Juliette Welch: Thank you everyone for joining us for today's call: The Growing Role of Cybersecurity in ERP.
Shawn Windle is our speaker for today. Shawn is the Founder and Managing Principal of ERP Advisors Group based in Denver, Colorado.
ERP Advisors Group is one of the country's top independent enterprise software advisory firms. ERP Advisors Group advises mid- to large-sized businesses on selecting and implementing business applications from enterprise resource planning, customer relationship management, human capital management, business intelligence, and other enterprise applications, which equate to millions of dollars in software deals each year across many industries.
On today's call, Shawn will discuss the crucial need for a cybersecurity plan in order to protect your most vital enterprise applications and how to mitigate these risks to ensure you never become a cyber victim.
Shawn, if you're ready, I'll pass it along to you.
Shawn Windle: Great, thanks Juliette, I appreciate it and thanks for joining our call today or the podcast.
And so this is a very interesting topic that I think a lot of our clients and we as an organization are looking at. When you think about cybersecurity, there are definitely different feelings that can be felt around cybersecurity. They're usually bad. There's a lot of things in the market and in the news that we hear about attacks and things that occur, and unfortunately they are true.
So as always, those who've listened to our podcast in the past know that I'm going to talk for maybe ten to 15 minutes about this topic. And the hope is to break down the fear, because once you understand something fully and completely, the fear kind of goes away. It turns out that's really the basis of why we have concerns: we don't understand things.
So, in a very short amount of time here today, I want to give you some background and definitions on cybersecurity and how it relates to ERP.
We'll also talk about how cybersecurity attacks happen in the ERP space, and then some best practices for handling the risks that are real for ERP with cyber security.
So, when we talk about cybersecurity, what we're really referring to is the threats and the attacks that are known in the information technology space. So, if you think about the world of technology, we're looking at hardware devices and a whole heck of a lot of software. Those hardware devices can be something as simple as the phone that I'm talking into, a laptop and desktop, could be some other kind of computing device, all the way to the servers and infrastructure that run in data centers, and the business is really around the world.
And then you have software. And the software side is interesting, too, because we have things like email and websites that we use every day, but as many of you on the call know, there's a heck of a lot of infrastructure software behind the end user software that we use.
So, when we talk about cybersecurity, we're really talking about the threats that can occur at the hardware and software layer for really any kind of application that exists on the planet, so this is kind of a big deal. I mean, we typically hear about cybersecurity and cybersecurity breaches with websites and banks in the news — things from Twitter to Wells Fargo to some of the credit agencies.
But they really are less known with internal business applications like an enterprise resource planning application. And when we talk about ERP, we as usual, mean a conceptual framework of the enterprise applications that run the business processes throughout an organization.
So that could be customer relationship management, sales, customer service, it could be order entry, could be your pricing, item catalog, your project management systems, project portfolio management systems, controls, supply chain management, supply chain planning, human capital management, payroll, HR, everything you could possibly think of — we lump into that ERP category, but basically these are the packaged applications that businesses are using to run their processes.
So, if you look at cybersecurity related to hardware and software, and then you look at an ERP or ERP applications being a lot of software, red flags should be going up saying wait a minute, ERP applications are probably getting hit a lot with cybersecurity attacks. And the answer is they are. But the interesting thing is you don't hear about a lot of them.
We'll talk to some of them today. Shawn Orthmann, who's joined our marketing team, put together some really nice examples that I'm going to talk through here in a little bit.
But you'll see that it's actually more prevalent. Cybersecurity attacks and risks are much higher in ERP than you would even think of. And I'm going to give you one example that sets the stage here and then I'll talk about how it happens.
There's a particular software application that we have advised clients toward in the past. Frankly, it only runs on prem, but a lot of our clients want to have software that they don't have to maintain and operate, so they'll go to a hosting provider. You could call them a private cloud provider, but this particular vendor just focuses on one application.
And they get the data center, they work through the data center details, then they manage all the technical infrastructure of the application — they can even manage the application itself.
So, it's a pretty good offering, except this company got hit with ransomware, and ransomware is basically software that gets somehow installed on your environment. It shuts the entire application down and the creator of that ransomware package will basically say, okay, we'll give you access back to your site into your servers after you pay us.
