ERP Systems Security and the Prevention of Cyber Attacks

Considering how much is at stake in enterprise systems — from financials and trade secrets to customer data and credit card numbers — the argument could be made that ERP security best practices carry the highest importance. We’re looking for holes in the fence and discussing how to patch them in this episode of The ERP Advisor.

October is National Cyber Security Awareness Month, and though all system security is crucial, it could be said that enterprise security solutions are among the most important.

Enterprise Resource Planning software contains delicate and vital information for your company, from financials, customer data, and credit card information, to trade secrets. Enterprise security software should be on the forefront of any company’s security preparations.

Enterprise Security Systems: How to Keep Your Organization Safe from Cybercriminals

Above and beyond any type of enterprise security software or other solutions, the most important protection you have against a cyber attack is within your organization itself.

1. Build a Culture

The first thing you will need to do is build a security culture within your company. Everyone at your company must be involved, no matter what their position is. Creating a cyber secure culture is not a sprint, it’s a marathon. It’s not just checking off boxes to make sure you’re compliant with a regulation and then moving onto your next project.

2. Always teach Cyber Security Awareness

Cyber security awareness training that happens only once a year is simply not good enough to keep your company safe. Enterprise security needs to happen all the time. It needs to become a part of your company’s culture, a part of who your employees are when they are in the office, as well as outside the office as part of their normal day-to-day activities. Only with constant vigilance do we have a hope to keep our systems safe from attack.

3. People: The Most Important Factor

For enterprise security systems and practices to really work, remember that your employees’ actions are going to be more prominent than what they know. You can train and train your people on what measures to take, but it won’t work unless people care. In addition to knowing what steps to do to keep systems secure, people need to know why it’s important.

Enterprise Security Solutions: How They Are Different

As much as we can discuss cyber security measures at home and at the office, remember that ERP software system security is different.

Your organization could have the best enterprise security systems in place, but an attack could still happen. These types of attacks are devious: once someone clicks on a link in a phishing email, it can execute malicious code inside your firewall and infiltrate your organization in seconds. Your ERP software could be infected instantly, and rather than taking down just one department or one system, it could take down your entire organization.

Before investing in enterprise applications, find out what steps a given software provider is taking to improve cyber security. Ask the company to tell you what measures they are taking to protect your data. Don’t assume they have it under control — truly understand what they are doing, and make sure you are comfortable with those cyber security methods.

The Dangers of Enterprise Security in the Cloud

It may seem like a safe action to have your ERP systems in the cloud, but this is not an absolute truth. When you think about it, the “cloud” is just somebody else’s computer, and while many cloud solutions are very secure, they must be evaluated on a case-by-case basis. After you put enterprise security solutions in place at your own organization, you must ensure that any third-party you work with has their own security best practices in place as well.

Even if you know the company, it is still important to ensure they have enterprise security systems in place for their cloud applications. There is an old saying: Trust but verify. You can trust your third-party vendor implicitly, but it is in your organization’s best interest that you still verify what security measures they are employing.

If you don’t know what questions to ask, or what types of enterprise security software a possible ERP partner should have, you may need to bring in an expert to assist.

Top Cyber Security Risks for Any Organization

The first cyber security risk for most organizations is not knowing what data they have and what data should be protected. Be sure you understand and track any data that is being saved in your systems or sent into the cloud. Always know what is being stored and where, and then ensure those locations are secured.

Second, and perhaps the most dangerous element in any organization, is people. Unfortunately, humans can be considered the weakest link when it comes to enterprise security. Phishing is one of the top attack vectors cyber criminals use to gain access into organizations, and people are often the way they get inside.

But there is a caveat to the above. People are only the weakest link when they haven’t been educated. If a person hasn’t been made aware of the dangers and how to prevent an attack, they are going to be susceptible to such an attack. Remember that people as a whole are incredibly intelligent, and they can learn what to do to protect your organization. When cyber security education is encouraged, your people actually become one of the strongest assets that you can have for preventing cyber attacks.

The Anatomy of a Cyber Security Attack: How it Happens

In this section, we will break down exactly how cyber criminals work, from the first steps they take to get into your system, to what happens once they are in, and how they will attempt to cripple your organization. A cyber attack typically includes the following steps:

  • Testing
  • Setting Up the Bait
  • Using Fear and Curiosity to Get Inside
  • Sneaking Inside
  • Preparing for the Attack
  • Attacking from All Sides
  • Making Their Demands

Testing: Cybercriminals Do It, Too

Cybercriminals have all the same technology and systems that you have in your organization, in their own environments. They set up all the same spam-blocking software and antivirus software. They test their phishing emails in those environments to see which ones get through. They are always testing and running through different scenarios to build up a repertoire of tools that will work.

Setting Up the Bait: Phishing and Spear Phishing

An attack will often come from a phishing email, which is more generic and designed to deceive almost anyone. But sometimes a cyber criminal will create “spear phishing” emails, which are designed to get into a specific organization. They will start by looking for email addresses within your organization, using free tools to help them harvest emails online.

Using Fear and Curiosity to Get Inside

Once they have the email addresses, they’ll create an email with a link. For example, let’s say a new CEO just started at your company. The attackers will design an email that looks like it’s from the new CEO and include some exciting news, such as announcing a new daycare facility or maybe even that layoffs are coming – anything that generates enough fear, curiosity or excitement to get someone to click on the link or open the attachment.

