Data is the lifeblood of modern business — and enterprise resource planning (ERP) systems are where the data lives. ERP software integrates data and business functions across departments like finance, manufacturing, marketing, sales and more, presenting a juicy target for cybercriminals. And make no mistake: cyber attackers show no signs of slowing down since a 2018 warning from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) that they were making legacy ERP systems their top target.
In 2021 the average number of overall cyberattacks per company increased 31% year over year, according to an annual cybersecurity report by Accenture. In addition, 81% of nearly 4,750 CISOs who were surveyed by the global consultancy indicated they were in a “constant battle” to stay ahead of cybercriminals and that the cost was “unsustainable”.
So, if you’re managing an ERP system or planning to deploy one, understanding the most common ERP security challenges — and the best practices you need to defeat them — should be among your top priorities.
On-Premises vs. Cloud ERP Security
First, it’s important to know that ERP’s migration from on-premises systems to the cloud leads to changes in the key ERP security challenges and their solutions. It’s not so much that one ERP security challenge disappears and another emerges — though there is some of that. It’s more that the differences between on-premises and cloud ERP deployments cause shifts in emphasis.
Plus, when you go to the cloud, security best practices need to be distributed between the cloud provider and the business, with each taking on specific responsibilities. While this adds administrative complexity, it’s largely a good thing because few businesses have the resources or IT capabilities to deliver the high level of security, at scale, that cloud services provide. This typically includes high levels of physical security for their data centers, continuity/backup best practices and redundancy to protect against ransomware attacks, encrypting data in transit and at rest, machine learning algorithms that can detect inbound threats, and identity access management that includes multifactor authentication (MFA).
ERP Security Challenges
Cybercriminals exploit technology vulnerabilities, human vulnerabilities, or both. But the biggest breaches typically start with human error. Experts often cite an unwitting or, more rarely, malicious employee as the root cause in many headline-grabbing cybersecurity attacks.
Consequently, this list of top ERP security challenges references key security controls and business processes designed to prevent human errors that can lead to an ERP security breach:
1. Poor governance: In many organizations, security, data access and retention policies aren’t well-documented and, worse, aren’t fully enforced.
2. Access management: Technically a subset of poor governance, but probably the biggest cybersecurity challenge of all — ERP and otherwise — access management deserves its own entry.
3. Exposure: Organizations often feel that deploying cloud-based ERP is inherently less secure. This is due to the incorrect perception that one has more security control with an on-premises deployment than with a cloud deployment.
4. Shared responsibility: Distributing cybersecurity roles and responsibilities across your business and your cloud ERP provider adds a whole new dimension to security strategy and governance. For example, the ERP vendor generally implements cloud security controls for its infrastructure and applications, while its customers must implement controls for any data that flows in and out of the ERP system and for the employees who use it.
5. Fast-changing threat environment: Attackers are continuously evolving, but most organizations have static defenses.
6. Customization: When you extend your provider’s core ERP capabilities, regardless of where the system resides, you inevitably introduce new vulnerabilities.
7. Frequent software updates: While wonderful for the quality and usability of modern technology, frequent software releases can cause cybersecurity challenges in on-premises ERP systems because it’s hard to keep up to date — which leaves your ERP vulnerable to attack.
8. Continuously advancing attack vectors: Malicious actors are constantly leveraging new angles of attack. They evolve their strategy and game plan to stay one step ahead. Once an attack surface becomes well known, they switch to a new vector. Software vendors need to constantly adapt and evolve to keep up.
Best Practices to Beat ERP Security Challenges
Sound governance, including a comprehensive ERP security strategy informed by business-risk-based analysis, is an umbrella best practice. Tech managers in many small and midsize businesses think “governance” is a hairy and complex beast that applies only to large enterprises. But the core of it is simple, and it applies to companies of all sizes: It means you really know precisely how your technology supports your business objectives, you write clear policies that document how to get the best business boost from your technology, and you actually enforce those policies.
Consider each of the following ERP security best practices as elements of a well-documented, well-governed ERP security plan. Taken together, these practices address all eight ERP security challenges — but they don’t map to those challenges on a one-to-one basis. Instead, most address different elements of two or more challenges.
- Document your ERP strategy: Only with a comprehensive, well-documented ERP security strategy can you address all eight ERP security challenges. This practice directly addresses the “poor governance” challenge (No. 1) and should include clear definitions for how roles and responsibilities are shared between you and your cloud ERP provider (No. 4). For example, cloud providers’ distributed nature makes them good at defending against denial-of-service attacks, but you’ll need to watch for vulnerabilities introduced by your customizations.
- Know your ERP’s features and limitations: ERP is a complex software application. Being able to leverage the ERP’s built-in features to protect your organization and data against malicious vectors is critical. For example, if your ERP has MFA or IP address whitelisting capabilities, it’s important to leverage them and add an additional layer of protection. More often than not, administrators realize too late that had they known the existence of a certain capability, they wouldn’t have been breached.
- Third-party audits: Periodically reviewing your ERP vendor’s security posture and risk mitigation controls is a best practice. This will also indicate how much the vendor is willing to invest in the security and protection of your data.
- Restriction/administration: Whether your ERP is on-premises or in the cloud, you need to carefully control access to sensitive data. Effective governance should tell you what information is most valuable to the business (and therefore the most at risk) and who should have access to it. Role-based access with granular permission controls is essential for implementing Principle of Least Authority (POLA) when granting ERP access to your employees. In other words, employees should have access to only the information and functions they need for their jobs. The rest should be out of reach. Review employees’ access privileges each time they move to a new job within the organization. Consider allowing remote access to on-premises ERP only through a virtual private network (VPN) — which is simply an encrypted tunnel through the internet. Together with the next practice, these all address ERP security challenge Nos. 2 and 3, “access management” and “exposure”.
- Passwords: Employees sometimes push hard against good password hygiene. Push back harder — it’s a core best practice. Further, a single password is not enough to protect your company’s most sensitive information — MFA should be mandatory. In addition to access management, good password hygiene and MFA help limit your “exposure” — No. 3.
- Software updates: If you have on-premises ERP, tackle challenge No. 7 head-on by installing updates immediately. Delaying those updates will leave you open to attack. This also helps address the exposure challenge. If you use cloud ERP, you may not have to worry about this because your provider may update your software automatically.
- Integrations: Ensure that the latest encryption technologies are being leveraged to secure the transmission of data between your ERP system and any applications you integrate with it, or any customizations (No. 6) that extend its capability. This practice links to several challenges: It limits your exposure by plugging holes attackers might use to gain entry (No. 3), it protects your customizations (No. 6), and it helps ensure security when you connect new technology to your ERP (No. 8).
- Monitor threat intelligence: Constant vigilance is required to keep your ERP secure against challenge No. 5. Make someone responsible for staying current with the constantly evolving threat landscape, if possible, using “threat intel” from the major cybersecurity firms. Shared threat intelligence is considered a best practice. Some of the top shared threat intelligence platforms include Palo Alto Networks’ Cortex, Mandiant, and LogRhythm.
- Cybersecurity awareness training: Cybersecurity training for all employees can pay off. The reason is simple: Human error is the top cyber vulnerability, and well-trained humans make fewer errors. With the prevalence of phishing attacks and malware distribution, all users of your ERP need to be vigilant.
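The “Restriction/administration” practice above describes role-based access with granular permissions, least authority, and a privilege review every time an employee changes jobs. The following is an added example, not NetSuite’s code or any part of this article: a small Python model of those controls in which a user’s effective permissions come only from assigned roles plus explicit one-off grants, every check denies by default, a separation-of-duties check flags conflicting permission pairs, and a job move returns (and revokes) whatever the new role does not justify. The role names, permission strings, conflict pairs and users are all constructed for illustration.

```python
"""Toy role-based access model illustrating least authority in an ERP.

Added example; not NetSuite's code or API. All role names, permission
strings, separation-of-duties pairs and users are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical roles -> permissions. Each role grants only what that job needs.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "ap_clerk": frozenset({"invoice:read", "invoice:create"}),
    "ap_manager": frozenset({"invoice:read", "invoice:approve", "vendor:read"}),
    "payroll_admin": frozenset({"payroll:read", "payroll:write", "employee:read"}),
    "sales_rep": frozenset({"customer:read", "order:create"}),
}

# Permission pairs one person should never hold together (separation of duties).
SOD_CONFLICTS: list[tuple[str, str]] = [
    ("invoice:create", "invoice:approve"),
    ("payroll:write", "payroll:approve"),
]


@dataclass
class User:
    name: str
    roles: set[str]
    # One-off grants made outside any role; these are what tends to linger
    # after a job change and are the first thing a review should question.
    direct_grants: set[str] = field(default_factory=set)


def role_permissions(roles: set[str]) -> set[str]:
    """Union of the permissions granted by a set of roles."""
    perms: set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def effective_permissions(user: User) -> set[str]:
    """Everything the user can currently do: role permissions plus direct grants."""
    return role_permissions(user.roles) | set(user.direct_grants)


def is_allowed(user: User, permission: str) -> bool:
    """Deny by default: only an explicit grant (via a role or directly) allows an action."""
    return permission in effective_permissions(user)


def sod_violations(user: User) -> list[tuple[str, str]]:
    """Conflicting permission pairs the user holds, however they were accumulated."""
    perms = effective_permissions(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def review_for_role_change(user: User, new_roles: set[str]) -> set[str]:
    """Permissions the user holds today that the new job's roles do not justify."""
    return effective_permissions(user) - role_permissions(new_roles)


def move_user(user: User, new_roles: set[str]) -> set[str]:
    """Apply a job change: assign the new roles and revoke everything not justified by them.

    Returns the revoked set so it can be logged for the access review trail.
    """
    stale = review_for_role_change(user, new_roles)
    user.roles = set(new_roles)
    user.direct_grants -= stale
    return stale


if __name__ == "__main__":
    # Constructed scenario: an AP clerk with an extra one-off export grant moves to sales.
    alice = User("alice", {"ap_clerk"}, {"report:export"})
    print("alice may create invoices:", is_allowed(alice, "invoice:create"))
    revoked = move_user(alice, {"sales_rep"})
    print("revoked on job change:", sorted(revoked))
    print("alice may still create invoices:", is_allowed(alice, "invoice:create"))

    # Constructed scenario: a user who accumulated two AP roles and can now
    # both create and approve invoices, which the SoD check flags.
    bob = User("bob", {"ap_clerk", "ap_manager"})
    print("bob SoD violations:", sod_violations(bob))
```

Running the block prints the clerk’s pre-move access, the three permissions revoked when she moves to sales (her two old role permissions and the lingering direct grant), and the create/approve conflict for the user holding both AP roles. The two design choices worth carrying into a real ERP are that `is_allowed` has no implicit allow path, and that `move_user` treats direct grants as suspect rather than preserving them across a role change.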
How NetSuite Secures ERP
NetSuite ERP has run in the cloud since its inception in 1998, and the company takes application and operational security seriously, creating multiple layers of protection for your business. This includes encryption and role-based access controls, multi-factor authentication and token-based authentication for applications. NetSuite employs constant monitoring and is staffed by a dedicated, expert security team. NetSuite security also includes the company’s uncompromising stance and best practices around governance, risk and compliance. NetSuite is externally audited to SOC 1 Type 2 and SOC 2 Type 2 (SSAE18 and ISAE 3402) standards while maintaining ISO 27001 and 27018, PCI DSS and PA-DSS compliance.
Nothing in life is guaranteed, but using these ERP security best practices will make life harder for cybercriminals and reduce the chances they’ll breach your system.