Seven steps to help protect your ERP system against cyberattacks
What would happen if your enterprise resource planning (ERP) system were attacked? For many companies, the consequences would be devastating. ERP systems not only contain the crown jewels of the business—customer data, stock levels, order entries, production plans, and contract data—they also manage such essential financial processes as order to cash (OTC), and operational processes such as production planning and steering and cash collection and payments. An ERP system is literally the operating system for the company, without which the company simply could not function.
While cyberattacks continue to be top of mind for executives, many may not fully appreciate how vulnerable their ERP systems are to such attacks. This could become a significant problem as evidence mounts of increasing threats targeting ERP systems.
Supply-chain attacks rose by 42 percent in the United States in the first quarter of 2021, impacting up to seven million people.[1] And security threats against industrial control systems (ICS) and operational technology (OT) more than tripled in 2020.[2] Hackers are becoming more systemic and discerning in their attacks, shifting from distributed denial-of-service (DDoS) attacks and encryption of databases toward disruption of productive systems, and the threat landscape will likely shift further. The German government published an annual report recently highlighting how the cyberthreat is shifting pronouncedly from the theft of data to the disruption of systems.[3] The US Department of Homeland Security has issued multiple warnings against cyberattacks targeting ERP systems.[4]
With these signs of increased threat levels, ERP businesses have invested in hardening and protecting their systems. But companies may still be vulnerable because of lack of focus, lack of sufficient resourcing, or lack of understanding about how best to address cyber issues. Some companies, for example, have put their main focus on ERP upgrades and cloud migrations, leaving fewer resources available to focus on cyber. Meanwhile, ERP skills are a scarce resource and usually cannot be replaced by general skills available in the IT organization. We have seen many companies reduce investments in maintaining existing ERP systems, including cyber protections, in preparation for their migration.
For companies upgrading their ERP systems, this could be the time to review policies and potentially upgrade security postures to counter cyberattacks.
Protecting ERP systems from cyberattacks has unique challenges
In our experience, one reason companies have not secured their ERP systems as thoroughly as they should is that the sheer size and complexity of the task is overwhelming. ERP systems consist of a wide array of elements, including process and workflow, master data and data warehouse, an underlying computational infrastructure, a large storage network—and dozens if not hundreds of interfaces and integration points with other IT applications inside and outside of the organization.
Exacerbating this complexity, companies often do not have global transparency into what’s actually happening in their ERP systems: what data is passing through, what interfaces there are with various other systems, and what transactions are happening.
Furthermore, ERP systems have interconnections between internal applications and external data sources and systems, such as a supplier’s supply-chain or logistics system. It may be difficult to understand the various dependencies, which means that protecting any single part of the system may not help, because each interconnection may be a vulnerability.
This interdependency issue is further compounded because the ERP group is often separate from the rest of the company’s applications and infrastructure teams. We often see it split between an operating team within IT and a process-design and process-maintenance team within a business unit, most often finance. This hybrid virtual team is often run like a silo within each organization, which creates yet more interfaces between the security team and the ERP team.
For these reasons, we find that many tech leaders are unclear about where to start and consider the target state dauntingly distant.
This article originally appeared on mckinsey.com.