the latest security update from Microsoft—a critical step that had been overlooked by those organizations.
Thankfully, most ERP vendors regularly update their systems with security patches to protect data and seal up any possible holes, which is a qualification every organization should consider when selecting an ERP software. The most security-minded ERP vendors send out multiple patch updates a year and offer immediate fixes for anything time-sensitive.
- The company has no idea what tools are running.
If a company doesn’t have an easy way of identifying every software and hardware tool that’s running in its environment, it could be flying blind from a security standpoint. In order to apply patches and remove rogue software from the system, company executives and IT professionals must know what’s running. There are several software solutions, such as Spiceworks, for example, that can scan a company’s network and tell them what is running and where. Having precise insight on this will allow companies to build a software/hardware inventory of everything in its network. From there, it will be easy for internal experts to ensure everything is patched and secure—especially the tools that run in concert with an ERP platform.
- The company lacks strong email protection.
Email is one of the most common ways for malicious individuals to gain access to an organization’s systems. This has been evidenced by nearly every recent, high-profile attack, most notably the one that impacted Hillary Rodham Clinton. In 2016, Clinton’s campaign manager, John Podesta, inadvertently fell prey to a phishing email from Russian hackers, giving the malicious group access to private communications involving the Democratic National Committee. More recently, it was then-Homeland Security adviser Tom Bossert who fell victim to a fake party e-vite from a hacker pretending to be Jared Kushner.
At the end of the day, if a phishing scam can happen to a high-ranking campaign official and a White House security adviser, it can happen to anyone and any organization. Businesses must take the necessary preventive measures by applying a software tool that protects emails from spam, phishing attacks, malware, and viruses. Moreover, for those organizations operating in highly regulated industries, adopting a protocol like the Domain-based Message Authentication Reporting and Conformance (DMARC) to validate email authentication may be a necessary extra step. Security experts consider this “perimeter” protection one of the most important layers of an organization’s security—and with hackers blocked from entering the “front door” of the business via email, protecting the mission-critical data in systems like ERP will be much easier.
- Employees haven’t been educated on cybersecurity.
No matter what the company size, executives should have a talk with every employee about basic security practices at least once a year—especially if the organization employs any remote or freelance workers. This tactic is particularly important for educating employees on one of the more common types of hacks: social engineering.
Social engineering involves hackers trying to trick an unknowing person into divulging secure information, and the scams can be quite convincing. Take the city of Keokuk, Iowa, for example, where in January 2018, a city employee was duped into handing over W2 information for employees and elected officials. In addition to being on the lookout for email scams, employees should have a good understanding of company password policies, third-party software, and data protection. They should also understand common threats like malicious web sites, fake Wi-Fi access points, and the problem with reusing credentials.
It is essential that every single employee—from the night shift worker to the CEO —is educated on how to identify these types of scams to prevent potentially granting hackers access to the ERP system and all of the confidential data the platform keeps.
For companies that leverage the power of ERP systems to store, manage, and distribute information, having an airtight security strategy is incredibly necessary. With hackers advancing their tactics and more organizations, executives, and even government officials falling victim, every business should ensure they are not making the above mistakes, and in the process, putting both their corporate and customer information at risk.