Cybercriminals know that the ERP is the heart of a business. The security of a company’s information depends on how well access is protected on the weakest of the devices that make up its network.
Many companies and organizations use specific software to manage their business processes. These tools are known as Enterprise Resource Planning systems, or more commonly by the acronym ERP. This type of application can manage a large number of processes that are critical for an organization, such as supplier management, the life cycle of a project or the operations carried out by the HR or Finance departments, since the software can be used for many purposes. Cybercriminals know this, and that is why they target these tools. Keeping business information secure is key to preventing them from blocking access to ERP data.
Security Patches, Updates and Bad Configurations
There are several reasons why ERPs are not usually updated to the latest version, which compromises information security. Among the main ones are the complexity of the tool itself, the number of instances to update, the fear that an error in the update will cause the service to stop working, or simply a lack of security culture and the belief that if something works well it is better to leave it as it is.
According to published reports, information security is a concern for many companies. Since 2010 the number of vulnerabilities discovered in the two most widely used ERPs worldwide has steadily increased. Combined with the growing number of public exploits and malicious code, this makes them a “very juicy” target for cybercriminals.
Research by Digital Shadows and Onapsis reveals evidence that business-critical applications run by the world’s largest organizations are under attack.
The report shows an increase in cyber attacks on widely used ERP applications such as SAP and Oracle, which currently have a combined total of 9,000 known ERP security vulnerabilities, and highlights that cybercriminals are increasingly targeting these systems.
Attacks on ERP applications include weakening and distributed denial of service (DDoS) attacks aimed at disrupting business operations: a convergence of threats which, according to the report, puts thousands of organizations and their crown jewels directly at risk of espionage, sabotage and financial fraud.
Malware kits known as Dridex are being developed to steal user credentials and ERP application data from behind the firewall. Third parties and employees are exposing information that can be of high value to sophisticated actors, the report warns.
Another common problem that compromises information security is allowing access to the application from the Internet without the necessary precautions. This is not in itself a bad practice, but when combined with the fact that many tools do not have the latest updates installed, or are not accessed over a secure VPN connection, it turns them into a threat to the organization.
Cybercriminals’ objectives
Cybercriminals have taken advantage, and continue to take advantage, of vulnerabilities, poor ERP configuration and weak information security for a variety of purposes.
Theft of confidential information
Many organizations use this type of software to manage their projects and store confidential information. In the event of unauthorized access, weak information security would allow cybercriminals to reach this information and sell it to competitors or use it as a means of extortion.
Bank data theft
Account or card numbers are stored and managed by the ERP, so their theft can lead to financial losses for the company or its customers, compounding the damage caused by weak information security.
Theft of personal data
It is common for an organization’s HR department to store personal data in this type of application: names and surnames, contact information, addresses and so on. Everything is stored and managed in the ERP, so weak information security opens the door to fraudulent access that can lead to leaks of this data, with the resulting loss of reputation and even legal consequences under each country’s data protection regulations.
Denials of service
Attacks that disrupt the services offered by companies, which can have an enormous reputational impact if they are not managed well.
Cryptocurrency mining
Cybercriminals can take advantage of the computing power of the machines that host this type of software to mine cryptocurrencies for their own benefit. Besides increasing energy consumption and wearing out the hardware, this can make the system slower or even leave it inoperative.
Malware infections
Infecting devices with Trojans, keyloggers or even ransomware is another widespread practice that can endanger the continuity of an organization that does not take precautions regarding information security.
Best Practices and Protective Measures
- To prevent the ERP from becoming a victim of cybercriminals, one of the main points is to implement an update policy under which the software can be updated as often as necessary to apply the security patches released by the vendor, with guarantees that performance will not suffer, since one of the main reasons updates are not applied is the fear that they will have a negative impact, with no regard for information security. As with any system or service in production, you must have a development and/or pre-production environment in which to apply the updates and check whether they affect the normal operation of the application, avoiding behaviors that could impair the functionality of the ERP in production and reinforcing information security.
- Another important point to consider with this type of tool is whether to enable access from the Internet. Whenever possible, such access should be restricted unless it is essential to the operation of the company. If connections have to be made from external networks, they must always go through a VPN, which mitigates possible information leaks and unauthorized access.
- Avoid default or weak passwords: complex security measures are often implemented, but insecure passwords greatly reduce the overall level of security.
- Review users’ privileges and grant only those that are necessary to perform the job.
- Monitor and log ERP activity so that, in case of anomalous activity or a security incident, the cause can be identified as soon as possible.
An ERP is a great tool that significantly increases the efficiency with which a company is managed, but it can also put the company at risk if the necessary security measures are not applied.