Sneaking Inside

Once someone clicks, they have started connecting to the cyber criminal’s server. It may even display what looks like your company website, so that the employee will log in and the criminal will steal their user credentials. The fake website can even look legitimate enough that the employee continues to work, but in the background a file is being downloaded onto their computer. Known as a dropper file, this can take over the employee’s computer without them being aware.

Preparing for the Attack

After the cyber criminals get inside, they start looking at your network to see what systems your organization has. The door has been opened, and now they can go in and out as they please, taking their time to learn as much as they can. They’ll look at your different systems, find the main server, and maybe even create their own user credentials or VPN access so that they don’t have to keep using the original user’s credentials or laptop to get in every time. To set up the ransom, they need to find your sensitive data, intellectual property, employee records — anything that they know a company will pay to have back.

Attacking from All Sides

Once they have everything needed to attack your system, they launch the ransomware. They will encrypt all of your organization’s available data, but leave the system running because they need you to reboot. Or they may wipe out all the data so that you must shut down – an extra step to ensure they have crippled your organization. Often they will leave behind nothing but a ransom note, instructing you to visit a site reachable only through the Tor browser. Tor stands for The Onion Router, an anonymizing network used by denizens of the dark web to keep users’ locations and identities hidden.

Making Their Demands

They will give you information on how much bitcoin they want, depending on your company’s profits and how much they have determined you can pay. They will also put a time limit on how quickly you must pay up, which is usually 72 hours.

Now you have to make a very difficult decision: Do we pay? Do we attempt to restore from backup? What do we need to do next? Even if you decide to pay, it takes time to set up a bitcoin wallet and transfer money to it if you don’t already have one. And you may have to ask the hackers for an extension, which could bring the price up even more.

Sometimes you may be able to negotiate the ransom price down. But whether you decide to pay or try to negotiate, in either case you are probably going to need some help, and there are organizations you can contact that will come in and negotiate with the cyber criminals for you.

The Aftermath

The cost of a cyber attack can be more than just the price of the ransom to get your ERP systems back. You will need to account for downtime while the systems were out of operation, as well as loss of revenue and productivity. There are also the factors of your company’s reputation and the effects a cyber attack could have on future sales. There are also employees to consider, if production drops to a point where you have to let people go and pay them damages.

Even if production is not affected, anyone’s job could be at risk after a cyber security breach. When these types of situations occur, people can be fired for not making sure there were enough cyber security solutions set up in the first place.

Enterprise Security Systems: The Most Important of All

As sobering as it is to read the above description of a cyber attack, an enterprise security attack could be even more devastating. If your technology infrastructure goes down, that also means your ERP will go down as well. If an attack occurs, how would your company function? How would salespeople enter orders into the system? Having the proper enterprise security solutions in place will be vital to your company’s future.

The Emotional Impact of a Cyber Security Attack

Beyond the scope of the technical aspect of an enterprise security breach is the emotional impact it can have on people. Whether it happens within your organization or to a vendor, a cyber security attack will affect your team. The controllers, the salespeople, and the accounting people are all just trying to get their work done, and a cyber attack can create an environment of stress and fear. This can rattle people and affect them in the office as well as at home, so it is vital to recognize the effects it can have and take actions to address workplace morale in the wake of an attack.

The Importance of Cyber Insurance

Cyber security experts often say that there are two types of organizations in the world: ones that have been breached, and ones that have been breached and don’t know it yet.

While it is crucial for your organization to have enterprise security systems and software in place, even those that are prepared may only be able to minimize the damage from an attack. In today’s world, it is nearly impossible to guarantee that your company won’t be attacked by a cyber criminal, but you can mitigate the destruction.

The average cost of ransomware has been on the rise in recent years. A few years ago, an attacker might have asked for a ransom around $500 to $600 per machine. Starting last year, the amount has gone up to the hundreds of thousands of dollars and is heading into the millions of dollars.

When the inevitable happens, having cyber insurance or funds set aside in your budget for ransom will be vital to your company’s survival. Having either of these measures in place will allow your company to pivot and return to production as quickly as possible after an attack.

Hope in Cyber Security: What You Can Do

As frightening as a cyber attack sounds, it is not all bleak news. Despite the fact that there are cyber criminals out there who only want to destroy companies for a profit, there is something you can do about it.

  • Get your enterprise security software in place and educate your employees so that they know what to look for and how to prevent an attack.
  • Identify the most important information in your organization, whether it’s personnel records or intellectual property, and protect that above anything else.

The mindset is no longer: How do you keep the bad guys out? Instead, the mindset now must be: The bad guys are in your network. How do you protect your data from getting stolen? If an attack comes in, you need the ability to spot it, contain it, and get rid of it as soon as possible.

Whether you have never had an enterprise security attack, or you have experienced one and understand the difficulties in recovery, always be prepared. The next cyber attack can come at any time, but the more preparation you have, the less damage it can cost your organization.

Very special thanks to James R. McQuiggan, CISSP at KnowBe4, for helping us with this article and participating in our video and podcast.

Narrator: This is The ERP Advisor.

Today’s episode: The Brave New World of ERP Security.

Juliette Welch: Shawn Windle is one of our speakers for today. Shawn is the Founder and Managing Principal of ERP Advisors Group based in Denver, Colorado.

