This July, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) issued an alert that hackers would be increasing focus on Enterprise Resource Planning (ERP) systems. This warning is based on a report released by cybersecurity firms Digital Shadows and Onapsis which detailed research into the rate of attacks and communications of planned future attacks against ERP applications. The report also included evidence that “hacktivist” groups and nation-state cyber attackers were likely involved in these past breach attempts and would continue to pursue ERP systems as viable targets.
ERP software solutions that are not up-to-date or misconfigured are most vulnerable and are being targeted. Legacy ERP systems present several risks to organizations who continue to rely on them, including network security gaps resulting from outdated and unpatched software. Even legacy ERP systems that have been upgraded to integrate with new technology solutions can be exposed to threats. In fact, the report indicates that many outdated software solutions that have been improperly configured for cloud connectivity pose an even greater danger.
Here are the key points from the DHS’ warning to consider if you employ a legacy ERP system:
Legacy ERP Systems
The latest warning from the NCCIC included a reference to a prior warning the DHS had released concerning existing an existing vulnerability in SAP legacy ERP systems in 2016. Though this particular gap had already been patched in 2010, a previous report by Onapsis had found that it was still leaving areas of these legacy ERP systems exposed. The exposure would allow an attacker to remotely access this and all connected systems, giving complete control of the data and processes managed by the software.
The complexity and critical importance of ERP software unfortunately means that changes to the system can lead to operational disruptions depending on how it is implemented and deployed. Some administrators will choose to segment or delay updates to prevent downtime and process shutdown. Aging legacy ERP systems will already be falling behind on crucial patches, so this additional suspension of updates put ERP security at great risk. As the DHS warning demonstrates, these gaps may exist for years without providing any indication of their existence and delaying security software patches will only extend the danger.
Connectivity
Modern ERP systems are increasingly brought into the cloud by publishers to take advantage of the inherent benefits this technology provides. Cloud ERP software provides additional options for application and improvements in communication and data exchange. However, the permeability of cloud software which enables instant interaction also brings potential concerns for ERP security. Although cloud ERP systems still bring the same pitfalls as other networked technology, employing modern security solutions and not relying on traditional measures will ensure that you will not face the same dangers as you would with a legacy ERP system.
Proper ERP security measures will help safeguard cloud solution touchpoints that can be exploited by hackers but require effective best practices. This includes securing all Internet-facing devices that interact with the systems, such as personal desktops and mobile platforms. Smartphones and tablets provide an exploitable attack vector for hackers if they gain access to the device through a malware infection or physical interaction.
However, modern cloud ERP systems also provide the opportunity to remain constantly up-to-date with the latest security software. As long as connection to the hosted network is maintained, security patches will be downloaded as soon as they are released and installed at your discretion. Combined with this and proactive managed network services as well as enforced cybersecurity best practices, modern cloud ERP systems deliver a safer experience than traditional legacy ERP systems that are improperly for Internet-facing functionality.
Data
The primary concern in any network breach is how much data will attackers gain access to afterwards. ERP systems are designed to process, store, and manage critical operational data for an entire organization and a breach of an enterprise-level software solution will put all of this information at risk. Any hacker that finds a way past the external security settings of an ERP system has free reign to records and functions managed by the software.
There is an additional danger emerging for modern businesses within the finance and professional services industries, and which will likely affect virtually every organization with a digital presence in the future. Existing data protection regulations have been strengthened in response to repeated network breaches in recent years that place greater emphasis on safeguarding personal information and impose strict penalties on not doing so. The most comprehensive of these is the European Union’s General Data Protection Regulation (GDPR), yet there are emerging federal and state-level regulatory initiatives as well as trade organization best practices guidelines that are reflective of the GDPR’s requirements.
Cyber Attackers
The reason this latest threat to ERP software is being taken so seriously is the level of sophistication of the potential cyber attackers involved. Businesses using outdated legacy ERP systems will have to contend with both a larger volume of inexperienced cybercriminals utilizing resources traded on the Dark Web and other illicit forums, and veteran hackers seeking an easier target to exploit. Unsecured legacy ERP systems provide external operators with the ability to siphon data that would otherwise take greater effort to access.
Hacktivist collectives and nation-state cyber attackers also pose a danger as ERP systems provide the key to disrupting organizations and industries they are opposed to. Government-backed hackers have previously used private firms as vectors for stealing data from federal employees and experts predict that commercial businesses will increasingly become legitimate targets in escalating cyberwarfare campaigns. Manufacturers are particularly vulnerable targets as they have been found lacking in cybersecurity best practices and offer cyber attackers employed by foreign powers multiple opportunities to pursue their objectives.
ERP Security Requires Staying Up-to-Date on Your Software
Misconfigured or outdated legacy ERP systems create a serious gap in your network security. Legacy ERP software is not designed to face problems that are emerging in the present and the future, and thus will generate loopholes that will be exploited by determined attackers. To protect your critical data – including personal client information – you must upgrade to a modern ERP system.
Read more here to determine if now is the right time to upgrade your legacy ERP system.
Want to know more?