ERP-Management.de published a great article on ERP Cybercrime
Having worked in the ERP landscape with various ERP vendors, I know from the last 20 years that security is not really on the radar in most ERP implementations. There are always exceptions, of course, with companies that do take IT security very seriously, and let me tell you this: ERP implementation consultants hate that security scrutiny.
And why? Simply because they cannot move as fast as they wish (or fear being hindered) in their jobs. The reality is that ERP security is a trade-off. On the one hand, the implementation is managed and budgeted, has a schedule, and its tasks are to be completed as quickly as possible (the PROJECT MANAGEMENT view). On the other hand, you cannot implement an ERP system and leave systems behind with the doors wide open, exposing the new ERP customer to vulnerabilities he is not even aware of, and how could he be? (the PROJECT GOVERNANCE view).
What is important from the ERP CUSTOMER's perspective?
When customers buy or move to a new ERP platform, they have done their due diligence on the implementation partner. It could be the OEM, but very often it will be a proven partner specializing in implementations, either from a technical point of view (focusing on project management and governance, data migration, data cleansing, cloud implementations) or from a business point of view (focusing on the projected benefits, change management adoption, business process efficiency). The best projects always have both on the radar. What it means is that customers, when selecting their implementation partner(s), expect to be professionally guided. The implementers are supposed to be the experts, and the customers pay a dear sum of money for that expertise. It is very reasonable to assume that customers want you to take security seriously, and very seriously while you are at it.
So in your running project(s), who is responsible for ERP security? What is your implementation advice when it comes to log files? We have heard and seen it all too many times: "Let's deactivate that, because it will take storage capacity and it has a negative impact on performance." So the advice to the customer is really to run the systems blind, for the sake of a few dollars of storage cost or CPU power, on systems that are generally oversized anyway.
What can ERP customers do to protect themselves much better?
Ask the right questions about ERP Security when you are selecting or scoping the ERP project. Questions about:
- ownership of the topic on the customer side (is it the CIO, the CISO, the ERP team, or the ERP admins?)
- monitoring: who will actually do it, to what extent will the logs be monitored, and do we have a process for that?
- automation: should monitoring not be automated (you are talking about an automation project altogether)? If you have the process, why not make it much more efficient?
- what are the threats we can logically think of? Is it only those external custom-code developers and their code quality? Or should we take a much deeper look at segregation of duties, roles and authorization concepts?
Start by reading the article in the ERP magazine by ERP-Management.de: Click here!
Did your implementation get rushed to the go-live date?
Do you fear people may have taken shortcuts?
Did you implement your ERP years ago, when cybercrime hardly existed?
Do you want to know where your current risks are?
Are you planning a move to the cloud with your ERP? And does the cloud provider take the system "as is"?
Then you are ready for your Security Maturity Assessment for SAP®!
Talk to us about the possibilities of such a Security Maturity Assessment.
Want to learn more? Contact us here!
We are here for you. SAFELY ENABLING YOUR SAP® BUSINESS