James McQuiggan is also joining us today as our special guest. James is a 20-year security veteran and security awareness advocate for KnowBe4 and a part-time faculty professor at Valencia College. On today's call we will discuss ERP security best practices and how to protect your valuable enterprise systems. Shawn, James, great to see you, so glad to have you with us today.

James McQuiggan: Glad to be here.

Juliette Welch: October is National Cyber Security Awareness Month. With all the technology each and every one of us use every single day, whether it be for personal or business use, we know security is important to keep our information safe. But it doesn't always seem to take priority. We know it's something we should be doing, but we don't always take the necessary steps to protect our most valuable investments and information. James, this leads me to my first question for our listeners today, what are the first steps to take in building a better security culture at your company?

James: Thank you very much, Juliette, I appreciate being here and looking forward to a great conversation here with Shawn. Security culture — for me, I look at that as your next evolution of your cyber security in your organization. A lot of people think cybersecurity is an IT issue and it's a technical thing, it's not something I need to worry about working your organization. So, to get culture in your organization, it's got to be something that comes from the top, it’s got to come from the bottom, it's got to come from the middle, it's something that's going to be involving everybody to be able to grow that culture. And a lot of the times you see security awareness or security training going on, it's a once-a-year kind of thing or a one month out of the whole year dedicated to cyber security. I personally will admit that I look forward to the year that we don't need a National Cyber Security Awareness Month because everybody is doing it all the time and it becomes a part of their culture, a part of who they are in the office, as well as outside the office as part of their normal day to day activities.

Now, I came out of the energy space. I worked there for about 18 years for a little German company called Siemens. And one of the pleasures I had, or one of the joys, was going to visit power plants and seeing them get built and work on the control systems there. But one of the things that happened every time I went to a power plant was there was a health and safety training exercise. And you were taken through either written training or video, whatever it was, but it was important that everybody that came into that environment understood health and safety, making sure that there were no near accidents, no near falls. Nobody wanted anybody to be killed because of an accident.

And so that health and safety culture — even in the meetings, you'd start the meetings with a health and safety tip — and I think to get culture into your organization, everybody needs to get involved. Everybody has to have the training. But training is only one part of it because just because you know about the training doesn't mean you care. Honestly, a lot of it comes down to you wanting to get your employees to be involved. You want to get them where they do care about protecting the organization and keeping it secure because a lot of the times their actions are going to be more prominent than what they say or what they actually know.

So, if you're going to have meetings where you start off and somebody has a cyber security tip, then that's a great way to start getting those cyber security norms into the culture of your organization and then letting that work its way outward and people do it on a regular basis, they go home and they see the phishing emails or they're using strong passwords or a password vault, or making sure they're not falling for those phishing links.

So, culture is not a compliance check boxing, it is a marathon. It's not a sprint, it's something that has to be worked on with everybody to be able to promote it within the organization. So, those are just a few steps to get you going.

Juliette: So, it should just be routine rather than doing something after the fact.

James: Exactly. It's you want it to become part of second nature. You know, you're going out for a walk in the evening, and you come to the end of the sidewalk, and you look to the left, look to the right, you're making sure there aren't any cars coming so that you can walk safely across the street. Same thing applies. You get an email, you want to check the link, even if you know who the person is. It's part of that routine that you go through — that second nature.

Juliette: That makes perfect sense and leads me to my second question. Shawn, so you and I were discussing yesterday and today that we are currently providing guidance on some major cyber security incidents that could have been prevented. What can you tell us about that?

Shawn Windle: Well, the first thing I can tell you, Juliette, is on our Monday morning meeting when we started, we're going to be talking about phishing emails, I think to James’ point unfortunately, it is a reality that our clients, as we're advising them on the ERP side as we’ve talked about with you, James. And, you know, you kind of breach that cyber security to “oh everybody's got these potential problems and what could be and that’s not me.” And ERP is different.

I mean, I probably am describing a little bit of my own honest feelings here of recent until we've had some great discussions and like you said, Juliette, in one of the discussions we had, a couple incidents came up that were very apropos to, unfortunately, this month right and it's sort of like one of those things you don't really want to talk about, but it is important for the folks that are listening to this podcast. I think that was something that the four of us with Shaun Orthmann who produces these discussions, we really wanted the folks that are listening to understand this point, because it happens.

So, we have two different incidents that our clients are going through that have really made a big impact on their operations. One of them is a manufacturer that we're working with, they're in the process of implementing a very robust, industry-specific manufacturing application. I won't get into all the specifics, but the implementation’s been going on for a while, the client knew that they needed to get out of their custom systems that run on Windows machines, so we started a process — a nice evaluation process — started the implementation and after a while they called us and said, hey, we need some help getting some implementation done.

And we went in and kind of figured out where they were in the implementation, they needed to validate some requirements so they kind of took a step back and we're working through that process. And then a couple weeks ago — boom — they got hit with a cyber security attack where I don't know all the specifics of it — James you probably know more — but it sounds like basically somebody clicked on an email that then some kind of code was brought down on to a server on the other side of the firewall within their organization that once that code gets executed to propagate across all their machines.

And when I say all their machines, I mean, all of them, all of their servers, all of their laptops, desktops, everything. It was a Friday I believe it happened and then on Saturday was when they discovered this issue. So, they spent most of the weekend, of course, trying to remove what they could and got some of the virus instances — I'm sure there's a more technical term — kind of wiped out, but not all of them. So, and they restarted some machines then all of them got it again.

