Why Security Should Be A Priority For An ERP Ecosystem
In May of this year, organisations across the globe were hit by a malicious ransomware attack that left over 230,000 systems in a state of chaos, with hackers demanding ransom for systems to be returned to normal.
With up to 70,000 devices across 74 countries affected, the NHS was arguably the most widely reported in the UK with MRI scanners, medical storage fridges and operating theatre equipment taken out of action.
Unfortunately, the ‘WannaCry’ attack is not a standalone incident and the media is constantly plagued with stories of businesses that have been hacked or fallen victim to cyber crime. As these kind of attacks become more frequent, CTOs and CIOs continue to examine their current systems and prioritise security.
A need for awareness
With the security of the cloud, internet of things and big data all taking centre stage, the security of an organisation’s ERP system is often overlooked despite presenting significant vulnerabilities.
For example, in May 2015 it was reported that a flaw in US Investigations Service’s (a contractor in charge of conducting federal background checks) SAP system had led to the company being breached back in 2013 with hackers obtaining the data of over 27,000 employees.
Furthermore, a recent study by US firm, ERPScan, found that 89% of those asked expect to see cyber attacks against ERP systems increase with the average cost of a breach costing $5 million. Within the same study, 44% said that they monitored their system’s security but 14% alarmingly said they never analyse the security of their ERP systems.
With more connected devices allowing access to particular ERP systems and exposing potential weaknesses to be exploited, the time for CTOs and CIOs to analyse their ERP security is now.
Vendor security patches
It could be argued that one reason for a lack of awareness around ERP security is perhaps organisations’ over-reliance on vendors to provide security patches.
However, with current vendor security, patches are received monthly or even quarterly and on average, most customers don’t apply them for three to six months later, due to the time it takes to progress these patches through their internal test environments. This can leave customers vulnerable to threats for significant periods of time.
Additionally, ERP vendors such as Oracle typically provide a premier level of support on its latest products for a five-year cycle. Once this support period has ended customers either have to pay to upgrade to the latest version, often costing hundreds of thousands of pounds or they are downgraded to a lower level of support.
What’s more, customers who are on an extended support contract only receive patches and fixes for existing issues, meaning customers don’t have access to patches identified for new threats; leaving these customers even more exposed.
Custom patches from third party providers
Organisations need to apply a more proactive solution and monitor the endpoint of the servers and databases in question and observe the network traffic and signatures to identify malicious threats instantaneously then provide protection immediately.
The virtual patching approach provided by third-party ERP support providers enables organisations to apply fixes in almost real time as vulnerabilities arise, not weeks or even months down the line.
As well, an organisation’s Oracle or SAP systems are unique to them as they have the ability to add individual customisations and extensions. However, with their customer bases so expansive, vendors often only provide patches for general problems or if there are issues that have been widely experienced.
This can lead to some companies having a backlog of issues that the vendors can’t always support as their general patches can’t solve unique problems. Third-party support providers offer skilled and experienced teams who identify the patches required for individual SAP and Oracle systems.
Furthermore, virtual patching also addresses additional shortcomings some customers may experience with vendor support.
For example, organisations who are under an extended support contract would most likely only receive patches and fixes for existing issues meaning businesses don’t have access to new patches for their older systems. Yet, third party providers are able to offer patches for new threats regardless of how old their ERP systems are.
Staying secure
Whilst maintaining a secure ERP ecosystem is essential, there is no silver-bullet solution that will work for all organisations. However, for many CTOs and CIOs, the software manufacturers’ patching policies are outdated and do not address their security concerns.
Virtual patching is able to offer those organisations peace of mind that once a security threat arises, a solution will be available almost instantly. For example, the ‘WannaCry’ security threat first came to light on 12th May, however with virtual patching the vulnerability had already been identified back in March 2017 so supported organisations were protected and never at risk.
With an increasing amount of important data stored in various databases and organisations reliant on ERP software, it has never been more important for CTOs and CIOs to remain vigilant and educate themselves on ERP security to ensure their organisation remains operational during a cyber attack.
Source: information-age.com