Wait, what? You just took away access to all of my customers that I host their instance of this particular product and there's 100 customers and they're all paying me on a monthly basis for that. And wait a minute. All my customers — literally, they could not interact. They could not see their accounting systems because of this ransomware package. That was really bad and ultimately the company ended up paying the ransomware. They really felt they had no choice. And once they paid the “folks” we’ll call them — really these are lower than criminals by the way. People on this planet to do that kind of thing. Once they paid them, they did get their system back online, but they had to rebuild several things, so I mean it was just a freaking disaster.
So unfortunately, this is very real, but you are never going to hear about the cyber security attacks that happen at large corporations, even small corporations because they're too embarrassed to tell anybody.
So, this is a very important topic and I'm really glad that you're listening because I'm going to tell you some things that you really need to understand so that this doesn't happen to you.
Okay, with that out of the way. So, how does it happen?
So, typical cybersecurity strikes and attacks — they're about people, they're really not about computer systems. What can end up happening is that the users and different administrators just think it won't happen to us.
So, even sometimes if you think about it — you may even be hacked right now, like we don't know. Sometimes we just don't know these things, and recently in the news, in 2019 alone, there were some hacks that occurred that affected millions and millions of records. There are specifically twelve breaches that we were able to research that affected ERP systems in financial services, telecommunications, retail, and medical research, and for some of these larger organizations the average damage of one breach can be in the millions of dollars, upwards of $5,000,000.
So, it's real that companies are getting attacked, but how do they become a target like are they just not smart enough or they don’t have a big enough cybersecurity risk team?
That's not really the case. They kind of pull it in from different areas, and one way that cybersecurity attacks occur is through competition or maybe even a disgruntled former employee who decides to do something and kind of get back at their company. And even if you look at some of the news that's out there, these kinds of attacks have even doubled in the last year.
So really, any company is at risk from things like a competitor or former employees. I mean, there's even kind of worse instances where we may even have hostile nation states that are trying to attack and disrupt supply chain management systems. If you think about some of the countries around the world and what their viewpoint is on America right now, they may be going after things like grocery stores and third-party logistics providers. And if they took down Walmart, where would we get the stuff we get at Walmart?
So, there's definitely realities on how companies become a target from these different sources and one last source could even just be a hacker who wants to play a prank. Or maybe it's just trying to impress their friends.
I mean, this is — you really have to understand the criminal mind to understand the people that are behind these kinds of attacks, and these individuals are out to really wreak havoc in areas of the world that they know that they have knowledge of that others don't. And technology — sometimes you can get these kinds of people out there.
It happens because you have somebody who's ultimately crazy and wants to take advantage of other people, and so it's just a reality unfortunately.
But listen, what's more important though, is that there are best practices that you can put in place for handling these cybersecurity risks and attacks before they happen.
So, one of the things to look at is the enemy within, if you will. So, if you look at the employee base, there's a couple different ways to do this. I can tell you this right now frankly, that 20% of the population, and that might even be your employee base, has probably had some bad intentions. Now you know who those people are when I say that. I bet if you look around your organization, you can find them.
That's not to say they're going to be attacking you in a cybersecurity attack, but find out who the people are. But also give training to most of your employees, if not all, if you're planning for things — most of your employee base, pardon me — for looking out for things that seem kind of fishy and that are not quite right, that are coming across their desk and maybe aren't quite what they expect, but they're not sure what it is.
You really have to look at your employee base first to protect yourself from cybersecurity risk, is what I'm trying to get to. And it can be something as simple as a USB port that has some virus in it, and they plug it into their computer and boom, the virus goes into the machine. There could be emails and memos that are sent through electronic mechanisms that people click on, and links that come through. There may even be physical risks that come up where somebody says to an employee at the end of the night, “oh, I’m the security person” or “I’m the cleaning person, please hold the door open for me, I don’t have a key.” Might even be people posing as IT contractors that are coming in.
So, super important to look at your people and make them aware of the risk that they could be running into — maybe from other employees, and I will tell you it's always the people they don't like — but also from emails and from physical risks that come in.
So, all it takes is one person leaving their screen open with the access to their SAP environment open and then that person posing as an IT contractor comes in and starts writing themselves checks. So, watch out for the people.
The reality with best practices — the second thing I want to talk to you about is that there are just inherent complexities of ERP that make it actually more susceptible to some of these cybersecurity attacks than even the online web stores and eCommerce sites that we hear about with attacks.