So, I mean, it's really been a really difficult situation. I think our client has been unbelievable in how they've responded, they brought in the right cyber security team — I actually reached out to James, I was sending a note to him on LinkedIn. I mean I offer to anybody who's listening to let me know anytime if they need anything, so if they ask me about cyber security, I'm asking you. But it really was one of those times where it's like, I wish I could do more for my client. So, what did I do? I reached out to the expert. And then that client brought in a very specific, very technical team to diagnose what was happening and get some insights into how to solve it.

And then they actually brought in another team, more of a desktop server support company to basically remove the old devices, put in new devices where needed, as well as clean out and restore the rest of them. So, meanwhile, of course, the ERP implementation — whatever — we have to get our orders in, and we've got to keep the business moving. So, the reality of that particular incident was the business did slow down significantly because of the —thankfully as a manufacturing facility they could keep producing but now they're writing down the orders and they're large numbers and they're tracking IDs and everything else. So, the risk is still significant, but they're working through it, they've got the right partners. That's the one can I've seen, James, you have to have the right partner in this circumstance to get through it.

So, fortunately that one's gone pretty good. And then the second one which is of a completely different nature is as, as you know, Juliette, and James as you've learned about us, we work with a ton of different kinds of clients across lots and lots of different industries and they're mostly mid-sized organizations that are really busy but need enterprise apps and want an advisor.

And that’s us, we'll go in, we'll figure out that industry and we kind of do we have tons and tons of industry experience that's very diverse but one of our segments that we work with are nonprofits. And in the nonprofit space there was recently one of the more prevalent organizations — and I won't mention any names, but it's quite easy to find — was hit with a sort of spiritual attack as well, so that impacted many companies that are running their application.

So, this is a cloud-based application that got hit with cyber security. So that's really, really interesting, because a company decides to move to a platform, a cloud-based solution — either they decided to take the application that they've licensed and put it in the cloud or they're running an application that just resides in the cloud, whatever a cloud means. That's why we hammer the heck out of every vendor to understand what their cloud strategy is. But unfortunately, especially from a nonprofit standpoint, where those clients are usually a little less tech investment wise. That's not something they're putting in money and they’d rather literally save the world like most of our nonprofits do, whether it's energy or human services or frankly, bathroom facilities in really third world countries, we have a lot of clients that are out there making a difference around the world.

So, we know we don't do enterprise apps. Well, we're going to pay you, vendor, to maintain and host and secure our instances and then bam, this particular vendor got hit. So, as we go through this call — we may be a little later with this call if there's enough content. But I just want to put it out there that this is very, very apropos to every company that's listening, to you folks who are listening to this call that you really do need to think — I think James said it perfectly, don't cross the street without looking both ways. Don't invest in a bunch of enterprise apps without at least thinking about what are we really doing for cyber security?

And then as soon as somebody who's not like James, but it was more technical, say, “Knock that off. Tell me exactly what I need. That's it. Tell me what I need.” And then do it. You're going to be better off because you will get hit by a bus. That's what we're seeing in the market. Unfortunately, it's very real.

James McQuiggan: You touch on a couple things there, Shawn. First of all, with that first company — there's a saying we have in the industry that basically goes there's two types of organizations in the world, ones that have been breached and ones that have been breached and don't know it yet. So, it is rather unfortunate as it sounds. We joke about it. But a lot of the times, people aren't prepared for those kind of attacks. And if they are, they're the ones that are able to minimize the damage that ends up impacting them because when you get hit with ransomware in your organization, I hope that you have either cyber insurance or you have line items in your budget because right now the average cost of ransomware has been going up a lot this year.

In 2017 when it kind of started taking off $300-$600 a machine is what they were asking for. Now, starting last year, we're into the hundreds of thousands and working our way up into the millions of dollars because what the cyber criminals are doing is they'll get into your environment — and we'll talk about how they do that — but when they get into your environment, they are discovering what organization you are and they're researching that organization and seeing how much money this does this company make every year? Do they make a billion dollars? Do they make $50 million? Do they make half a million dollars? And then they go after a percentage of those profits, that's how they're now gauging a lot of the more sophisticated ransomware attacks. They are looking at the profit margins and seeing how much money can you really spend? Because your defenses aren't secure enough.

So, now you're going to have to pay, and that's the mindset that they have. So, you need a line item almost in your budget for okay can we handle whatever percentage of our profits for having to pay a ransom? On top of that, you're now looking at downtime. You're looking at loss of revenue, loss of productivity, possible damage to reputation, possible damage to employees because if you start if you end up losing money because you can't make money, even if you're doing things manually, and you can't bring in the revenue that you're expected, now you may not have a need for all the resources of the employees that you have. So, you may end up having to let employees go because your brand has been damaged because of the ransomware attack.

There was an MSP, a managed service provider that provides IT services to companies, they got hit a couple years ago. And when they did, their profit margin went from $560 million down to like $270 million. It took a significant hit, they still stay in business, but they took a big hit. Look back at Target years ago with theirs — people still shop at Target — but they took a hit over that first year. The CEO was let go — people lose their jobs over these kinds of things that are coming in. Which kind of brings to the second point with the other organization you talked about where they're using the cloud — and for us, the cloud is just somebody else's computer, whether that's with the giant bookstore in the cloud, Amazon, or you're using Microsoft or whatever other cloud services out there. It's essentially running on somebody else's computer and so when you're working with those third-party companies, you have to be able to do an assessment to make sure that they are following certain cyber security protocols and standards, making sure that they are protecting your data because every company out there will tell you we take security seriously. And I have no doubt that they do.

