Everything you need to know about ERP solutions and cybersecurity

One of the biggest problems we face as researchers is identifying the relevant questions to ask. This makes curiosity a particularly important trait to have. In addition, you have to be aware of your own deficiencies and open to the fact that there are always going to be things you or your team do not know.

This became more than apparent to us recently when asked by a colleague what content we had around the subject of ERP security, to which we had to answer that we had nothing!! This post is now an attempt to rectify that, at least at a very high level, as after all we are not ERP experts.

An Enterprise Resource Planning solution, also known as an ERP solution, is a set of software programmes that is designed to manage and integrate a company's core business processes, such as financial management, supply chain management, human resources management, customer relationship management, and inventory management, into a single unified system.

ERP systems usually work from a centralised database, thus allowing all departments within an organisation to get access to the information contained inside the system. Because of this, they can simplify and automate their procedures leading to lower operating costs and boosting their overall efficiency.

On the market today, there is a wide selection of ERP providers, each of which offers a bespoke collection of features and options. Some of the top vendors/products in the Enterprise Resource Planning (ERP) space include the following:

• SAP is one of the most well-known and widely used enterprise resource planning (ERP) software suppliers in the world. They provide an extensive selection of ERP solutions that are geared towards a variety of business sectors and company sizes.
• Oracle is another industry-leading ERP vendor that provides solutions for a variety of businesses, including retail, healthcare, and manufacturing, amongst others.
• Microsoft Dynamics is a suite of enterprise resource planning (ERP) tools that can interface with other Microsoft products, such as Microsoft Office. It is geared towards both micro and medium-sized companies.
• Infor is a provider of ERP solutions that are tailored to various industries, like the healthcare industry, the manufacturing business, and the hotel industry.
• Epicor provide ERP systems for the manufacturing, wholesale distribution, retail, and service industries respectively.
• Sage is a provider of business management software and services, including ERP solutions for companies of all sizes, with a particular focus on those in the small and medium company sectors.

An ERP solution is often made up of several different components that, when combined, form a comprehensive management system for a company's many business activities. These parts include the following:

• Core ERP system: This is the key component of the ERP solution that provides capability for managing core business processes, such as financial management, inventory management, supply chain management, human resources management, and customer relationship management.
• Database: An enterprise resource planning (ERP) system would normally make use of a centralised database to store the information it requires. This includes data on customers, suppliers, inventories, transactions, and any other business-related information that may be relevant.
• Business intelligence and reporting: ERP solutions frequently contain reporting and analytics capabilities that enable users to generate reports, analyse data, and get insights into business operations. These tools enable users to achieve a competitive advantage in their respective industries.
• Integration modules: Enterprise resource planning (ERP) solutions frequently feature integration modules that make it possible for the system to interface with other business applications including customer relationship management (CRM) software, e-commerce platforms, and supply chain management systems.
• Tools for customisation: Enterprise resource planning (ERP) solutions frequently contain tools for customization, which provide users the ability to customise the system so that it better meets their unique company requirements. This may involve user interface modifications, procedures, and specialised fields.
• Access restrictions, data encryption, and auditing capabilities are some examples of the security features that are included in ERP packages. These features are included to help safeguard important corporate data.

These components, when combined, work together to offer a comprehensive system for the management and automation of business processes, the enhancement of operational efficiency, and the provision of greater insight into business operations.

An enterprise resource planning (ERP) solution is an essential system that is used to handle and store sensitive corporate data, making it an attractive target for cyber criminals. As a result, a thorough threat model needs to be developed in order to detect potential dangers and openings in the ERP system's defences that could result in a security breach.

The following is a list of some of the most important aspects that make up a risk management model for an ERP solution:

• Identify prospective adversaries who could attempt to attack the ERP system, such as cybercriminals, hackers, company insiders, and other businesses in your industry.
• Identify possible vectors that attackers could use to exploit weaknesses in the ERP system. Some examples include vulnerability exploitation, phishing, and social engineering attacks.
• Identify potential vulnerabilities that may be exploited by attackers, such as unpatched software, weak passwords, unsecured network connections, or unsecured endpoints.
• Develop and put into place effective security controls to avoid and mitigate potential threats, such as encryption, access controls, monitoring, and frequent security audits. These methods are referred to as mitigation strategies.
• It is also necessary to determine the applicable compliance rules and regulations that relate to the ERP solution, such as GDPR, HIPAA, or PCI DSS, and to ensure that the system complies with these standards.
• Determine what the potential consequences of a successful attack on the ERP solution would be, such as monetary loss, damage to the company's reputation, or legal liability, and devise a strategy for how to react when security breaches occur.

