The ERP challenges that are keeping security teams up at night [Q&A]
Data is the lifeblood of modern business, and enterprise resource planning (ERP) systems are where it's likely to live. ERP software integrates data and business functions across departments like finance, manufacturing, marketing, sales and more, and of course this makes it an attractive target for cyber criminals.
So what threats do ERP systems face and what can enterprises do to defend against them? We spoke to Kellie Synder, CCO of Onapsis, to find out.
BN: Why have ERP systems become such attractive targets for cybercriminals and how have these threats evolved since the 2018 warning from CISA?
KS: Well, ERP systems have really always been attractive targets for cybercriminals. They're the crown jewels of the organization. Why? ERPs serve as the business foundation for many large organizations, centralizing and managing critical business processes, sensitive data, and financial transactions. This makes them a one-stop-shop for cybercriminals seeking valuable information or the ability to disrupt an organization's operations. ERPs offer cybercriminals a treasure trove of lucrative personal and financial data, which can be sold on the dark web or used for identity theft, fraud, or extortion.
When I say they've always been attractive targets, the next question is 'well, what’s different now?' First and foremost, businesses are accelerating their plans to migrate their ERP systems to the cloud for scalability and convenience. This places these critical systems outside of the traditional defense-in-depth security layers, opening up new attack vectors, and fundamentally changing the attack surface calculus for organizations.
Since the 2018 warning from the Cybersecurity and Infrastructure Security Agency (CISA), we have seen an eruption of threats targeting ERP systems that are more sophisticated than in prior years. Cybercriminals have access to ERP programming languages and protocols via cloud tools and consequently have created more advanced exploits to target complex ERP systems. By pairing this with traditional tactics, techniques and procedures frequently used in the wild, such as spear-phishing, zero-day exploits, and supply chain attacks, these threat actors can piece together a pretty advanced attack campaign to gain access to critical systems to disrupt business operations or drop a malicious payload such as ransomware to hold an organization hostage.
BN: What are some of the most common ERP security challenges that organizations face when protecting their data?
KS: Like other software, ERP applications are susceptible to vulnerabilities and require continued maintenance to apply necessary patches. However, several challenges often hinder organizations in this regard, including intricate system architecture, when to schedule downtime for patching, numerous integrations, and a lack of ERP security knowledge to aid prioritization. Arguably, the sheer size and complexity of securing the ERP landscape for a Fortune 50 organization can be overwhelming. These critical ERP systems encompass a wide array of components, with complex business processes, workflows, and data warehousing -- all interconnected with numerous other IT applications both inside and outside the organization.
This inherent complexity obscures true visibility into these interconnected applications, making it challenging to ascertain which vulnerabilities should be addressed first and how to confirm that patching or compensating and mitigating controls have been applied effectively to reduce security risk. These combined challenges make it difficult for ERP customers to keep pace with security vulnerabilities and maintain overall secure configurations. Unfortunately, this means that numerous organizations aren't fully securing their ERP applications effectively, and we can see the inevitable end result from all the news stories about cyber incidents, breaches, and ransomware.
BN: What are the potential consequences of a successful cyberattack on an ERP system?
KS: A successful cyberattack on an ERP system can have devastating consequences for a company, both in terms of financial losses and damage to its reputation. Firstly, there are, of course, the direct costs associated with the attack, such as expenses related to the forensic investigations, system restoration and potential ransom payments in the case of ransomware attacks. Depending on the scope of the cyber incident, companies may also face regulatory fines and legal liabilities, especially if sensitive or personal data is compromised, as they must comply with data protection laws and, if a public company, the newly released SEC reporting regulations on cyber attack incidents and impacts.
The compounding indirect financial losses can be even more significant. ERP systems are central to business operations, and a disruption can lead to downtime, decreased productivity, and missed opportunities, resulting in revenue losses. Moreover, a compromised ERP system can lead to fraud or financial manipulation, which may go unnoticed for a considerable period, resulting in further financial losses. Additionally, speaking of regulatory bodies, the SEC released new rules this year regarding material incident reporting for companies that are publicly traded on US indices. The data’s pretty straightforward with how the market perceives these incidents; stock prices plummet, and a massive percentage of a company’s valuation can be wiped in the blink of an eye.
And then there’s the damage to a company's reputation which can be equally, if not more, damaging. Customers and partners may lose trust in the company's ability to safeguard sensitive data and deliver secure services. News of a breach spreads quickly, leading to negative media coverage and public scrutiny. A tarnished reputation can lead to a loss of customers, eroded brand value, and long-term damage to the company's competitive position.
BN: How has the landscape of ERP security evolved to address the growing threat from cybercriminals, and what steps should organizations take to stay ahead of these changing threats?
KS: We've seen a real shift in approach from CIOs and CISOs over the past few years. Organizations recognize that they can no longer depend as heavily on past defense-in-depth security investments to protect these critical applications. That last layer -- that business-critical application layer -- needs to be protected, and organizations are getting more proactive in their strategies to safeguard their ERP systems. First, there has been a heightened emphasis on user access controls and privilege management, limiting access to ERP systems to only those who require it and continuously revalidating that access.
Secondly, ERP security has become more threat-intelligence-driven, with organizations actively monitoring the application landscape itself for emerging threats and vulnerabilities. Regular patching and updates are essential to address known vulnerabilities, as cybercriminals often target unpatched systems, so companies are investing in security and code vulnerability technologies to comprehensively identify and address this risk. Additionally, organizations look for more continuous threat monitoring that can connect into their security operations and are leveraging artificial intelligence to more easily identify and take action on anomalous behavior and potential security breaches in real time.
Finally, beyond risk-driven technology strategies, organizations should prioritize comprehensive cybersecurity training for employees, ensuring they are aware of phishing tactics and other social engineering techniques commonly used by cybercriminals to gain access to ERP systems. Regular security audits and penetration testing should be conducted to identify vulnerabilities and robustness of existing solutions, and incident response and business continuity plans should be in place to minimize a breach's impact. Collaboration with ERP vendors and security experts is crucial to staying updated on the latest threats and best practices. A holistic and adaptive approach to ERP security, encompassing both the technological and human aspects of cybersecurity, is essential to effectively counter this constantly evolving ERP threat landscape.