Key ERP security risks and what you can do about them

Enterprise resource planning systems are ubiquitous across myriad industries. Why? Business can compete in the modern marketplace without these essential platforms. For this very reason, an estimated 81 percent of organizations have implemented ERP systems or are in the process of doing so, according to research from Panorama Consulting Solutions. Of course, these solutions, like all software, are susceptible to intrusion. Even on-premises setups tucked away in server rooms are under attack from a growing group of hackers and cybercriminals. 

These outside actors orchestrated more than 42,000 digital strikes last year, infiltrating mission-critical applications to siphon off sensitive data or wreak havoc within internal networks, according to analysts for Verizon Wireless. An ERP platform is an ideal target for hackers, as it contains both company and customer data and drives the backend machinery that makes business possible. That is why more than 60 percent of information technology specialists rank these systems above accounting or human capital management software, ERP Scan and Information Security found. Unfortunately, few companies act as if this is the case where data security is concerned. Only 44 percent order IT to perform monthly ERP security checks, according to ERP Scan and Information Security. And, a startling 14 percent never search their ERP solutions for vulnerabilities.

This state of affairs poses serious problems for organizations, as cybercriminals gain strength and bring about new data security risks, IT Toolbox reported.

"Hackers have shifted their focus from individuals to enterprises," Alexander Polyakov, chief technology officer for ERP Scan, told the publication. "We can expect an increasing number of targeted attacks, including ones against ERP systems. There are a lot of resources on the Internet providing all the required information on the ERP's architectures for attackers to customize their techniques."

To truly bolster their digital defenses and properly protect their ERP platforms, firms must first understand the threat environment. 

The rise of ransomware
This attack vector has experienced a meteoric rise in recent years, according to Verizon. The wireless carrier found it to be the 22nd most-used category of malware in 2014. This past year, it climbed to the fifth spot. Why are hackers embracing this particular virus? Ransomware makes it easy to collect money from unsuspecting victims. In most cases, this kind of nefarious program is delivered via an email client, where a user accidentally access it. The malware locks the computer and displays a ransom message demanding payment in exchange for system access.

A vast majority of victims pay the requested amount. For instance, more than 70 percent of the enterprises that suffered malware attacks in 2016 ended up paying their attackers, according to research from IBM. Half of these companies paid more than $10,000, while 25 percent paid between $20,000 and $40,000.

Unfortunately, ransomware continues to grow in complexity. The early versions that appeared on the internet in 2005 simply locked mouse and keyboard functionality, Wired reported. Newer versions come equipped with automated encryption components that seal off file access using a unique security key only the hacker knows. This makes it nearly impossible to bypass the malware without paying the ransom. Of course, companies are probably wondering how the threat of ransomware affects ERP platforms.

Once in the company network, this malware stops all connected systems in their tracks – including ERP solutions, according to IT Toolbox. Businesses with mobile-ready ERPs are at an even greater risk of suffering from ransomware attacks, as corruptible email clients share the same space as end-point ERP portals.

Businesses must protect their ERP solutions from cyberattacks.Businesses must protect their ERP solutions from cyberattacks.

Insiders do damage
Verizon recorded more than 7,700 of instances of privileged user misuse last year, 81 percent of which involved employees. In most cases, these individuals sought insider secrets they could sell on the black market, while others, roughly 17 percent, were simply snooping around in internal networks. This is an immense problem, no matter the motivation of the perpetrators. Seemingly harmless system snoopers can create legal liabilities, while more nefarious internal actors can steal sensitive trade secrets or purloin company funds via payroll fraud. 

Sadly, most companies are not prepared to deal with insider threats. In fact, an estimated 49 percent do not have user role management workflows in place, meaning system access is granted with little consideration for how misuse might affect the organization, according to research from Raytheon Cyber. Additionally, of the businesses that do have these processes in place, more than one-third leave it up to business units to determine what level of access employees receive. Only a quarter assign this duty to the area of the enterprise equipped to handle it: the information technology department.

ERP systems are, of course, vulnerable to this threat, as disgruntled workers or those looking for financial gain can easily leverage their credentials to misuse such platforms.

The password conundrum
Despite the consistent, widespread focus on password security, these key security phrases continue to pose problems for enterprise software users and their employers. To put it simply, employees are not trying hard enough when it comes to drafting effective passwords, according to research from Splash Data. Earlier this year, the password management company evaluated more than 5 million stolen corporate credentials leaked for public use in 2016. The password "123456" accounted for 4 percent of the entries and a startling 10 percent of the users employed credentials appearing on Splash Data's Worst Password list, which includes anemic phrases such as "password," "qwerty" and "login."

The data also revealed another troubling password trend: simplified word variations. In addition to the passwords above, many users employed easy-to-guess variations like "1234567" and "passw0rd."

"Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies," Morgan Slain, CEO for Splash Data, explained in an interview with Dark Reading.

Cybercriminals have indeed exploited this and other credential-related user tendencies. In fact, 81 percent of hacking-related breaches that occurred last year involved stolen login credentials, according to Verizon. This security risk certainly applies to ERP platforms, as most employ password protected portals.

Addressing the risks
With these and many other data security threats in play, organizations must bolster their ERP security strategies and employ policies that actually work.

When it comes to tackling ransomware, employee education is the most effective tool, ERP Focus reported. System users must have the knowledge required to spot suspicious messages and other web-enabled content that could carry the malware. Additionally, IT teams should address malicious websites, which constitute the second most common entry point for malware. Apart from this extra training, organizations can implement anti-virus software and build out robust back up and business continuity strategies ready for use in the event that ransomware does find a way into the internal network and cause problems.

"When it comes to tackling ransomware, employee education is the most effective tool."

Addressing unauthorized system access necessitates internal restructuring. The IT department – and, ideally internal data security specialists – should have full control over the credentialing process, as this business division is best equipped to evaluate the potential for insider abuse. Most ERP platforms come equipped with role management features, meaning few technical changes will be required. However, adopting user behavior monitoring software is a wise choice, according to ERP Scan. These platforms can lend IT teams system-specific visibility and allow them to identify malicious behavior.

There are limitless solutions to the password problem. For instance, credential crafting methodologies such as Diceware give users the ability to create powerful passwords without wracking their brains for easy-to-memorize phrases, The Intercept Reported. Of course, the organization itself must get involved as well. Establishing basic data security training programs helps, as does official company policies designed to encourage sound password usage. ERP Focus suggested instituting mandatory, company-wide password-change policies.

These strategies can help companies with ERP platforms fight back against the hackers and cybercriminals taking aim at their online assets. However, those managing older legacy systems might consider trading in these platforms for newer, easier-to-protect alternatives. Is your organization in this unfortunate position? Connect with Accent Software. As a Microsoft businesses solutions partner, we offer the Dynamics NAV/ERP platform, which is backed by top-of-the-line security from Microsoft. Learn more about our offerings today.