There are, without a doubt, several dangers that are exceptional to or peculiar to ERP systems. These include the following:

• Inaccurate data: For proper operation, ERP solutions require data that is both accurate and complete. It is possible for there to be errors, inefficiencies, and security concerns if there is missing data, incomplete data, or erroneous data.
• Complexity: ERP solutions can be notoriously difficult to manage and secure due to their high degree of complexity and the level to which they can be customised to specific business needs. It can be difficult to identify and mitigate risks due to these complexities, which may be made worse by the introduction of security vulnerabilities caused by customisations.
• Third-party integrations: ERP solutions frequently integrate with third-party systems and applications, which can present a security risk if the integrating systems are not well secured.
• Insider threat: ERP systems have the potential to be subject to insider attacks, which can include personnel who abuse their access, purposefully create security flaws, or even just inadvertently make mistakes.
• Attacks from the internet: If exposed and not properly secured, ERP solutions are a desirable target for attacks from the internet, leading malware infection, Cyber Extortion and the theft of sensitive or valuable corporate data.

It is essential for businesses to implement a comprehensive security strategy that includes regular security assessments, vulnerability testing, employee training, and stringent access controls in order to reduce the impact of these unique threats and risks and protect their ERP solution from security breaches.

The security of ERP solutions is comprised of several different components, all of which collaborate to safeguard the system from various dangers and weaknesses. These parts include the following:

• Access controls: Access controls are used to ensure that the ERP system is only accessible to people who have been specifically authorised to do so. This includes features such as multi-factor authentication, strong passwords, and role-based access controls, and others.
• Encryption: Encryption is utilised for the purpose of protecting sensitive data both while it is in transit and while it is at rest. This includes precautions such as encrypting network communication with SSL/TLS and encrypting sensitive data stored in the database.
• Network security: The ERP system should be protected from network-based attacks and denial-of-service attacks by using network security measures. Firewalls, intrusion detection and prevention systems, and routine network scans are some examples of the security measures that fall under this category.
• Patch management: Conducting routine patch management is essential for mitigating vulnerabilities and ensuring that the ERP system is always current with the most recent security patches and updates.
• Employee training: It is vital to train employees in order to guarantee that users understand the dangers and best practises for using the ERP system. The risks and best practises they need to be aware of include maintaining good password hygiene, data classification, and recognising social engineering attempts.
• Auditing and monitoring: Both auditing and monitoring are essential for identifying security breaches in a timely manner so that appropriate action can be taken. The ERP system should be subjected to logging, auditing, and monitoring in real time as part of these precautions.
• Disaster recovery & business continuity: It is essential to have an incident response plan in place including planning for disaster recovery and maintaining business continuity. This ensures that the ERP system can be swiftly recovered following a security incident or outage and minimises the impact that this has on business operations.

It should also be noted that there are third party vendors, such as Onapsis & Safe O’Clock, providing security solutions specifically for some of the ERP platforms, although primarily aimed at SAP & Oracle. These solutions, as well as being able to help with some of the above best practice configuration items, also offer some of the following capabilities:

• Assess – Scan for vulnerabilities, unnecessary or dangerous services and misconfigurations.
• Detect & Respond – Ongoing threat monitoring generating alerts for unauthorized changes, anomalous user behaviour or cyberattacks. Integration with Incident Management & SIEM solutions.
• Compliance – Automated checks to ensure compliance with a variety of security and regulatory frameworks and controls.

Like most cybersecurity, there’s no magic here. Integrated cloud / on-premise deployments increase the complexity and indirect risk, but for the most part ERP security is achieved by consistently getting the security of the composite elements right. The biggest challenge for security managers is likely to be identifying what and where these components are, an exercise that will become increasingly more difficult as the complexity of the system increases.