Stop me if you’ve heard (or spoken) this phrase: “All non-essential projects have been put on hold.”
To be fair, pausing large-scale IT projects (like a cloud ERP migration) in such an uncertain and unpredictable environment makes sense. If the project will take months to implement and it isn’t helping keep the lights on, it isn’t essential. Simple as that! But what is considered “essential” is often a matter of opinion rather than true importance.
A perfect example is ERP data security. When COVID-19 hit, many organizations began scoping enterprise security solutions like a VPN, which enables remote access – but only in the sense of creating an authentication point, not actually securing data. We touched on this more in a previous blog.
Enabling remote access with a VPN helps keep the lights on. But now that the lights are on (and will hopefully stay on), at what point do you consider the vast amount of data exposure that has emerged as a NEW risk vector as a direct result of remote access? This is the point where data security becomes essential.
Overlooked but Essential
ERP data security too often gets thrown into the “non-essential” project pile, with companies treating it as an afterthought regardless of the economic climate. Afterthought might be too harsh; perhaps they consider what they already have in place “good enough,” essentially deciding to go into completely unprecedented times with legacy technology. Such thinking will leave your data fully exposed to theft, fraud, and other forms of damage. Alas, if you don’t prepare for the future, the future is likely to be your downfall. This is why we think NOW is the perfect time to make ERP data security a high-priority (dare we say essential) project. Here are five reasons why.
1: Your ERP Data is Already Exposed
Just because your virtual front door is locked doesn’t mean there’s nobody in your house. Beyond the fact that user credentials (including VPN credentials) are routinely stolen, insider threats are one of the fastest-growing trends in data breaches, accounting for 34% of attacks in 2019, according to Verizon’s 2019 Data Breach Investigations Report. In addition, many insider breaches occur simply through insiders unintentionally misusing data. Without proper data security and monitoring protocols in place, it’s difficult to know whether users are leveraging their privileges to access sensitive information for legitimate or malicious purposes.
2: Remote Access and Data Security Should Be Synonymous
A remote workforce is nothing new, but not at the scale caused by the COVID-19 outbreak. The rapid scaling of remote access for critical business functions left many companies relying on conventional (but outdated) security technology, like a VPN, without considering that remote access means an expanded threat surface; the wider your threat surface, the more exposed your data is to risk. A VPN may leave you feeling like you shrank your threat surface, but you haven’t truly shrunk your level of risk. Today, the most devastating data breaches happen when credentials are stolen and/or insiders leak or expose data. In a remote access environment, credential and insider risks go up dramatically, and a VPN does little to mitigate them.
When allowing remote access to your ERP data, you need to monitor a variety of data points: Where is a user coming from? What data are they trying to access? What device are they using? Is that device being used by the right person? Cybercriminals know these systems are vulnerable and are stepping up attacks.
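The data points listed above can be turned into a simple context-aware access policy. The following is an added example, not code from the original post or from Appsian: it scores constructed ERP access events on source country, device enrollment and the sensitivity of the fields touched, then maps the score to allow, step-up authentication, or block-and-alert. The baselines, field classification, score weights and thresholds are all assumed values for illustration.

```python
# Added example (not from the original post): score remote ERP access events on
# the context the post says to monitor: where the user comes from, what data
# they touch, and whether the device is one enrolled for that user.
from dataclasses import dataclass

SENSITIVE = {"ssn", "bank_account", "salary"}   # assumed sensitive field classes
# Constructed per-user baselines: usual countries and enrolled device IDs.
BASELINE = {"jsmith": {"countries": {"US"}, "devices": {"dev-laptop-17"}}}

@dataclass
class AccessEvent:
    user: str
    country: str     # assumed to come from source-IP geolocation upstream
    device: str      # device identifier presented by the client
    fields: set      # ERP data fields the request touched

def score_event(ev: AccessEvent) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one ERP access event."""
    base = BASELINE.get(ev.user)
    score, reasons = 0, []
    if base is None:
        score += 3; reasons.append("unknown user")
    else:
        if ev.country not in base["countries"]:
            score += 2; reasons.append(f"unusual country {ev.country}")
        if ev.device not in base["devices"]:
            score += 2; reasons.append(f"unenrolled device {ev.device}")
    touched = SENSITIVE & {f.lower() for f in ev.fields}
    if touched:
        score += 2; reasons.append("sensitive fields: " + ",".join(sorted(touched)))
    return score, reasons

def decide(ev: AccessEvent) -> str:
    """Map the score to an action: allow, require step-up auth, or block and alert."""
    score, _ = score_event(ev)
    if score >= 5:
        return "block_and_alert"
    if score >= 2:
        return "step_up_mfa"
    return "allow"

# Constructed sample events: routine access, sensitive access from a known
# device, and sensitive access from a new country on an unenrolled device.
SAMPLE_EVENTS = [
    AccessEvent("jsmith", "US", "dev-laptop-17", {"name", "email"}),
    AccessEvent("jsmith", "US", "dev-laptop-17", {"ssn"}),
    AccessEvent("jsmith", "RO", "dev-unknown-9", {"ssn", "bank_account"}),
]
```

Calling decide() on the three sample events yields allow, step_up_mfa and block_and_alert respectively; the reasons list from score_event() is what you would write to the audit log.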
3: Data Security is Not as Costly as A Data Breach
According to IBM’s Cost of a Data Breach Report, the average cost of a data breach is $4 million. The average cost of a breach in the U.S. is $8.2 million – more than double the worldwide average.
The risks posed by a data breach extend well beyond the financial; they are operational and compliance-related as well. Then there are the difficult-to-quantify costs, including negative exposure and scrutiny for your brand and senior leadership.
4: Compliance Stakes Have Never Been Higher
Compliance mandates like SOX, GDPR, CCPA, and others require organizations to maintain details regarding data access, and place substantial liability on companies that are not taking appropriate measures to secure ERP data. Fortunately, organizations can improve compliance by implementing data security tools that respond to insider threats, minimize the direct damage caused by a breach, and reduce (or even void) penalties incurred by compromising customer data.
5: ERP Data Security is A Manageable Problem
An essential project need not be complicated or burdensome. In fact, this is one of the more manageable problems to solve, as adding data security doesn’t involve much change management, unlike a cloud migration project. The key is NOT to customize the application(s) but to seek solutions that are configurable. Customizations are not a quick fix: they are not scalable and place additional complexity on support down the line. Configurable solutions to these challenges exist – trust us!
Data Protection Can Help Keep the Lights On
You could argue that an ERP data security project isn’t going to help keep the lights on and therefore isn’t essential. We would say that any project that helps mitigate business and security risks by enhancing your ability to authenticate users, control access to data, and monitor and respond to potential threats is essential. And if that project can protect you from fines, theft, and fraud due to a data breach in the current work environment? That’s money you can use to keep the lights on.
Request a demonstration today to learn how Appsian can help you with your essential ERP data security project.
Representatives of the Open Web Application Security Project (OWASP) periodically release a top 10 list of known vulnerabilities that impact applications across a typical enterprise. Why is this so important? In today’s world, the common digital attack does not focus on network vulnerabilities, because networks no longer represent the wall or moat that protects an organization. Today, the bad guys are focused on applications.
With the advent of mobile and the connected economy, identity is the new perimeter. And identities live in applications. So, that’s what the attackers are targeting. And Enterprise Resource Planning (ERP) applications represent juicy targets as they are typically the user store of record for most companies. Names, addresses, SSNs, bank account numbers and other sensitive data are usually found in an organization’s ERP infrastructure.
Let’s talk about a couple of the top vulnerabilities recently identified by OWASP, and how they specifically relate to an ERP application:
Broken Authentication
Authentication encompasses the controls in place to ascertain the identity of an entity logging into an application. It is commonly confused with ‘authorization’, but authorization represents the controls in place to determine what rights and permissions an entity has in a system after it has been authenticated.
ERP systems, like all critical applications, rely heavily on controls around making sure that I am who I say I am when logging in.
Broken authentication is when those controls can be subverted, and it is pretty common due to the ineffective design and implementation of most identity and access controls. Session management is the backbone of most identity management solutions and is present in nearly all stateful applications. ‘Stateful’ just means that once I log in, I am able to traverse the application doing what I need to do without having to re-login every time I access a new page or component. The application ‘remembers’ me.
Attackers can use automated tools to detect broken authentication controls and gain access to an application, either by hijacking an existing session or by stuffing stolen credentials and dictionary-generated guesses into the login.
Many ERP systems are what we consider to be legacy applications and were designed and implemented when session management was not a huge concern due to the insular nature of their deployments (accessible only inside the network, etc.). This leaves them very vulnerable to authentication attacks.
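The session management the paragraphs above describe is where legacy ERP front ends tend to fall short. The following is an added example, not code from the original post or from any ERP product: a minimal server-side session store with the controls that keep “the application remembers me” from becoming session hijacking or credential stuffing: unguessable session IDs, rotation at login, idle and absolute expiry, binding to the client’s user agent, and per-account lockout. It assumes the password check itself happens elsewhere (password_ok), and the timeout and lockout values are assumed policy numbers.

```python
# Added example (not from the original post or any ERP product): a minimal
# server-side session store with the controls that make "the application
# remembers me" safe: unguessable IDs, rotation at login, idle and absolute
# expiry, binding to the client's user agent, and login-attempt throttling.
import hashlib, hmac, secrets, time
IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity
MAX_FAILED_LOGINS = 5         # per-account lockout threshold (assumed policy)

class SessionStore:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.sessions = {}      # session id -> record
        self.failed = {}        # username -> consecutive failed logins

    @staticmethod
    def _bind(user_agent: str) -> str:
        # Hash the client context so the record holds no raw UA string.
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def login(self, user: str, password_ok: bool, user_agent: str, old_sid=None):
        """Return a fresh session id on success, None on failure or lockout."""
        if self.failed.get(user, 0) >= MAX_FAILED_LOGINS:
            return None                      # locked: blunts dictionary attacks
        if not password_ok:
            self.failed[user] = self.failed.get(user, 0) + 1
            return None
        self.failed[user] = 0
        self.sessions.pop(old_sid, None)     # rotate: never keep a pre-login id
        sid = secrets.token_urlsafe(32)      # 256 random bits, unguessable
        t = self.now()
        self.sessions[sid] = {"user": user, "created": t, "last": t,
                              "bind": self._bind(user_agent)}
        return sid

    def validate(self, sid: str, user_agent: str):
        """Return the user for a live session, else None (and drop the session)."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        t = self.now()
        expired = (t - rec["last"] > IDLE_TIMEOUT or
                   t - rec["created"] > ABSOLUTE_TIMEOUT)
        # A stolen id presented from a different client fails the binding check.
        if expired or not hmac.compare_digest(rec["bind"], self._bind(user_agent)):
            del self.sessions[sid]
            return None
        rec["last"] = t
        return rec["user"]
```

In a real deployment the session id travels in a cookie flagged Secure, HttpOnly and SameSite, and the lockout counter should also be keyed on source address so one attacker cannot lock out every user.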
Sensitive Data Exposure
Legacy on-premise applications are notorious for not maintaining good data controls around the information they contain. The risk was typically viewed as minimal, because the only people that could access those applications were ‘trusted’ employees inside the network. ERP implementations typically fell into this category.
In my experience doing security assessments in years past, ERP systems were typically an asterisk in my final report as my customers were not willing to invest in the time or expertise needed to fully vet their security controls. The common rationale? It’s an inside application that is only accessible by a few individuals in Finance and HR.
In today’s world, many of those legacy applications, including ERP, have evolved into web applications that allow access from the internet. And, in many cases, that evolution has not been well-planned or architected. Patchwork code and sloppy implementations rushed to market to meet a need to become part of the connected world have led to a whole new attack space for bad actors.
What’s exposed? Attackers have discovered that many organizations’ keys to the kingdom are data stores, including ERP systems, which are not well protected and are now exposed to the world wide web, giving attackers a highway in. Whether it be financial data, personal information or private health data, attackers have new targets to go after.
Most of these applications are unable to implement the granular controls needed to control and monitor access to sensitive information. Companies have to start looking beyond the built-in security capabilities of these applications, capabilities that weren’t typically designed or implemented to deal with today’s connected world.
What Can Companies Do?
It’s time to take a different view of application security. Applications no longer exist behind network perimeters, managed by firewalls and other network-level protections. In today’s digital economy, companies are rushing to be able to exchange data with prospects, customers, employees and partners – regardless of how they’re accessing the application (mobile phone, tablet or desktop), and from where they are trying to access it (inside/outside the network, etc.).
Learn how Appsian can help protect against the risks associated with Broken Authentication, Sensitive Data Exposure and many of the other top application vulnerabilities identified by OWASP.