How can you prevent common cyberattacks on ERP systems?

It is common practice to implement support packages or upgrades implementing te last one minus one (n-1) so functional improvements are a bit more mature. But in terms of security, it is always recommended to implement always the latest patch in your ERP system. This in addition to have updated ERP’s satellite systems and appliances security measures implemented and updated.

Attacks on business critical applications such as ERP, can seriously cripple the ability of a business to operate. From my experience, there are lots of businesses that would like to "spare money" on such things like software updates and upgrades, in case they are performed by vendors or external parties. In essence, the practice of keeping a secure environment amongst a myriad of other activities, includes keeping up to date with vendors guides and directions for software lifecycle management.

One major solution to prevent common cyberattacks on ERP systems is to keep your software updated as recommended by your ERP vendor. If your implementation is more chocolate than vanilla, you must assess and ensure that the ERP software customizations do not make future software updates too complex or time-consuming.

I would like to underscore the paramount importance of the partner you choose to accompany you during the ERP implementation process. While critical aspects such as software updates, proper configurations, and password management have been rightly highlighted, we must not underestimate the pivotal role your partner plays in this journey. Selecting a robust ERP implementation partner is a strategic decision that goes beyond mere software installation. This partner serves as your guiding force in tailoring the ERP to your organization's specific needs. Their ability to deeply comprehend your business processes, customize the system, and provide ongoing support is indispensable for long-term success.

As a matter of best practice regular external penetration tests should be done by independent parties. Vulnerabilities should be prioritized and addressed. In addition to that, consider: 1. Links to external partners should be initiated from YOUR side. 2. Educate your programmers as to best practice to avoid code vulnerabilities 3. Put a quality control process in place prior to releasing code changes into production. 4. Control what software users have access to on their local computers 5. Educate the user community as to how to spot and avoid external scams. 6. Use “fake” scams and track user access. Retrain. 7. Keep fresh back ups of all systems 8. Stay current on all patches (minus 1). 9. Use STRONG passwords and MFA 10. Pray!

Consider deploying a zero trust framework, user profiles should be developed in terms of what access they need to what transactions to perform key parts of their role, during scoping and awareness sessions with experienced consultants. Access can be given in an open ended manner, but for example, should a sales administrator have access to sensitive supplier data. Unintended changes can happen too, if there are inappropriate controls and a lack of governance to master records, customer, vendor, pricing. Financial information including banking details can be manipulated by malicious end users to redirect payments for instance. Periodic review of who is doing what role, with HR records ahould occur as staff may leave or change roles.

To prevent common cyberattacks on ERP systems: 1. Regular Updates: Keep ERP software and systems up-to-date with security patches. 2. ERP Security Features: Utilize built-in security features and configurations. 3. Access Control: Implement strong user authentication and restrict access based on roles. 4. Employee Training: Educate employees to recognize and avoid social engineering attacks. 5. Security Training: Provide cybersecurity training for staff. 6. Data Encryption: Encrypt data transmission using secure protocols. 7. Monitoring: Implement continuous monitoring and anomaly detection. 8. Segregation of Duties: Enforce policies to separate transaction creation and approval.

Configuring ERP systеm sеttings mеticulously is pivotal in avеrting cybеrattacks. Follow thеsе stеps: 1. Adhеrе to bеst practicеs and guidеlinеs providеd by your ERP vеndor and sеcurity еxpеrts. 2. Tailor sеttings to align with your businеss nееds and stringеnt sеcurity rеquirеmеnts. 3. Scrutinizе and optimizе usеr rolеs, pеrmissions, and authеntication protocols. 4. Implеmеnt robust nеtwork accеss controls and firеwall configurations. 5. Enforcе еncryption for data protеction and еstablish comprеhеnsivе logging, auditing, and backup mеchanisms. By diligеntly configuring thеsе sеttings, you fortify your ERP systеm against vulnеrabilitiеs and potеntial cybеr thrеats, еnsuring its intеgrity and sеcurity.

Few things to consider as below: - Develop a structured patch management process to promptly apply security updates. - Be cautious when integrating third-party applications with your ERP system, as they can introduce vulnerabilities. - Continuously monitor system logs for unusual activities and set up alerts for potential security incidents. - Isolate your ERP system from the public internet, use firewalls, and employ intrusion detection and prevention systems.

