It is a commonplace that new trends (name any: cloud, mobile, big data or the Internet of Things) increase the attack surface. However, even widely known technologies can become a security pitfall once they come into hackers’ focus. For enterprises, ERP systems – the backbone of all key business processes and data – can pose a hidden danger.
Just 7 years ago, ERP security was viewed as segregation of duties only. That is, organizations worried about preventing cases where one employee was solely responsible for a task (simply put, one person has privileges to both create and approve a payment order). Much has changed since then – nowadays leading analysts mention ERP security as a topic to watch, and critical vulnerabilities and even proven attacks on such systems hit the headlines on a regular basis.
Nonetheless, the recent ERP Cybersecurity Survey 2017, conducted by Crowd Research Partners with the support of ERPScan, revealed that there is a lot of work left to do in this field, as organizations using ERP still lack both awareness and, as a result, concrete actions to secure it.
For example, among people who are engaged in ERP security, one in three hasn’t heard about any SAP security incident. Only a worrisome 4% of them know about an episode that resulted in a company’s bankruptcy – the USIS data breach, where an SAP vulnerability was used as the starting point of the attack.
The lack of awareness lies behind the fact that enterprises are falling behind on securing ERP systems – almost one-third of respondents haven’t taken any ERP security initiative yet and are going to address this area this year. Another reason is that it is still unclear who is in charge of ERP security and who will take responsibility if an ERP breach occurs: 43% of respondents think the CIO is responsible, while 28% believe it is the CISO’s duty.
Nonetheless, 89% of respondents expect the number of cyberattacks against ERP systems to grow, with 30% of security experts expecting a significant increase.
This comes as no surprise, given that such software stores and manages all the crown jewels of an enterprise, whose confidentiality, integrity, and availability businesses are concerned about: customer data (72% include it in their list of top concerns), employee data (66%), and emails (54%). Needless to say, this information can be a juicy target for hackers.
To make matters even worse, the damage from cybercrime against an SAP system is estimated at $5m, and the cost of fraudulent actions in particular can reach $10m.
The results of the survey are not surprising: the majority of enterprises are not prepared to address cyberattacks, as their attack surface is always expanding. There is no “one-size-fits-all” solution when it comes to cybersecurity – companies should prioritize assets based on how they affect the overall security posture and the business in general. And, unfortunately, despite their significant role, ERP systems often remain unnoticed in terms of security.