5 ERP Security Risks to Be Aware Of
May 30, 2016
Shah Sheikh (1294 articles)

One of the interesting things about the term ERP is that it describes what the software aspires to as much as what it actually does.

What do I mean by that? Take a manufacturing business and a consulting firm. Beyond the standard financial management modules, the functionality each company gets from its ERP system is very different, yet each system can still fairly be described as an ERP system. What is the common thread?

What ultimately qualifies a system as an “ERP” is the software’s aspiration to be as “comprehensive” a solution as possible in managing the full range of financial and operational tasks. That comprehensiveness is also at the root of many of the core ERP benefits: sharing data effectively across the enterprise, eliminating expensive and hard-to-maintain integrations, and accelerating efficiencies and learning curves through a common software interface.

There is a risk in this gathering together, though. It is of course easier to carry the eggs in a single basket, but that makes it all the more important not to spill the basket. Essentially, the broader the scope of your ERP system, the more important it is to inventory and address all of its security risks.

Read on to get insights direct from experts on what ERP threats and risks you need to be aware of and how to address these issues.

Risk 1: Outdated, unsupported software can lead to crashes and integration issues

“One risk that companies often seem to ignore is the risk of running outdated, unsupported software systems. Why does this matter? Because older software versions will not be compatible with and won’t integrate with newer products. Even servers and browsers can be adversely affected. And if the software is no longer supported, where will you go for help when (not if) your system crashes? Staying up to date means upgrading to the newest versions of the software you currently use, or moving to a new software system altogether.” -Marcia Nita Doron, Marketing Director, Altico Advisors

Risk 2: Insufficient reporting capability can lead to external reporting and a loss of data control

“One of the top reasons driving new ERP purchases is that lack of functionality has caused users to not be able to access and analyze data with the tools available within their system. As a result, users resort to more “user friendly” tools such as Excel and Access to create systems that are external to the ERP system and often hold critical information that is only available within them. Over time, as these propagate within the organization, management loses track of the extent and locations of “user systems,” and they are not part of regular system backups. So, if an employee were to leave or become disgruntled, the data could be permanently lost. The solution is to establish a directory on a server that is regularly backed up, and make it mandatory that these systems reside there.” -Ken Hilty, Vice President of Sales, e2b teknologies

Risk 3: Technical personnel and providers have access to make large scale changes to program behavior

“Rightfully so, many organizations focus enterprise system risk management primarily on external threats, data center procedures, and end-user security. However, when it comes to a software developer’s direct access to the system, this is an area that usually deserves more scrutiny. For example, controls should be in place to manage their ability to make program changes or prevent any other unauthorized updates to business data within the production system. But what is more frequently overlooked is their access to the “soft coded” system configuration settings. These are the parameters and switches that can make the software function very differently, without traditional programming.” -Steve Phillips, Author, Control Your ERP Destiny
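One way to put a control around those “soft coded” parameters is to diff a production configuration snapshot against an approved baseline and flag any change that has no approved change ticket or was written directly by a developer account. The following is an added example, not code from the original post or from any ERP product; the parameter keys, account names and ticket ids are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfigChange:
    key: str
    old: object
    new: object
    changed_by: str


# Constructed snapshots of hypothetical "soft coded" ERP parameters.
BASELINE = {"ap.auto_approve_limit": 1000, "gl.period_lock": True, "inv.neg_stock": False}
PRODUCTION_NOW = {"ap.auto_approve_limit": 50000, "gl.period_lock": True, "inv.neg_stock": True}
# Constructed audit trail: account that last wrote each parameter in production.
LAST_WRITER = {"ap.auto_approve_limit": "dev_jsmith", "inv.neg_stock": "erpadmin"}
# Constructed change-management records: parameter -> approved ticket id.
APPROVED = {"inv.neg_stock": "CHG-0042"}
DEVELOPER_ACCOUNTS = {"dev_jsmith"}


def diff_config(baseline, current, last_writer):
    """List every parameter whose value differs from the approved baseline."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changes.append(ConfigChange(key, baseline.get(key), current.get(key),
                                        last_writer.get(key, "unknown")))
    return changes


def unauthorized_changes(changes, approved, developer_accounts):
    """Return (change, reasons) for changes lacking a ticket or made by a developer."""
    flagged = []
    for c in changes:
        reasons = []
        if c.key not in approved:
            reasons.append("no approved change ticket")
        if c.changed_by in developer_accounts:
            reasons.append("written directly by a developer account in production")
        if reasons:
            flagged.append((c, reasons))
    return flagged


if __name__ == "__main__":
    for change, reasons in unauthorized_changes(
            diff_config(BASELINE, PRODUCTION_NOW, LAST_WRITER), APPROVED, DEVELOPER_ACCOUNTS):
        print(f"{change.key}: {change.old!r} -> {change.new!r} by {change.changed_by}: {'; '.join(reasons)}")
```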

Risk 4: Delayed updates can lead to software vulnerabilities

“An often overlooked ERP/accounting software related security threat is related to the delay companies have updating their software. While all software manufacturers are continuously improving their software (which often addresses security vulnerabilities), the SaaS model allows for real-time and continuous updates. Traditional on-premise ERP vendors are challenged when it comes to distributing updates. The problem is that upgrading traditional on-premise ERP is hard. 66% of companies are not running on the most current version of their ERP system*. As such, an astute hacker has easy access to exploit the vulnerabilities that the manufacturer has now pointed out.” -Kevin Lalor, President, Business Intelligence 101

Risk 5: Lack of compliance with security standards

“One major area of security issues is compliance. For example, the Payment Card Industry’s Data Security Standard (PCI DSS) is a credit card industry requirement for being able to accept credit cards. Many legacy ERP systems are not compliant. Some very well-known packages are included. Fundamentally, the solution cannot store customer credit card numbers in any way in a non-heavily encrypted format. Those numbers cannot include the 3 or 4 digit security code. Those numbers should never be retrievable to employees beyond the last 4 digits. There are numerous back end requirements about having a powerful firewall, very strong passwords, no ‘back doors’, and tight controls on data and backups.” -Mark Chinsky, Owner, Clients First Business Solutions
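A practical check for the card-data requirements above (and for the user-built Excel and Access “side systems” from Risk 2) is a scanner that looks for Luhn-valid card numbers sitting in plaintext, reports them masked to the last four digits, and flags a security code stored next to them. This is an added example, not code from the original post or any vendor; the CSV export and the card numbers in it are constructed (industry test numbers, not real cards).

```python
import re

# Constructed fragment of a spreadsheet export of the kind that ends up outside the ERP.
SAMPLE_EXPORT = """\
customer,notes
Acme Ltd,"paid by card 4111 1111 1111 1111 cvv 123"
Beta GmbH,"invoice 2016-0042 ref 12345678901234"
Gamma Inc,"card on file 5500-0000-0000-0004"
"""

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3/4-digit security code labelled on the same line must never be stored at all.
CVV_HINT = re.compile(r"\b(?:cvv|cvc|cid|security code)\b\s*:?\s*\d{3,4}", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card networks; filters out invoice and reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form that reveals only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Masked findings for every Luhn-valid card number found in plaintext."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": line_no, "masked": mask_pan(digits),
                                 "cvv_nearby": bool(CVV_HINT.search(line))})
    return findings


if __name__ == "__main__":
    for finding in find_pans(SAMPLE_EXPORT):
        print(finding)
```

The same scan can be pointed at database dumps, log files and the backed-up “user systems” directory to confirm that no unencrypted card numbers have leaked outside the encrypted store.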

Source | ERPSoftwareBlog