According to IDC and Stackoverflow, 33% of organizations worldwide have experienced a ransomware attack or breach 4 Millions global positions that cannot be filled due to the cybersecurity talent shortage 82% of data breaches involved the “human element”

Introduce strict policies from a HR perspective to prohibit password sharing amongst staff. Encourage password complexity and expiration roles that are suitable for your operation and staff. If customer service or purchasing staff for instance use the ERP daily, it is reasonable to set a policy of 45 days for password validity. Disable accounts after 90 days w/o login. Popular ERPs such as Microsoft D365 and SAP are now introducing both SSO and MFA (Single sign on and Multifactor Authentication) apps like MS authenticator have biometric capability. This reduces administrative complexity for IT departments and helps users with ease of legitimate access whilst preventing abuses purely based off leaked passwords or lost hardware.

Good suggestions for manual logins. The security will be further strengthened if Single Sign-On will be used with Multi Factor Authentication

One of the things I have found helpful is a system-wide automatic password reset and prompting users to change their passwords periodically. Also, creating rules for acceptable passwords.

With so many systems /devices now in use by an employee in a company, in addition to ERP, implementation of Single Sign On will greatly help in having strong passwords. The end user needs only one password for the ERP and other major systems, hence would easily remember a complex password. Also, with Multi Factor Authentication, one can prevent misuse of access particularly in case of senior executives and their secretarial staff. Password security needs to be part of HR policy, for full compliance by all.

Consider the use of antimalware services on your email platform such as SpamTitan. Highlight an example of a phishing email, and have a formal way of reporting suspicious items, and have a false negative one to see if users are caught out. For administrative roles or field roles with a delegation of authority of spend, access to sensitive customer or vendor information Ensure that ERP access is part of their induction plan, and removing or change access when offboarding if they leave or move roles. Key processes may be mapped internally and access should be places to those suitable responsible and trained in the system. Enhancements to transmission of invoices including email encryption, supplier gateways can reduce some phishing.

How can I help improve security? Heading straight to the point, below a few rules that every SYSADMIN, Team Leader or Security Consultant mustm start using in any environment handled or supporte by them: Only Connect With Secure Wi-Fi Networks External Connectivity: Site-to-Site VPN and Fast Connect BYOD Policy Private Docker Image Repository (OCIR, Docker Hub, etc) Policy rules to restrict who can push or pull WAF IAM Multiple Layers of authentication.

Usually having a monitoring system is an expense people try to avoid but this is a case when we usually regret when we have to troubleshout a serious issue or a problem. Having trustable logs, dashboards and monitoring services can be very helpfull to unsure the continuity of your business.

Firewalling and open only needed ports to the ERP system. Could also implement Access control to only users / interface systems needed to the ERP.

Periodically clean your ERP data. Expire user accounts which have not been used for x days Expire customer accounts not used in x financial years Expire vendor accounts not used in z months. Ensure that audit and change logs on sensitive information such as employees, vendors and pricing has custodianship with the appropriate business leader or head of department. Review access logs to transactions by functional area for outliers. Encourage blind audits on to the process, see if a new customer service person, has access to vendor records and audit from a negative gearing perspective. Consider reporting systems as part of any necessary audits that may be linked to the ERP but don't require the same access requirements.

Most of the time when we talk about cyber security , we just think about software and hardware. However, the most important aspect about security is the type of people that we have in our organization. I started my journey as an instructor (professor) teaching ethical hacking, and I always found companies buying fancy systems that make people work more difficult; hence, people start sharing passwords or not checking security in the right way. My best advice is "know your people", and "train your people".

Elevate your ERP security with quirky twists: 1. Funky File Names: Give files zany aliases to befuddle hackers and safeguard your data's identity. 2. Password Shenanigans: Swap login fields or use emoji-based passwords – playful yet surprisingly secure. 3. Puzzling Error Messages: Craft error messages as riddles, granting access only to the sharpest minds. 4. Dance to Authenticate: Introduce dance-based biometrics – hackers can't mimic your moves. 5. Haiku Passwords: Transform passwords into poetic haikus, adding an artsy layer to your defences. Unconventional? Yes. Effective? Absolutely!

Besides regular IT controls in daily operation, Perform a Penetration Testing Annually for the application, which could be helpful to investigate the vulnerabilities systematically. Bring back to life, DO YOU NEED AN ANNUAL CHECK UP in hospital.