Posted in Operations & IT Articles, Published on 29 December 2013
When business and government leaders gathered at this year’s World Economic Forum in Davos, they focused on key emerging global risks, including cyber-security. Internal research by PwC among business leaders has revealed that the security of ERP systems is a growing concern. In recent years, the audit of ERP security has gained importance, and an increasing share of firms’ audit budgets is being allocated to it. However, it remains a complex, lengthy and costly task because of a confluence of factors.
The international information security standard ISO 27001 defined the basic components of cyber security as confidentiality, integrity, availability, authenticity and non-repudiation, but the problem has since grown beyond these components. A cyber security attack can lead to brand infringement, industrial espionage and fraud, in addition to lost revenue and production. While data security risks have evolved dramatically, the practices businesses follow have not kept pace, and many CEOs are yet to truly appreciate the magnitude and seriousness of this critical business issue. A few multinationals, however, have recognized cyber-threats for what they are, enterprise risk management issues that could severely impact their business objectives, and have appointed a CISO (Chief Information Security Officer) to own them.
“It’s impossible to separate the concept of ‘security transformation’ from the pragmatic day-to-day discipline necessary to achieve it. In order to transform your security infrastructure, you must ensure that each security project clearly maps back to the organization’s strategic business objectives. You have to be ruthless when it comes to making tough decisions about the kind of information security investments you are willing to authorize and support. Ensuring that your security investments support your business strategy is a critical litmus test for any CISO. Every discrete security project must align with corporate strategy in order to make the cut. Otherwise, it is not going to drive your business forward.”
- Ken Morris, CISO, Adecco
While mapping an ERP implementation to strategic business objectives, and quantifying its benefits in terms of ROI, is still an ongoing concern for many firms today, it is an even more difficult task to map security investments to long-term strategic objectives.
ERP systems are especially vulnerable because of their nature, size and complexity. It is a well-known maxim that “complexity is the enemy of security”. ERP systems are inherently complex because they usually span many functional areas and business processes along the value chain. The primary objective of an ERP is to provide flexible solutions to the firm’s business problems, and the number of alternatives available for configuring the system can itself result in many potential security configurations, some of them in conflict with one another. ERP vendors pay little attention to such potential conflicts and problems. Because projects are constrained to deploy the system within time and budget, ERP implementations also pay little attention to security implications, and thus security issues exist at every level of the system: the application layer (business data and processes), the network layer (authentication and inter-module exchange) and the presentation layer (GUI, browsers and PCs).
As a practical matter, there is no way the vendor, be it SAP, Oracle or any other, can guarantee security, because not all security loopholes are software defects. Many attacks depend on everything from employee behaviour to a failure to maintain patches on all parts of the system.
Firms that opt for a plain-vanilla implementation still have various ready-made solutions provided by many consulting firms. Firms that decide to customize their ERP, however, incur not only more cost but also more risk in terms of security. Any time you have to write code, or heavily modify it, you run the risk of introducing vulnerabilities, and ERP is no different. Fearing the risk of vulnerabilities and downtime, many firms choose not to upgrade to newer versions or maintain patches, which again results in more risk. Security is a constant job, no matter what applications are running. Staying aware of vulnerabilities, applying patches regularly and ensuring that users do not engage in unsafe behaviour has become one of the organization’s major responsibilities.
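To make the point about custom code concrete, here is an added example that is not part of the original article or of any vendor’s ERP code. It models a custom customer report of the kind an implementation team might bolt onto an ERP: one version builds the SQL by string concatenation, so whatever the user types is parsed as SQL, and the other binds the input as a parameter. The table name, rows and the `report_*` function names are all constructed for the illustration; SQLite stands in for the ERP database.

```python
import sqlite3

# Constructed sample rows standing in for a customer master table (not real ERP data).
CUSTOMERS = [
    (1, "Acme Ltd", "EU"),
    (2, "O'Brien Supplies", "EU"),
    (3, "Zenith Corp", "APAC"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, region TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def report_vulnerable(conn, name):
    """Custom report built by concatenation: the caller's input becomes part of the SQL text.

    A legitimate name containing an apostrophe already breaks the query, and any input
    that happens to be valid SQL is executed as such (the injection risk the article warns of).
    """
    sql = "SELECT id, name, region FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def report_hardened(conn, name):
    """Same report with a bound parameter: the input is always treated as data, never as SQL."""
    sql = "SELECT id, name, region FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def concatenated_query_fails(conn, name):
    """True if the concatenated report raises a database error for this input,
    which shows that the input was parsed as SQL rather than compared as a value."""
    try:
        report_vulnerable(conn, name)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = build_db()
    for customer in ("Acme Ltd", "O'Brien Supplies"):
        print("hardened:", customer, "->", report_hardened(db, customer))
        print("concatenated fails:", customer, "->", concatenated_query_fails(db, customer))
```

The hardened version is the one a review should insist on for any custom report, interface or user exit: the parameter binding is the control that keeps an ERP customization from turning ordinary input into executable SQL, regardless of what the input contains.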
Until recently, ERP systems were closed, in the sense that control and access lay inside the enterprise; with the changes in how ERP systems now operate, that is no longer true. With Electronic Data Interchange (EDI) and the migration of ERP systems to cloud-based solutions, the scope of data security has extended beyond the physical boundaries of the company. A minor security breach in a supplier’s IT system can have catastrophic effects at the other end. The evolution of technology has only made security a more serious issue.
In the coming years, the participation of web components and players is set to increase, and steps are being taken to identify the entities and processes needed to create a robust cyber security ecosystem. However, standard IT industry solutions need to be analysed for need, applicability and sustainability before adoption en masse. There is a need for sustained dialogue among all stakeholders to achieve the desired level of security, and implementers should create the requisite platform interfaces to facilitate cyber-secure system implementations.
This article has been authored by Ankita Kushwaha from IIM Shillong