Enterprise resource planning (ERP) solutions are complex applications by nature, and with that complexity comes increased concern about the application’s security. Combine the ERP system’s complexity with the fact that it houses a great deal of sensitive data related to financial resources, intellectual property and personnel, and it is easy to see why it becomes a target for cyber attacks.
As with any enterprise application, myths have developed around the security of the ERP solution, and unless your organization understands the truth behind these myths, the system may be at greater risk. Below are some of the more common beliefs regarding ERP security, along with explanations that dispel them.
ERP systems are internal or closed
Many believe that the ERP system sits behind the many layers of the security infrastructure and that, since there is no way for an outside threat to access the system, there is no need to worry. This, however, is untrue on many levels.
To begin with, many ERP solutions exist in the cloud. In these instances, the thought that the software and data sit behind the safety of an organization’s technical controls is false. But even those hosted on-site aren’t completely sealed off. Mobile access presents an exploitable entry to the ERP system, as do the many open connections to suppliers, vendors and others outside of the organization. Finally, through a successful spear phishing email, an outside attacker can compromise accounts and assets with access to the ERP system, giving them full access to the software and all of its data.
The software is secured by default
The thought that the default settings of any application are secure is one of the biggest misconceptions there is. Default administrator names and passwords should be reason enough to think twice about trusting software out of the box, but combine this with user roles and the thousands of other settings involved in a large ERP solution, and it is easy to see that properly locking down this application takes time spent customizing settings to meet a specific organization’s infrastructure and policies.
Security is the responsibility of the vendor
While you should hope that the vendor provides you with a secure product, it is only going to be patched against the vulnerabilities known at the time it was packaged. Each day new zero-day threats emerge to expose vulnerabilities in different types of software. It is the owner’s responsibility to make sure that they patch their ERP software, as well as the server software, regularly to defend against new exploits.
Also, not all threats are vulnerabilities in the software itself. Insider threats, spear phishing attacks and administration failures cannot be blamed on the vendor.
If there is one takeaway from this, it should be that ERP software is just as susceptible to attacks as any other enterprise application. Whether it is hosted in the cloud or on-site, care needs to be taken to ensure that everything possible is done to protect against attacks, and that responsibility lies on the shoulders of the customer. In order to keep your business and customer data safe, you need to do everything you can to ensure that your ERP solution is not vulnerable. If this means you need to bring in outside help, then make sure your consultants are able to assist you in securing your solution through its entire lifecycle.
The post 3 Myths Surrounding ERP Security appeared first on Merit Solutions.