Is your ERP opening the door to cybercrime? A five-point guide for protecting your enterprise
Organizations are turning to modern ERP systems in response to pressure for greater transparency, advanced business reporting, enhanced customer experiences, and the need for improved organizational efficiency and effectiveness. Mid-market enterprises are poised to dominate the ERP market by 2030 as they look to increase operational efficiency and reduce production costs.[1] Yet as organizations harness the power of centralized data, they become more valuable cyber targets. ERP adoption and integration means larger numbers of users with authorized access to a wider scope of richer data. For cybercriminals, that data is pure gold.
Cybercrime cost U.S. businesses more than $6.9 billion in 2021[2] -- and while Fortune 500 hacks make headlines, 41% of all data breaches now involve small and medium businesses.[3] Simple fraud has been overshadowed by ransomware, malware, and phishing attacks capable of causing business interruptions, shutdowns, and damage to corporate brands and the bottom line. Between 2019 and 2021, the number of ransomware complaints reported to the FBI jumped 82%.[4] In 2022, ransomware attacks have already breached the data and health information of millions of U.S. patients;[5] disrupted operations at manufacturing plants;[6] and revealed sophisticated criminal enterprises that are more tech-savvy and better-funded than most IT departments.[7]
Understanding all of the risks can be daunting for teams already facing the complex, intensive process of implementing an ERP system. The good news? Whether you’re transitioning from a legacy system, changing ERP platforms, or migrating to the cloud, an implementation presents an opportunity to take a proactive approach to minimizing cyber risk for your organization. The key is to put enterprise security at the forefront of your planning and preparation. The following guidelines can help you get the most out of your technology investment while protecting your company’s valuable data.
1. Address security from the start
While most top-tier ERP platforms offer an array of "application controls" as part of their configuration options, those controls must be designed deliberately to fit your overall business control processes. Too often we see these controls, and the design steps they require, ignored or misused during implementation. Overwhelmed ERP project teams, under pressure to meet project deadlines, may turn controls off, weaken them, intentionally bypass them, or configure controls so restrictive that the organization cannot run its business effectively.
Challenges can also appear down the road if ERP teams don't think through and implement proper segregation of duties during system setup (for example, the same user should not be able to both create a vendor record and release a payment to that vendor). Once an ERP implementation is over and time passes, going back to revisit controls and retrain staff becomes arduous. Instead, make it a priority from the start to identify how the ERP provider's security templates should be tailored to your organization. Mapping business processes for individual departments, sometimes down to the user level, may seem time-consuming during the ERP planning phase, but it prevents rework once the system is live. Depending on the scope and complexity of your business processes, a project management office (PMO) can help ensure the right security controls are in place, conduct testing, and establish go-forward governance practices that proactively minimize risk.
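As an added example (not code from the original article), below is a small segregation-of-duties check of the kind an implementation team can run against its role design before go-live, both as a report over existing assignments and as a preventive check before a new role is granted. The role names, permissions, user assignments and conflict rules are constructed for illustration; a real check would read them from the ERP's own role and authorization tables.

```python
"""Segregation-of-duties (SoD) conflict check for ERP role assignments.

Added example, not from the original article. Roles, permissions, users and
conflict rules are constructed; replace them with exports from the ERP.
"""
from collections import defaultdict

# Hypothetical ERP roles and the transaction-level permissions each one grants.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"invoice.approve", "payment.release"},
    "PROCUREMENT": {"po.create"},
    "RECEIVING": {"goods.receive"},
    "SYSADMIN": {"role.assign", "user.create"},
}

# Toxic combinations: holding both permissions lets one person complete a
# fraud end to end (e.g. create a fictitious vendor and pay it).
SOD_RULES = [
    ("vendor.create", "payment.release", "create vendor and release payment"),
    ("invoice.enter", "invoice.approve", "enter and approve own invoice"),
    ("po.create", "goods.receive", "order goods and confirm receipt"),
    ("role.assign", "payment.release", "grant own access and release payment"),
]

# Constructed user-to-role assignments, including the classic go-live shortcut
# of giving one person every role in a process so the deadline is met.
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_MANAGER"],
    "carol": ["AP_CLERK", "AP_MANAGER"],
    "dave": ["PROCUREMENT", "RECEIVING"],
    "erin": ["SYSADMIN", "AP_MANAGER"],
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Detective check: {user: [(perm_a, perm_b, description), ...]} for every
    user whose combined roles grant both sides of a conflict rule."""
    findings = defaultdict(list)
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        for a, b, desc in rules:
            if a in perms and b in perms:
                findings[user].append((a, b, desc))
    return dict(findings)


def new_conflicts_from(current_roles, new_role,
                       role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Preventive check: the conflicts that granting new_role would introduce
    on top of what the user already holds. Run before provisioning."""
    before = sod_conflicts({"_": list(current_roles)}, role_permissions, rules).get("_", [])
    after = sod_conflicts({"_": list(current_roles) + [new_role]},
                          role_permissions, rules).get("_", [])
    return [c for c in after if c not in before]


if __name__ == "__main__":
    for user, hits in sorted(sod_conflicts(USER_ROLES).items()):
        for a, b, desc in hits:
            print(f"{user}: {desc} ({a} + {b})")
    print("would adding AP_MANAGER to alice conflict?",
          new_conflicts_from(USER_ROLES["alice"], "AP_MANAGER"))
```

Running the detective check on the constructed assignments flags carol (two conflicts), dave and erin, and clears alice and bob; the preventive check shows that granting alice AP_MANAGER would introduce the same two conflicts carol already has, which is the point at which a reviewer should either refuse the request or document a compensating control.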
2. Consider third-party risks
As technology enables a broader, more complex ecosystem of suppliers and service providers across geographies and industries, organizations are taking a closer look at third-party cybersecurity practices. The implications for your ERP are two-fold. First, consider your own organization’s external partners as you design your controls. Ask yourself:
- What access will financial firms, vendors, and suppliers have to your ERP system?
- What internal controls will you put in place to monitor this third-party access?
- What new requirements will you enforce to protect your organization’s data?
Second, consider the ramifications on your own role in the supply chain. Gartner predicts that by 2025, 60% of organizations will use cybersecurity risk as a significant determinant in deciding which businesses and third parties they engage with.[8] How well you establish effective controls during your ERP implementation today is likely to have a direct impact on your ability to sell your services to other organizations in the future. It's a ripple effect that reinforces the need to prioritize security as you adopt or upgrade your ERP system.
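An added example (not code from the original article) of the monitoring control the second question above asks about: reviewing ERP audit-log entries for third-party accounts against the access each partner was contracted for, and flagging anything outside that scope, outside agreed hours, or from an account nobody registered. The log line format, the ext_ naming convention for third-party accounts, the partner scopes and the sample lines are all constructed assumptions; a real review would use the ERP's own audit-log format and the organization's vendor-access register.

```python
"""Third-party access review over ERP audit-log lines.

Added example, not from the original article. The log format, account naming
convention, partner scopes and sample lines are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Assumed audit-log line shape (constructed):
#   <ISO-8601 UTC timestamp> user=<account> module=<module> action=<action> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+module=(?P<module>\S+)\s+"
    r"action=(?P<action>\S+)\s+src=(?P<src>\S+)$"
)

# Assumed convention: every external partner account is prefixed ext_.
THIRD_PARTY_PREFIX = "ext_"

# Hypothetical vendor-access register: what each partner is contracted to do,
# and the UTC hours during which that access is expected.
THIRD_PARTY_SCOPES = {
    "ext_acme": {"modules": {"AP"}, "actions": {"invoice.view", "invoice.enter"},
                 "hours_utc": (7, 19)},
    "ext_bank": {"modules": {"TREASURY"}, "actions": {"payment.status"},
                 "hours_utc": (0, 24)},
}

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2024-03-04T09:15:02Z user=ext_acme module=AP action=invoice.enter src=203.0.113.7",
    "2024-03-04T02:41:10Z user=ext_acme module=AP action=invoice.enter src=203.0.113.7",
    "2024-03-04T10:05:33Z user=ext_acme module=AP action=payment.release src=203.0.113.7",
    "2024-03-04T11:20:00Z user=ext_acme module=HR action=employee.view src=203.0.113.7",
    "2024-03-04T12:00:00Z user=ext_globex module=AP action=invoice.view src=198.51.100.9",
    "2024-03-04T12:30:00Z user=jsmith module=AP action=invoice.approve src=10.0.0.5",
    "2024-03-04T03:00:00Z user=ext_bank module=TREASURY action=payment.status src=192.0.2.44",
]


def parse_line(line):
    """Parse one audit-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def review_third_party_access(lines, scopes=THIRD_PARTY_SCOPES):
    """Return a list of (finding_kind, account, detail) for third-party activity
    that falls outside the register. Internal accounts are skipped here; they
    are covered by role and segregation-of-duties review instead."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", "", line.strip()))
            continue
        user = rec["user"]
        if not user.startswith(THIRD_PARTY_PREFIX):
            continue
        scope = scopes.get(user)
        if scope is None:
            # Access by an external account with no contract or owner on file.
            findings.append(("unregistered_account", user, line.strip()))
            continue
        if rec["module"] not in scope["modules"] or rec["action"] not in scope["actions"]:
            findings.append(("out_of_scope", user, f"{rec['module']}:{rec['action']}"))
        start, end = scope["hours_utc"]
        if not (start <= rec["ts"].hour < end):
            findings.append(("out_of_hours", user, rec["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for kind, account, detail in review_third_party_access(SAMPLE_LOG):
        print(f"{kind:22} {account:12} {detail}")
```

On the constructed sample the review produces four findings: an out-of-hours login by ext_acme, two out-of-scope actions by the same account (a payment release and an HR lookup it was never contracted for), and activity from an unregistered external account. Each finding maps back to one of the three questions above: what access the partner has, whether it is being monitored, and which requirement it breached.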
3. Don’t underestimate the power of human behavior
Even with a high-end ERP system in place, staff make dozens of decisions during the course of daily business that can unwittingly expose system data to malicious actors. Company culture (for example, expectations of sharing information with clients in the spirit of "customer service" or "transparency") often plays a role in these exposures. Many organizations are responding by raising the stakes and going beyond traditional awareness campaigns to strengthen security culture across their organization. Gartner predicts that in the next 3-5 years, 40% of cybersecurity programs will deploy behavioral principles such as nudge techniques, up from less than 5% in 2021,[9] and that more than half of C-level executives will have performance requirements related to cybersecurity risk baked into their employment contracts.[10]
An ERP implementation provides a significant opportunity to strengthen security culture across the organization. As you plan your controls, take a fresh look at the roles and behaviors of system users. If a breach does occur, are there out-of-system protocols and plans to run your business to prevent further damage and have those been tested? Considering the ramifications of human decision-making will help you design a stronger, more secure ERP system that protects your organization from itself.
4. Recalibrate your workforce needs
Technological advances are constantly making some skills obsolete while creating demand for others, and ERP implementations are no exception. In today's talent-scarce labor market, how do you build the right skills internally so that when your implementation partner leaves, your organization can stand alone? It's a growing concern that leaves security-focused executives feeling vulnerable. Nearly 60% of respondents to the World Economic Forum's 2022 Cybersecurity Outlook said they would find it challenging to respond to a cybersecurity incident due to the shortage of skills within their team.[11]
As we guide clients through ERP implementation change management, we advise that IT, operations, and HR teams come to the table and work together to ensure they're developing the right job descriptions, recruiting key skill sets, and retaining scarce talent to support ongoing ERP system security. This best practice applies even to cloud-based ERP systems. Although a cloud provider assumes responsibility for the underlying platform and the IT resources that maintain it, role design, user provisioning, and the configuration of application controls remain your responsibility, and the provider's staff don't have the day-to-day insight to adapt to changes in your internal priorities or to blend technical and business acumen. A cross-functional effort will increase your organization's ability to secure the right resources in a historically tight labor market.
5. Schedule (and budget for) ongoing updates to ERP controls
Cybersecurity is an iterative effort that will span the 10- to 15-year life of your ERP system. As your business changes and technology evolves, you'll need to expand system functionality, add or update modules, and respond to more sophisticated cyberthreats. Each time you do, you'll need to revisit and reevaluate your business controls and security practices. As you reassess your internal controls, remember to include talent in your risk assessment to gauge whether you have the internal skill sets to properly govern the ERP throughout its life cycle.
Reap the rewards and minimize the risks
The benefits of well-designed ERP systems far outweigh the security risks. The guidelines above can help you build effective controls that protect your organization right from the start, rather than simply reporting what went wrong when a security breach occurs. Focusing on controls during key ERP implementation phases can help your organization get the most out of your technology investment and provide additional confidence in the security, accuracy, and reliability of your organization’s data.