However, the question then becomes how serious are you taking your security? What are you doing within your organization? What security culture do you have within your organization? And a lot of people will define that differently, but one of the important things to do is to be able to go in and do that trust but verify. I think Ronald Reagan said it years ago, auditors say it all the time: we trust you as an organization. You're in it to make money. You want to be profitable. You don't want to get hacked. But what is it that you're doing to make sure that you are securing our data or your applications and you're providing us that service? And so, then you start looking at vendor questionnaires and how reliable those are, whether you use another third-party product, a governance risk and compliance tool that allows you to do that vendor questionnaire so that you can do a proper assessment to make sure that that organization is going to be able to protect your data because a lot of the time, people don't know what questions to ask, and so maybe that's where you bring in a third party to help you with that.

So, overall, there's a lot of security — cyber security is in a lot of different aspects, a lot of different facets, whether it's making sure your endpoints are protected, making sure that the data and the systems are coming into your environment are secure, making sure the humans are secure.

Juliette Welch: So, James, with all that said, what would you say is the biggest security risk we face? And can you walk us through an example of how something like that could happen?

James: The biggest security risk that we face — there's two. And the first one is a lot of the time people don't know what they have to protect in their organization. For me the first rule of security is you've got to know what you have to be able to effectively protect it. If you don't know what you've got, you can't protect it. That's a lot of the times we've seen data breaches that have been going on because organizations are putting data in the cloud and they're not securing it properly.

And so, the first thing a lot of the time is they put it out there, they have systems they don't know about, those get hacked, and then organizations end up falling into a data breach. The second aspect — and I'll go deeper into this one — is the human element. Phishing is one of the top attack vectors that cyber criminals are using to gain access into organizations. A lot of people — cybersecurity people say it, I've heard lots of people say it — will say that the human is the weakest link in your organization. Okay, I will agree with that with a caveat: they are the weakest link because they haven't been educated, they haven't been informed, they haven't been made aware.

If you can educate your employees and make them aware of the dangers of what's going on, then human beings are smart. We've got pilots that fly us in airplanes from one side of the country to the other. They're not completely on autopilot — I'm sure most of the time they are — but in a car, we're driving, because we know how to get from A to B; we're not relying yet on those autonomous vehicles. So, the human element is, in my opinion, probably one of the strongest assets you can have in your organization. Granted, if they're not educated and they're not made aware, then they are going to succumb to those phishing attacks.

And so, when a phishing attack happens, usually the cyber criminals — the very sophisticated ones, and we'll look at them — have all the same technology and systems that you do as an organization in their environments. They have set it all up with the different email gateways, the different technology devices to block spam, the same antivirus software; they're all running it in their mock environments, wherever they are in the world. They put together a phishing email and send it through all the different configurations and different systems that they've got, and if it goes through, they go, "Okay, put that one aside, that one works." If it doesn't go through, they scrap it. They're running through all the different email scenarios and configurations that they can do. So, they build up their repertoire of those phishing emails, and sometimes they'll create what we call spear phishing emails, which are dedicated to a specific organization.

So, a lot of times they'll use spear phishing if they want to get inside an organization. So, if it's — well, I don't know, a manufacturing company — manufacturing companies are big targets for spear phishing campaigns, for a lot of reasons, because the cyber criminals know that if they target them and take them down, they're going to pay the money to get back operational, because without the systems they're not going to be able to make money. So, they'll send in that spear phishing email that they know has worked through the different technology. They'll send a bunch of them through, and they find the email addresses online. A lot of the time people register for conferences; it's very easy to do a search online for what the domain is for that particular company. It's very easy. There are tools that are free that the cyber criminals, and anybody, can use to harvest the email addresses that you can find online.

And so, they collect up all those email addresses and launch their spear phishing campaign against that Acme company, and they'll make it targeted specifically for that company. So, for example, let's say the day before or the week before, a new CEO was hired and started working at that organization. They will send a spear phishing email that pretends to come from the CEO. They may take the Acme company address and create their own fake domain where they reverse a couple of the letters, because the way our brains read is from left to right, and as long as we see the first few letters and the last few letters, we understand what that is; we may not read the middle ones. So, they'll create a fake domain, transpose the characters, and send that email pretending it's from the CEO that says, "It's my first week here, having a fantastic time looking out over everything. We need to make some radical changes in our organization to be successful. We're going to make changes to the benefits. We're going to add a new daycare in the building."

Things that will generate either fear, curiosity, or excitement, where the employee would be like, "Hey, we're going to have a daycare, cool. I have to check this out." And they'll click on that link or open up the attachment — if it sounds too good to be true, it usually is — but they'll click that link.

