TECH INTELLIGENCE: A back door for hackers?

Listen to this article

Enterprise resource planning — a type of software that many organizations use to manage supply chain operations, accounting, procurement and other recurring business activities — can offer a lot of advantages. When an online order is submitted, an ERP system can automatically check the price, initiate a credit check, ensure the product is in stock and notify the appropriate department that schedules delivery. Once the order is filled, the system can send an invoice and coordinate record-keeping and inventory replenishment.

That’s all very helpful, but there are many security threats to ERP systems. They are often not recognized by customers, vendors that build and integrate the processes, or cybersecurity services and other partners that implement these solutions.

Because ERP systems typically sit on a cloud server and behind a firewall, business clients tend to think that ERP systems are resistant to penetration. But as attacks against ERP systems grow, it is clear that an effective intrusion detection and protection system should start at the front lines.

A well-designed frontline defense that incorporates organizational planning and security best practices will result in a digital “fence” that cannot easily be scaled. Security solutions can be bundled with services to develop a comprehensive ERP security configuration.

The basic concept involves layering multiple security controls across vulnerable entry points. A good starting point will include complex passwords that are securely stored and periodically updated, paired with multifactor authentication. Encrypting sensitive data will add another layer of protection.

One often-overlooked component of layered defenses involves Application Program Interfaces, which act as the middleman between the software and a program that requests data. APIs can add tremendous value to ERP programs but are frequently developed as a “bolt-on” product by third parties and as such may represent a security weak spot. A qualified IT support services provider, however, can review API security and will research such security issues as:

• Consistency: Are the API endpoints predictable and well-documented?
• Reliability: How often do the API endpoints experience downtime?
• Speed: Does the API respond to requests quickly or slowly?
• Security Protocols: Who can access the API, and what safeguards are in place to ensure the outside program complies with the user’s terms and conditions?
• Vendor Response: Does the API vendor report outages and scheduled maintenance to users?
• Access: Can the source and destination access be limited to a small set of IP addresses or connections?

An experienced IT support services firm can also review a business contract with an API vendor, scrutinizing it to discover the level of responsibility the vendor takes for security and other issues. An experienced IT support provider may also have working relationships with API developers, increasing the odds that the provider can suggest a developer that matches the needs of a business client.

An effective defense system will also include an additional fence such as Security Information and Event Management platforms that can detect threats before they can disrupt a business. A cloud based SIEM platform can aggregate log data to highlight incidents, events, and anomalies while streamlining user processes, increasing efficiencies, and reducing operational costs.

Data is the lifeblood of modern businesses — and ERP systems are where the data lives. So, businesses that implement ERP security best practices are supporting the safety of their data and making things more difficult for cybercriminals, while reducing the chances that a company’s systems will be breached.

Carl Mazzanti is president of eMazzanti Technologies in Hoboken.