Recent threat research from digital risk management firm Digital Shadows and ERP cybersecurity and compliance firm Onapsis confirms that the ERP solutions powering some of the world’s largest organizations are under attack, and that the threat might be worse than most CIOs and CISOs think. The problem is so bad, in fact, that the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has issued an official alert regarding these risks.
How Bad Is It?
Rick Holland, CISO and vice president of strategy at Digital Shadows, had this to say about the issue:
Threat actors are continually evolving their tactics and targets to profit at the expense of organisations. On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe the problem is.
Over the last three years, there has been a 100% increase in the number of publicly available exploits for SAP and Oracle ERP applications, and a 160% increase in activity and interest in ERP-specific vulnerabilities between 2016 and 2017 alone. New research has shown that, thanks to misconfigured FTP and SMB, 545 SAP config files were publicly exposed (and this is after CERT made us aware of a 5-year-old vulnerability in SAP in 2016).
What’s at Risk? (And from Whom?)
Attackers run the gamut from “hacktivists” and individual thieves to organized crime and nation-state affiliated actors, and the attacks organizations are suffering include DDoS (distributed denial of service) and theft of important data and personal details. Organizations are relying on products like SAP Business Suite, SAP S/4HANA, and Oracle E-Business Suite/Financials to run vital parts of their operations (payroll, inventory management, financial planning, billing data, intellectual property, personally identifiable information, etc.), all of which is valuable to thieves.
What Can I Do About It?
The biggest thing to keep an eye on is your ERP’s network security. Many of the vulnerabilities pointed out by CERT were related to files open to anyone who knew how to access them, no high-tech hacking required. If your company’s directory structure or IP address isn’t secure, you’re just asking for trouble.
Like a “Check Engine” light, major security vulnerabilities in your organization’s ERP aren’t going to just go away on their own. (That would be nice, though.) No, to ensure that the heart of your company’s business operations stays in good working order, you should consider a security audit with a knowledgeable and unbiased third party who specializes in your specific system.
At Surety, we know a thing or two about the importance of security when it comes to ERPs. Whether you’re talking about JD Edwards, Infor Lawson, SAP, or other systems, your ERP is vital to your business, and it pays to keep it protected. Our senior-level consultants will be able to take a deep dive into your system, figure out where your organization’s vulnerabilities are, and figure out how to patch them. Let’s get started.