So, I'm going to pause there for a second and have you imagine your home. Suppose you were to discover that burglars in the neighborhood were breaking into homes: they were going around ringing the doorbell to see if anybody was home. Nobody was home, so they'd go around back, smash the window, break in to steal electronics, and get away. If you had heard that they were doing those kinds of burglaries, then you would take the necessary steps to secure your home. You'd maybe turn on the security system or have motion sensor lights. You could have cameras mounted, maybe even fake ones that just have a little LED. Those are the deterrents, so that if a burglar goes to break in, they will walk away. They're like, "Oh no, cameras and motion sensor lights." You could even have a "beware of dog" sign, something as simple as that in your front window. And when they press your doorbell, they hear the sound of barking dogs, even though you might only own three cats; but with that barking dog they go, "Okay, I'm not going to break into this home." You have that awareness, so you take the right steps to protect your home.

Alright, off pause. That phishing email comes in and you click that link; think of your home. You've got all that security on there, all that technology. But if the doorbell rings and somebody opens up the door and lets that person in, and you don't know who they are, they essentially are now breaking into your home. When you click that link, that's the same thing as opening up that front door: you are letting the bad guys in. Unfortunately, you're not seeing them physically walk in the door; you are now connecting to their server in the cloud or out on the internet. They may display — whatever it is — it might be the company website, it could be something where they want you to log in and then they steal your user credentials. But they're going to bring up a web page, and all the while, what's happening is a file is being downloaded onto your computer. It's what we call a dropper file. It gets downloaded onto your system and then it's taking over your computer, but you don't know it. It's all happening behind the scenes.

They're able to execute programs without you knowing about it, and it automatically happens as soon as you visit that website. What that dropper file then does is start looking at the network: what other systems are there? It will also make a call back to what we call a command-and-control server, or C2 server — that's another server in the bad guys' lair, we'll say the cyber criminals' lair — where they're now downloading more information because, in essence, you've now opened that door and they've permanently kept it open for them to be able to come in and out. They'll get sophisticated enough that they will get onto your network, get around to the different systems, look for the main server that controls all the user accounts — what we call Active Directory in Windows — and they will then get in and create their own user accounts. They'll figure out the VPN, or how people connect remotely, and create their own accounts so they can now come back in freely without having to come in through that original laptop.

When they do a ransomware attack, a lot of the time now what they're doing is looking for all the data: they're looking for intellectual property, they're looking for personally identifiable information (PII), they're looking for whatever they can get their hands on, and exfiltrating it. They're sending it back out to their servers, often during regular business hours when it looks like regular internet traffic, because that's what it is. And so, all the data is going out. And then when they're done and they're ready to hit you with it, they launch a ransomware attack where the files have been propagated to all the servers, and they encrypt all your data. They leave the operating system running because they need you to reboot.

Sometimes they'll wipe that out so that you end up shutting down; they're taking that extra step to cripple you and hurt your organization a little further, depending on what you do or what they're looking for. What they will leave behind is a note, the ransom note, where you have to go and visit a website using what's called a Tor browser. Tor stands for The Onion Router; it's an anonymous network where, when you're surfing online, they don't know where you're coming from. But it also hides them as well. So, you go visit their website and you enter in the code, and then they give you the information on how much bitcoin they want, because all payment is done in bitcoin.

They don't want wire transfers; they don't need PayPal gift cards. They want the money transferred in bitcoin. And right now, Bitcoin is upwards of $8,000 to $10,000 for one coin. And so, depending on your profits, depending on how your organization does, will depend on how much they ask for. The other thing they'll do is put a time limit on that; they will say you have 72 hours to pay us. Doing any type of data retrieval from backup doesn't take 72 hours; it takes several days. So, you are now put in a very difficult position. Whether you're the CFO or the CEO, you as an organization have a very difficult decision: do we pay? Do we attempt to restore from backup? What do we need to do next? And if you do decide to pay, and you don't have one, you've now got to go get a bitcoin wallet; you've got to register for that, sign up, and then put money in it. That takes at least 72 hours.

I've gone through and done it myself just to have the understanding of it. So, what ends up happening is you now have to communicate with the attackers, and some of them have some really good chat lines set up where you can communicate with them and negotiate, to say, "Look, you know, we can get the money, but we need more time." "Okay, we'll give you another 24 hours, but it may raise the price." Other times they can be negotiated down; there are organizations out there that, when you bring them in, will negotiate with the cyber criminals for you. A lot of the time these cyber criminals are in it for one thing: money. If they can't get the $15 million out of you, they might take a million, because the amount of effort and work they've put into this is only a few hours. Now, a lot of the backend work developing the code, the ransomware and all that, may have taken a little bit longer, but they've used this successfully in a lot of different locations.

So, they're making a lot of money out of it. They hit you with the $15 million knowing they can be talked down, kind of like a car dealership, you know: you go in, you've got a price, and you want to try and talk them down. And so, at that point, once you've gone through and had that conversation and figured that out, then you either pay or you get the FBI involved, and you're doing your recovery at that point. But this is, like I said, a three to five to ten day recovery time before you're back up to 100% of where you were originally. It's never any fun. There are people I know through other colleagues who have worked on these cases and have done something like 15,000 of these over the years. Yeah, it's incredible; it's profitable. Phishing works, and that's kind of why that's got to be the number one biggest risk that we face.

Shawn: Oh my gosh.

Juliette: That is scary.

James: So that's part one. Let me start —

Juliette: Oh my gosh, trying to digest that in and of itself is pretty frightening to think about. All the information, investment, and valuable information everyone has in their business is unbelievable.

James: So, cheesy plug — KnowBe4 website — look for the Ransomware Hostage Rescue Manual; it tells you all about it. There's my cheesy plug.

