At a glance
ERP security is a strategic issue. If you do not keep your systems up to date, do not control access properly and work without functioning backups, you risk failures and data loss. Consistent security measures protect processes, ensure availability and maintain the ability to act in the long term.
As a study by Onapsis shows, 83% of DACH companies were victims of a ransomware attack at least once in 2023. For 62% of these companies, the cyberattack led to an ERP system outage lasting at least 24 hours.
In view of this threat situation, companies are well advised to focus more on ERP security. How are you doing with this? Have you already taken sufficient measures to
This article gives you an initial indication of where you currently stand in terms of ERP security. We show you which internal and external risks you should expect and which security precautions you should definitely take.
ERP security: What are the consequences of inadequate protection?
The ERP system serves your company as a central data and control platform that links all business areas together. Almost all business-critical processes therefore come together in the software – including financial accounting, human resources and customer and supplier management. The ERP system also contains important master data – such as contact persons and suppliers, as well as parts lists and work schedules.
Precisely because the ERP solution is so deeply integrated into all processes, it represents a particularly sensitive risk area. If a security incident occurs in the system, this can have far-reaching consequences for your business:
Interruption of critical business processes
A malfunction or failure in the ERP system can bring your production, logistics and administration to a standstill at the same time. Even with a good recovery strategy, it is not always possible to restore all data one hundred percent. This is often accompanied by duplication of work, production downtime and delivery delays. Financial losses are then unavoidable.
Unauthorized access to sensitive data
ERP systems contain confidential information: financial figures, personnel files, customer data, construction plans and much more. A successful attack on ERP software – whether by an internal or external attacker – not only causes economic damage. It often also has legal consequences.
Loss of confidence
Delivery failures and data leaks do not make a good impression on customers, partners or employees. If you neglect ERP security, you can expect reputational damage as well as the loss of important business relationships.
Reduced data integrity
If your business information is stolen or manipulated, your database is no longer correct. This can quickly lead to wrong management decisions and impair corporate management.
ERP security is therefore not just an IT issue, but an essential part of the corporate strategy. Decision-makers are responsible for ensuring the reliability and flawless functionality of the ERP system at all times. The basis for this is a sophisticated ERP security concept that prepares your company for emergencies.
“ERP security is therefore not just an IT issue, but an integral part of the corporate strategy.” – Steve Roth, Asseco Solutions
ERP security: what are the risk factors?
ERP cyber attacks
ERP systems are very often the target of cyber criminals. After all, this is where attackers find particularly valuable information. Ransomware attacks are among the most common ERP attack scenarios. The perpetrators encrypt your data and make your company vulnerable to blackmail. However, attacks using phishing emails are also commonplace these days.
Technical glitches in ERP
ERP systems are dependent on a stable IT infrastructure. If, for example, a central server fails, critical processes can no longer be executed. The incident does not have to be that serious: even a small database error can cause ERP security to falter, because in this case orders or production orders can no longer be processed.
Human error
Carelessness or a lack of knowledge on the part of employees can also pose a significant ERP security risk. Improper use of the software and operating errors have often had a noticeable impact on the entire process chain.
Lack of ERP access controls
If user rights are not clearly regulated, employees can access data and functions that are not intended for them. This increases the risk of misuse, manipulation or unintentional changes. ERP security is particularly at risk if employees who have left the company still have access to the system.
| Risk factor | Examples | Possible consequences |
| --- | --- | --- |
| ERP cyber attacks | Ransomware, phishing emails | Data encryption, blackmail, data loss |
| Technical breakdowns | Server failures, database errors, hardware problems | ERP failure, standstill of the entire operation, delivery delays |
| Human error | Carelessness, operating errors, lack of knowledge | Incorrect data, process errors, increased security vulnerability |
| Lack of ERP access controls | No clear regulation and/or no reliable maintenance of access rights | Unauthorized access to sensitive data, compliance violations, manipulation |
ERP security: 10 tips for a secure system
Due to the wide range of risk factors, it is a major challenge for the internal IT department to continuously maintain comprehensive ERP security. To ensure that your company is prepared for any eventuality, we recommend the following security precautions:
1. Establish an up-to-date IT infrastructure
Outdated infrastructures that have been in place for a long time pose a particularly great threat to IT security in the ERP system. Due to a
Modern technologies, on the other hand, protect you from external threats. The probability of a current ERP system with up-to-date security mechanisms being hacked is many times lower.
Heyligenstaedt Werkzeugmaschinen GmbH also recognized the risk of outdated systems. As the previous ERP version no longer supported modern operating systems and browsers, its continued operation was extremely insecure. The migration to a current APplus version was therefore also carried out for security reasons:
“The pressure to migrate to a modern solution was increasing for us, especially in light of the current threat situation from hackers and cyber criminals.” – Andreas Gramm, Head of IT at Heyligenstaedt
2. Take care of ERP updates and maintenance
If the infrastructure is up to date, regular updates are the top priority. As the Federal Office for Information Security (BSI) reports in its status report on IT security in Germany, an average of over 300,000 new malware variants are added every day. If ERP updates and patches are not applied promptly, cyber criminals can easily exploit vulnerabilities.
Even if you have sufficient internal resources, nothing beats a professional update service. Experienced specialists continuously take care of error-free software updates, significantly reducing your effort and risk. This is precisely the kind of service offered by premium services from Asseco Solutions. For a fixed fee, we ensure that your ERP system is regularly updated at short intervals. After that, all processes continue to run as usual – reliably and without disruption.
Last but not least, consistent maintenance of the ERP system is important. This ensures that interfaces, databases and server environments function smoothly. In this way, you maintain the reliability of the ERP operation and thus your company’s ability to act.
3. Establish access controls in the ERP system
Even if you have taken measures against offensive cyberattacks, hackers can still gain access authorizations in a roundabout way. Modern encryption methods and
It is also important to regularly check the rights and roles concept in the ERP system. You should revoke the access rights of departing employees as soon as possible.
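The review of rights and roles and the check for departed employees described above can be automated by reconciling an ERP account export against the HR roster. The following is an added example, not code from Asseco Solutions or APplus; the CSV layouts, role names, sample data and the `review_access` function are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from a real system): HR roster and ERP account export.
HR_ROSTER = """employee_id,department,exit_date
1001,finance,
1002,production,2024-03-31
1003,sales,
"""
ERP_ACCOUNTS = """login,employee_id,active,roles
a.meyer,1001,yes,finance_clerk
b.schulz,1002,yes,production_planner
c.wagner,1003,yes,sales_rep;finance_clerk
d.extern,1009,yes,sales_rep
"""
# Hypothetical role concept: which ERP roles each department may hold.
ALLOWED_ROLES = {
    "finance": {"finance_clerk"},
    "production": {"production_planner"},
    "sales": {"sales_rep"},
}

def review_access(hr_csv, erp_csv, today):
    """Return (login, finding) tuples for active ERP accounts that need attention."""
    roster = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(erp_csv)):
        if acct["active"] != "yes":
            continue  # already disabled, nothing to revoke
        person = roster.get(acct["employee_id"])
        if person is None:
            # Orphaned account: nobody in HR is accountable for it.
            findings.append((acct["login"], "no matching HR record"))
            continue
        exit_date = person["exit_date"]
        if exit_date and date.fromisoformat(exit_date) <= today:
            findings.append((acct["login"], f"employee left on {exit_date}"))
            continue
        held = set(filter(None, acct["roles"].split(";")))
        extra = held - ALLOWED_ROLES.get(person["department"], set())
        if extra:
            findings.append((acct["login"], "roles outside department: " + ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for login, finding in review_access(HR_ROSTER, ERP_ACCOUNTS, date(2024, 6, 1)):
        print(f"{login}: {finding}")
```

Run on a schedule against fresh exports, each finding becomes a ticket: disable the account, or document why the exception is justified.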
4. Rely on ERP certifications
By purchasing a certified solution, you can be sure that the software has been developed on the basis of recognized security standards. Basic data protection requirements are met, as is the ERP system’s reliability. In addition, certifications strengthen the trust of customers and authorities, as compliance with internationally recognized standards can be verified. For example, APplus is certified in accordance with the ISO 27001 information security standard.
5. Ensure secure ERP remote access
Gone are the days when your employees only used the ERP system on a stationary PC in the office. Nowadays, software is increasingly used in the field or in the home office on mobile devices. It is therefore important to guarantee ERP cybersecurity on the move.
You should secure ERP remote access with the following measures:
- An encrypted VPN connection secured with multi-factor authentication (MFA) reduces the risk of cyber criminals gaining access to your network, your data and the ERP system via a stolen password.
- Audit trails help to log all activities and quickly identify suspicious processes.
6. Train your employees
Even the most secure software cannot provide adequate protection if users are unconsciously circumventing the security mechanisms. If employees use insecure passwords or open phishing emails, the cybersecurity of the ERP system is seriously compromised.
Through targeted training, employees learn to recognize risks at an early stage. They develop an awareness that each individual has a responsibility for ERP security. In this way, the human vulnerability becomes an active line of defense in the company’s security concept.
7. Develop an ERP backup strategy
Backups are immensely important to prevent downtime and long-term damage. If your data is encrypted by ransomware in the ERP system or if you suffer data loss in any other way, you can restore the information quickly. In this way, you secure your business-critical processes and can continue your operations without interruption.
However, make sure that your backups are not stored in the same place as your live ERP system data. This way, you are also protected against physical hazards, such as flooding or fire.
8. Weigh up between on-premise and private cloud
If you use an on-premise solution, all data is stored locally in your data center. The advantage: because the data is accessed within the company network, your information is protected from external attacks. However, you need the necessary expertise in data protection and access rights for this.
If you do not have the necessary expertise, a private cloud is an option. Your ERP system and backups are then hosted in the cloud by experienced providers. Specialized experts and cutting-edge security mechanisms monitor
So weigh up carefully which model best suits your company.
9. Carry out regular ERP security checks
To minimize IT risks in the ERP system, you should continuously scan the software for potential sources of problems or security gaps. If you have internal capacities for this, you can eliminate frequent points of attack or known security leaks yourself. However, special software can also detect and highlight database vulnerabilities by scanning.
10. Do not economize in the wrong place
Data security should be worth a lot to you. Once your system has been compromised, you will be faced with considerable time and costs for ERP recovery. You should therefore plan a fixed budget for your security strategy to avoid any nasty surprises. The investment pays for itself two or three times over in an emergency.

Conclusion: ERP security secures your ability to act
ERP security is a business-critical factor that you should not underestimate. Cyberattacks, technical glitches and human error can quickly lead to system failures and paralyze your entire operation. This in turn has a negative impact on your competitiveness.
To maintain ERP security at all times, you need a well thought-out security strategy. This should take equal account of technological and human aspects. A modern ERP system that meets all current security requirements and offers automated protection mechanisms is particularly important.
Investing in your ERP security not only protects your business-critical processes, but also your ability to act. Ultimately, prevention is cheaper and more sustainable than any emergency measure.