If you think about it, there's a lot of transactions that are run throughout an ERP system, and the security roles that sit on top of that ERP system — people are usually assigned to a role and that role can do a certain amount of things. It might be several hundred things that that role can do.
You have several hundred users, several hundred roles, and now all of a sudden you have all of this control risk that you need to maintain and track, not just from a segregation of duties perspective or the Sarbanes-Oxley internal controls perspective but also from, are you giving the wrong people access to certain parts of your application?
So, the second best practice here is to really understand the complexity of your ERP as it relates to its security architecture and hierarchy with roles, and really clamp that down. It's not fun, frankly, but it is something that can really help with minimizing the risk that you could be opening yourself up to on your ERP.
When was the last time you reviewed your roles? I can think of many clients that if I ask that question to — I haven't asked them that question, so I don't know when you're doing it. So, it's something that needs to be looked at.
The other thing, too, again as it relates to cybersecurity, is that we talk about this concept of cybersecurity audits.
So, the third best practice is really to put in place a cybersecurity audit program that makes sense for you. For some organizations this may be monthly, others might be quarterly. But look at what you're doing with enforcing password complexity and renewals. Keep your software up to date, so that the things that are built into these applications will make sure that cybersecurity risks that are out there are being handled. Enforce best practices as well, like looking at the segregation of duties we mentioned before, too.
You also want to take a look — from an audit perspective — at where the encryption is within your ERP system. And I'm talking end-to-end, from the device through the transport layer to the application to the database and back. Really look at the encryption that's in place for that.
So, those are some good best practices.
Probably the last best practice that I want to talk about is what to do if something occurs — if there is a cybersecurity attack.
So, the last best practice is to have an incident response plan ready in advance of an attack happening. So, it really needs to spell out what to do when something goes wrong. Who's going to handle it? Who needs to be notified? What actions need to be taken?
So you may look at putting together four or five different scenarios — we call this the cybersecurity risk mitigation plan, where you look across your enterprise resource planning ecosystem — not just an app, but the ecosystem — and you spot where the risks could happen.
Of course put the mitigations in place — for instance password protection and things we've talked about — but really ask your key people, where could these risks occur and where are we not covered and what do we do if there is something that comes up that we hadn't planned on?
And you'll be surprised that, much like any other risk in business and in life in general, when you confront it fully, you understand it fully, and then you can have a plan in place for what to do about it.
You're inclined not to do it, and it won't happen if you're really ready for it. It's an interesting thing. But if it does, then you know exactly what to do and in what shape to be in.
I'll tell you also that there's a couple companies that we've worked with in the past that might be interesting to look at. One of them is called KnowBe4 and they do an unbelievable job of training employees on cybersecurity risks and really getting them thinking with these concepts so that they're more aware in the present time of what risk could be there.
There's training on how to identify these phishing emails, where it's the former prince of some African country you’ve never heard of — but no, it comes from a vendor that says I have a question about this document that you sent me, click here. That company has great training to teach employees how to handle that.
And then we've done a lot of business with Coalfire here in Denver, too. Coalfire Systems does penetration testing and many other forms of cybersecurity preparation and prevention tasks that will really help you to understand some of the risk that you have.
So, there's a ton of other great companies out there in the market, too. But be willing to get an advisor in this space.
But like I said, pull four or five key subject matter experts across your ERP environment and sit them in a room for a half hour. Tell them beforehand they need to come with two or three risks that they're aware of, put them in the room for a half hour, have the team talk about those risks, talk about what the mitigations are, assign one person that plan, and go roll it out across the rest of the business. Make it 15 minutes or less for all users to just do a couple simple things, and you'll be 95% protected, because it all comes down to people.
So, that's a lot of information I just threw out there. We'll definitely have a white paper based on this topic.
We're always available for questions as well, and that's about all we've got for today. Juliette, I'll pass it back to you.
Juliette Welch: Thank you, Shawn, I appreciate that.
Thank you everyone for joining us for today's call. We appreciate you taking the time to join us. And as Shawn said, please let us know if you have any questions. You can reach us by phone or our website.
Our next call is November 13th: AI Has Crept into ERP: Are You Ready?
In this next edition of The ERP Advisor, we will discuss some of the ways AI and its cousin, RPA, robotic process automation, are impacting ERP on a practical level today, and what we expect to see in the future.
We hope you will join us. Please go to our website erpadvisorsgroup.com for more details and to register. Thank you again.