Juliette: Perfect. So, Shawn, I'm going to ask you a quick question as it relates to ERP. What aspects of cybersecurity do you feel are the most important as they relate to an ERP system?

Shawn: I mean, James kind of laid it out: if your "system" goes down, your technology infrastructure is being hit, but that also means your ERP. So, whether you use it just for financials, being able to pull together information and understand where your organization is financially, or your human capital management systems — I mean, imagine being hit during the enrollment period that's coming up for a lot of our clients, when employees can enroll for benefits. Well, we can wait. We can do it by paper. Okay, fine. But then what about the manufacturing floor that's trying to track work orders from beginning to end, raw material, adding labor? What's the next step of the manufacturing process? No system — we can still manufacture, like the client said. Now you can kind of do some mitigating steps; there are some mitigating steps.

But what about things like ordering, when you need your salespeople to go into an application and enter the order and it doesn't work and you can't get to your system? There's no email. There's no contact list. There's nothing. So, people are stuck with whatever they have to get their job done. I mean, it's sort of like going from where we're at now with business process and automation to where we were 100 years ago. You'd just write it down. We're not using rocks and chisels to do things, or abacuses to add. You have your phone; you can use that. But the efficiency and the organization just went from 100% down to 5%, just like you said, James; they're not making money. But I think the other impact is — and I've seen this with a client we are working with now — it rattles people a lot. I mean, your employees, the emotional impact of going through one of these breaches, whether it happens directly to you or to your vendor that is running your accounting systems. Just the controllers, the accounting people, the salespeople, all these real people that are out there trying to get their job done, and now they can't — it kind of freaks you out.

It's sort of like COVID. "Ah, no, I can't go out to the grocery store. I'm going to die." The news still kind of pushes that a little bit. There are realities. There are risks there, for sure. And I think that's what I like about what James is trying to share with us here, and I hope folks are hearing that it's not this bleak, crazy world where you're going to die and your systems are going to get taken over; it doesn't have to be that way. Just like the big security sign that sits outside of your house, or a sticker, or maybe you do have a security system or cameras — I mean, everybody's got a little Ring thing these days — or whatever it is, just a couple of little things like that to protect one of your assets in your organization. It's one of the most valuable things, which is your enterprise data systems.

And we're going through eight implementations right now amongst our team, and I think about the work, and I think about how hard — there's one plan in particular in Colorado where we're two weeks away from go-live, and if they got hit by something right now and they got shut down, the amount of effort that's gone into just getting that software set up and getting ready for go-live is just — it just devastates. Like, I'd pay the ransom myself — don't get any ideas, anybody listening, I've got like five bucks in my wallet. It's not bitcoin — it's not five bitcoins! But I'd do anything to help a client. They have poured their hearts and souls, literally, into these software systems and getting the data ready.

I mean, all these calls we've done for years, Juliette, about data hygiene with the little scrubber vendor, the little pushy thing with the spray that said something like "data cleansing" — it was really cute — to this call, to talking about implementation risks and selection and all this stuff: we all work so hard to get these systems in place. And to think that some — I'll call him a punk, I want to call them other things — could come in and do some stupid thing like that, and be so selfish as to shut down a business they don't even care about. They just care about the money. It's ridiculous, and I get that not everybody's going to get attacked tomorrow; we don't want that.

But come on, I mean, even like I said at the beginning here, after hearing James for two seconds, I'm like, "Oh my gosh, what are we doing as a company with those phishing emails?" I get them all the time — like, all the time — I think we all do, and a lot of them, with the Mac especially, go into the junk folder. But what doesn't? And I think I know, but do I really know? So, I mean, this is really one area where prevention — it's not even prevention — I love exactly what you said. From my view, our clients sometimes spend millions and millions of dollars on these systems, and that's your one system amongst all of their electronic files. We have another client that's a construction business that has 10 years' worth of estimates and bids and proposals on their network right now. What happens if those get hit? "Eh, they're old, whatever." No, the salespeople use those things every day to come up with new deals. "Oh, we can't get to that."

And all we have to think about is just looking both ways when we cross the road. Okay, so, like, an email comes in — or I think there is an example that was on your website, too, that I love, James, and I think it was about Tesla, where a person targeted an individual at the organization and tried to get in with him and tried to create a relationship, to say, "I'll give you half the money if you let us do this." And the guy, bless his soul, went to his management and then they brought in the FBI. And they tracked down those guys, the cyber security or the cyber ransomware a-holes, I call them, but whatever. Anyway, they tracked them down and then they went to jail for it, and they should have gone to jail. So, there are great stories here.

So again, I think, just like you said, James, your people are everything. Business organizations — I don't care what kind of entity we're working with — it's all about the people. So, the more education the better. Protect your enterprise assets by enabling your employees to think: what's the best thing to protect them and the organization and their group? And I think there's hope for that. That's what I would say.

James: And then, to add on to that, when you have identified what is the most critical part of your organization — that intellectual property, those personnel records, the invoices — you want to protect that more than anything else in your organization. If you need to add extra firewalls at different levels, or reduce the number of people who can access that, you want to do everything you can to protect that. That's your Colonel Sanders recipe, your Coke formula, whatever. You need to add those extra layers of protection, because the mindset is no longer "how do you keep the bad guys out"; the mindset is "the bad guys are in your network, how do you protect your data from getting stolen?" So, if an attack comes in, you have the ability to spot it, contain it, and get rid of it. But if they do get in, it's very difficult for them to gain access to your core data, your golden nugget, your crown jewels, critical assets, whatever you want to call them. You want to make sure you've got procedures, programs and policies in place to protect those.

