Because ERP software is often a central and essential node of the computer system, ERP and security are subjects whose impact must be fully measured. Cyberattacks are making headlines in print and digital media. This is logical, since all the studies indicate that attempts at computer intrusion or hacking are multiplying and taking multiple paths and appearances.
Should we deduce that hackers and pirates of all kinds are becoming more numerous from year to year? Possibly, because the “digital native” generations have also brought their share of little “geniuses” eager to do battle with their malevolent counterparts and demonstrate their “abilities” (sic).
But it must also be seen as a statistical consequence of the digitization of the company and of society in general. Where a company used to have only a few more or less secure terminals or servers, today it has a multitude of smartphones, laptops, tablets, and various connected objects. Each of them is an entry point, and together they multiply the potential risks.
ERP And Security, First A Human Problem
It cannot be repeated enough: statistically, the main flaw in a computer system, and the main vector of malicious intrusions, is neither the infrastructure nor the software, but human negligence.
Or rather, if hackers manage to infiltrate computer systems and endanger the activity or even the survival of certain companies, they often owe it to bad practices, non-compliance with certain security rules, and behavior that is inappropriate or even prohibited.
Studies estimate that 80% of attacks occur as a result of “error” or human negligence. The Pentagon believes that “… if updates are important, minimizing human error is even more so. It is these errors made by network administrators and users (inability to correct vulnerabilities in old systems, incorrect configuration of parameters, non-compliance with standard procedures) that open the door to the vast majority of successful attacks.”
Applied at the scale of the ERP, this advice means putting simple but strict rules for ERP security in place during implementation and throughout the system's life, and ensuring that everyone observes them. This may seem relatively achievable, but as we pointed out in the introduction, the difficulty does not come from the ERP solution itself, nor from the infrastructure that hosts it (even if it is in the cloud). The heart of the problem lies in the multiple gateways that the terminals used to consult it, such as tablets, smartphones or laptops, can constitute.
Even more, it lies in the fact that the company will not necessarily face “real” attacks requiring extensive coding knowledge. The current trend in cybercrime is rather the growth of ransomware and phishing.
It is therefore enough for a terminal such as a smartphone to be infected by malware for a hacker to learn, for example, the access codes and the procedure for reaching your ERP, and then to get in by the quasi-“official” route. Alternatively, a skilfully executed phishing operation may take in one of your internal collaborators or partners, giving access to their machine. There too, hackers could find the codes, procedures, or means of access to your servers, and they will hardly have had to write the sophisticated code to which Hollywood has accustomed us.
ERP And Security: The Giants More Vulnerable Than The Small Ones?
If the threat is above all based on people, which companies are the most vulnerable? VSEs and SMEs have the disadvantage of not necessarily having the human resources for a security policy, but at the same time they have the advantage of a more closed or less extensive system, with fewer entry and consultation points.
Large enterprises will undoubtedly set up large-scale awareness programs, but will have to deal with large workforces and multiple locations, which are more difficult to control.
Another factor is the very nature of the ERP solution that will be used. One could logically think that an ERP solution from a national or sectoral publisher will be less secure because fewer resources went into its design. In reality, everything suggests the opposite: ERP and security are taken into account from the first functional building blocks.
Indeed, publishers of every size are now committed to securing their solutions. But the most widespread solutions face a problem of another order, similar to that of operating systems such as Windows or Android: the flaws that may exist (and any system is unfortunately likely to contain them) are sometimes publicized or even disseminated by hackers within their community. It thus becomes easier for them to attack a known solution, building on work already done by others. Some large-scale publishers have already paid the price.
In general, one of the most effective protective measures against a cyberattack targeting your company’s ERP is to clearly define, from the outset, who is in charge of the security of this solution, and to what extent. The proper distribution of tasks between the CIO (if there is one), the various IT managers and the publisher is essential, and will go a long way toward avoiding problems and minimizing them if they arise.