The 10 most common ERP security issues and ways to fix them
Today’s digital landscape is as vulnerable as ever, and enterprise resource planning (ERP) systems in particular are exposed like never before. Kevin Beaver, independent information security consultant at Principle Logic, LLC, shares an article on TechTarget highlighting the 10 most common ERP security issues and the immediate actions IT teams can take to fix them.
- Unknown vulnerabilities. “The most common ERP security problem is IT and security staff not knowing what they don’t know. IT leaders must first gain a thorough knowledge of their company’s ERP security risks before taking any further action. Once they understand their organization’s unique threats, vulnerabilities and related gaps, they can take the proper steps to minimize exposure and limit the effects when a security incident does occur.”
- Missing software updates. “Workstations and servers that are part of the ERP system are often missing needed software updates. Lack of updates can lead to anything from ransomware infections to denial-of-service attacks to full remote unauthenticated access. IT teams must regularly update software and implement security patches, including a formal patch program, even though doing so might lead to critical systems experiencing system outages and downtime.”
- Weak ERP authentication. “At a minimum, ERP authentication should be as strong as internal domain account controls. This standard usually isn’t met if the system is simply using unique credentials. IT leaders must take action to strengthen logins where needed to avoid security problems, which can include unauthorized access and system downtime.”
- Web application-specific vulnerabilities. “Some web applications allow SQL injection and privilege escalation, and they possess business logic flaws that allow users to manipulate parts of the system, including aspects belonging to other parties in a multi-tenant setup. IT leaders must be aware of which applications include these potential problems and include all web-related components in ongoing vulnerability and penetration testing efforts.”
- Open network shares. “Certain ERP systems — usually older ones — require network users to have access to the ERP system folders. This practice is extremely unsafe and can lead to ransomware and unauthorized access for the casual user, or attacker, who is browsing the network. IT leaders should consider a software change if the company’s current ERP system mandates these permissions.”
- Lack of communication about security issues. “Employees must notify IT or other tech leaders immediately when an ERP security issue occurs. Employees might assume that IT and security staff are taking care of any issues, but IT and security staff may not even know about them.”
- Lack of incident response planning. “IT leaders must make a plan now to avoid scrambling during a crisis. Staff should practice incident response procedures through tabletop exercises and make ongoing updates as needed.”
- Lack of proper testing. “IT leaders can’t address ERP security issues if they don’t know about them. They must implement periodic and consistent vulnerability scans and penetration testing that go beyond IT control audits.”
- Unclear employee expectations. “A security committee should work alongside legal counsel and human resources to ensure employee computer usage rules are clear and that employees are well-trained on security issues, acting as part of the team rather than working against it.”
- Lack of ongoing education for technical staff. “Tech staff must stay up to date on the most common ERP security issues as those issues grow and change and must understand the latest security concepts and practices.”
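The web application issues in the list above (SQL injection and business logic flaws that expose another tenant's data in a multi-tenant setup) are easier to recognise in code than in prose. The following is an added example, not code from the article or from any ERP product: it uses Python's built-in sqlite3 module and a constructed `invoices` table shared by two hypothetical tenants (ids 100 and 200), and contrasts a query built by string formatting with a parameterised query whose tenant filter comes from the server-side session rather than from the request.

```python
import sqlite3

# Constructed sample data (not from the article): one table shared by two
# tenants, as in a multi-tenant ERP deployment.
SAMPLE_INVOICES = [
    (1, 100, "acme", 250.0),
    (2, 100, "globex", 75.5),
    (3, 200, "acme", 999.0),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, "
        "customer TEXT NOT NULL, amount REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", SAMPLE_INVOICES)
    conn.commit()
    return conn


def search_invoices_vulnerable(conn, tenant_id, customer):
    """Before: user input is spliced into the SQL text. A quote character in
    `customer` rewrites the WHERE clause, so the tenant filter is bypassed and
    rows belonging to other tenants are returned."""
    sql = (
        "SELECT id, tenant_id, customer, amount FROM invoices "
        f"WHERE tenant_id = {tenant_id} AND customer = '{customer}'"
    )
    return conn.execute(sql).fetchall()


def search_invoices_hardened(conn, session_tenant_id, customer):
    """After: a parameterised query. The driver sends the values separately
    from the statement text, so they can never become SQL syntax. The tenant
    id is taken from the authenticated session, never from request data."""
    sql = (
        "SELECT id, tenant_id, customer, amount FROM invoices "
        "WHERE tenant_id = ? AND customer = ?"
    )
    return conn.execute(sql, (session_tenant_id, customer)).fetchall()


def get_invoice_hardened(conn, session_tenant_id, invoice_id):
    """Direct-object lookup that always scopes by tenant: an invoice id that
    belongs to another tenant yields None instead of that tenant's row. This
    is the business-logic check the article's multi-tenant point requires."""
    return conn.execute(
        "SELECT id, tenant_id, customer, amount FROM invoices "
        "WHERE id = ? AND tenant_id = ?",
        (invoice_id, session_tenant_id),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Classic tautology payload, used here only to show the difference
    # between the two query styles on the constructed data.
    payload = "x' OR '1'='1"
    print(search_invoices_vulnerable(db, 100, payload))  # all three rows, both tenants
    print(search_invoices_hardened(db, 100, payload))    # [] (payload treated as a literal)
    print(get_invoice_hardened(db, 100, 3))              # None (invoice 3 belongs to tenant 200)
```

The fix is not input filtering but separating data from statement text, and the same discipline applies to the authorisation check: every query that touches tenant-owned rows carries the session's tenant id as a bound parameter, which is something a penetration test of the ERP's web components should explicitly exercise.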