Juliette: Well, it's obvious there is so much more we could cover and talk about, and I think we are going to have to do a part two as a continuation to learn more, because you are a wealth of knowledge, James. Thank you very much. So, just to close out today's call, is there anything either you or Shawn can share to help us predict or prevent any new types of attacks?

Shawn: James, what do you think?

James: So right now, with everybody working from home, a lot of the predictions I'm seeing are that the threat landscape has grown tremendously. You would think about businesses — the physical walls of that business really are the perimeter for your organization — and with the cloud, more and more cloud services, that perimeter gets thinner and thinner, and now it's the cloud and the world and everything else. But now you've got people working from home, you've got them on their home networks, and so the threat landscape has increased even more. People are stressed. People are distracted by working at home. I mean, I've been working from home now for well over a couple of years. And when I first started, the distractions were too much. My TV's down the hall — hey, you have to catch up on that latest Netflix show — I wanted to go watch that. But the distractions when you have a family and the toddler wants you to play with them because they know you're home — those distractions come into play and make people a lot more susceptible to the fake emails or the phishing emails that are coming in. You decide to go out to a coffee shop and jump on the WiFi there, but it's not really the WiFi; it's some hacker that's running their own. So, make sure you're using a VPN next year until we really get clear of COVID and people are back in buildings and using secure network environments for those organizations. A lot of companies have to consider those systems as almost untrusted. The concept is called zero trust architecture; it's a trust but verify aspect where you've got a device coming in, but it's got to be authenticated multiple ways. It can't just be a username and password to gain access. So, the threat landscape has gotten bigger for everybody, and it's a lot harder for them. And it's going to get a lot harder for 2021.

Shawn: I think, Juliette, if I can add on top of that. First off, I'm not going to be so upset when my bank sends me that little text with the code and whatever else, or sometimes enterprise apps do it — fine, I'll do it, I'll just copy it in. But, interestingly, from an ERP perspective, almost all of our deals in the last three years, let's say — except for one big one — went with cloud-based ERPs, whether it was human capital management, supply chain management, customer relationship management, whatever that package application was, patient care reporting — cloud-based. So, when you talk about trends and upcoming risks that we haven't really thought through, this thing that happened with this nonprofit app provider really showed me: here we are recommending software vendors to our clients, and what if we recommend somebody that gets hit and has a breach? So, we've asked for SOC 1 and SOC 2 reports for years from vendors, but I really think that with the bigger companies, you assume they have the right security infrastructure in place. And so, okay, trust but verify; that's what you do. The medium size — it's interesting — I'll just throw out some names: SAP, Oracle, Microsoft — "Oh yeah, they're fine" — trust but verify. Like, let's make sure. Then you have medium-level type companies like Deltek, Epicor, and QAD, and there are lots of different kinds of solutions that are industry best-of-breed that are Tier 2s, is what we call them. Those guys are interesting because often they run in the cloud in a data center that's not theirs.

And so, they won't really want to tell you what data center they run their apps in, because it's actually a security risk, like, "Oh, what's your data center?" "We're in this data center at this address." "Great, let's go blow it up and see what happens to that vendor." But I do think that the savvy CFO, controller, the people that are listening to our calls, directors of IT, CIOs — you have to hammer them, and you've got to get the right reports. We have one client that is a data center and engaged us for selection. They did go to the data center that the very large ERP vendor ran out of to investigate — and maybe do a little reconnaissance — but they did check it out to make sure that all the right controls are in place. So, the medium guys — you just watch out for the medium guys. That's all I'm saying. The big guys are probably fine, but verify the medium guys: have the discussion, and if you start to feel somebody saying something that's too technical, you say, "Knock it off. Give me the data that I need." Then you have a smaller vendor that maybe doesn't have that big of a customer base, and they're moving their applications to the cloud. You really need to be careful there, because there is a certain cost of business that a software vendor has: reinvesting into the product and building the next functionality set, hiring all the people and the developers. It makes your head spin. But what about the cost of cybersecurity and building that security into a solution? You really need to be careful with a vendor that's a little bit smaller, that maybe doesn't have the resources to think through that, in which case you really probably should talk to the CEO if it's a smaller vendor — and I'm talking about a company that maybe does $15 million in revenue per year or less — and you need to look that person in the Zoom eye and you need to say, "What are you really doing to prevent a cyber security breach? Be honest with me and tell me that." "Oh, we have an auditor that does penetration testing." "No, no, like, what are you really doing? Listen, I'm paying out of my pocket to have somebody come in and test my network five times a year to make sure that we don't do something stupid." Okay, cool, that takes five minutes. But you really want to get that verification from these cloud-based apps; don't just expect that the cybersecurity is working as you would expect.

Narrator: ERP Advisors Group is one of the country's top independent enterprise software consulting firms, advising mid- to large-sized businesses on selecting and implementing business applications, including ERP, CRM, HCM, business intelligence, and other enterprise applications, which equate to millions of dollars in software deals each year across many industries.

This has been The ERP Advisor.
