October is National Cyber Security Awareness Month, and though all system security is crucial, it could be said that enterprise security solutions are among the most important.
Enterprise Resource Planning software contains delicate and vital information for your company, from financials, customer data, and credit card information, to trade secrets. Enterprise security software should be on the forefront of any company’s security preparations.
Above and beyond any type of enterprise security software or other solutions, the most important protection you have against a cyber attack is within your organization itself.
The first thing you will need to do is build a security culture within your company. Everyone at your company must be involved, no matter what their position is. Creating a cyber secure culture is not a sprint, it’s a marathon. It’s not just checking off boxes to make sure you’re compliant with a regulation and then moving onto your next project.
Cyber security awareness training that happens only once a year is simply not good enough to keep your company safe. Enterprise security needs to happen all the time. It needs to become a part of your company’s culture, a part of who your employees are when they are in the office, as well as outside the office as part of their normal day-to-day activities. Only with constant vigilance do we have a hope to keep our systems safe from attack.
For enterprise security systems and practices to really work, remember that your employees’ actions are going to be more prominent than what they know. You can train and train your people on what measures to take, but it won’t work unless people care. In addition to knowing what steps to do to keep systems secure, people need to know why it’s important.
As much as we can discuss cyber security measures at home and at the office, remember that ERP software system security is different.
Your organization could have the best enterprise security systems in place, but an attack could still happen. These types of attacks are devious: once someone clicks on a link in a phishing email, it can execute malicious code inside your firewall and infiltrate your organization in seconds. Your ERP software could be infected instantly, and rather than taking down just one department or one system, it could take down your entire organization.
Before investing in enterprise applications, find out what steps a given software provider is taking to improve cyber security. Ask the company to tell you what measures they are taking to protect your data. Don’t assume they have it under control — truly understand what they are doing, and make sure you are comfortable with those cyber security methods.
It may seem like a safe action to have your ERP systems in the cloud, but this is not an absolute truth. When you think about it, the “cloud” is just somebody else’s computer, and while many cloud solutions are very secure, they must be evaluated on a case-by-case basis. After you put enterprise security solutions in place at your own organization, you must ensure that any third-party you work with has their own security best practices in place as well.
Even if you know the company, it is still important to ensure they have enterprise security systems in place for their cloud applications. There is an old saying: Trust but verify. You can trust your third-party vendor implicitly, but it is in your organization’s best interest that you still verify what security measures they are employing.
If you don’t know what questions to ask, or what types of enterprise security software a possible ERP partner should have, you may need to bring in an expert to assist.
The first cyber security risk for most organizations is not knowing what data they have and what data should be protected. Be sure you understand and track any data that is being saved in your systems or sent into the cloud. Always know what is being stored and where, and then ensure those locations are secured.
Second, and perhaps the most dangerous element in any organization, is people. Unfortunately, humans can be considered the weakest link when it comes to enterprise security. Phishing is one of the top attack vectors cyber criminals use to gain access into organizations, and people are often the way they get inside.
But there is a caveat to the above. People are only the weakest link when they haven’t been educated. If a person hasn’t been made aware of the dangers and how to prevent an attack, they are going to be susceptible to such an attack. Remember that people as a whole are incredibly intelligent, and they can learn what to do to protect your organization. When cyber security education is encouraged, your people actually become one of the strongest assets that you can have for preventing cyber attacks.
In this section, we will break down exactly how cyber criminals work, from the first steps they take to get into your system, to what happens once they are in, and how they will attempt to cripple your organization. Cyber-attacks include following steps:
Cybercriminals have all the same technology and systems that you have in your organization, in their own environments. They set up all the same spam-blocking software and antivirus software. They test their phishing emails in those environments to see which ones get through. They are always testing and running through different scenarios to build up a repertoire of tools that will work.
An attack will often come from a phishing email, which is more generic and designed to deceive almost anyone. But sometimes a cyber criminal will create “spear phishing” emails, which are designed to get into a specific organization. They will start by looking for email addresses within your organization, using free tools to help them harvest emails online.
Once they have the email addresses, they’ll create an email with a link. For example, let’s say a new CEO just started at your company. The attackers will design an email that looks like it’s from the new CEO and include some exciting news, such as announcing a new daycare facility or maybe even that layoffs are coming – anything that generates enough fear, curiosity or excitement to get someone to click on the link or open the attachment.
Once someone clicks, they have started connecting to the cyber criminal’s server. It may even display what looks like your company website, so that the employee will log in and the criminal will steal their user credentials. The fake website can even look legitimate enough that the employee continues to work, but in the background a file is being downloaded onto their computer. Known as a dropper file, this can take over the employee’s computer without them being aware.
After the cyber criminals get inside, they start looking at your network to see what systems your organization has. The door has been opened, and now they can go in and out as they please, taking their time to learn as much as they can. They’ll look at your different systems, find the main server, and maybe even create their own user credentials or VPN access so that they don’t have to keep using the original user’s credentials or laptop to get in every time. To set up the ransom, they need to find your sensitive data, intellectual property, employee records — anything that they know a company will pay to have back.
Once they have everything needed to attack your system, they launch the ransomware. They will encrypt all of your organization’s available data, but leave the system running because they need you to reboot. Or they may wipe out all the data so that you must shut down – an extra step to ensure they have crippled your organization. Often they will leave behind nothing but a ransom note, instructing you to visit what's called a “TOR browser”, which stands for The Onion Router network — an anonymous network used by denizens of the dark web to keep users locations and identities hidden.
They will give you information on how much bitcoin they want, depending on your company’s profits and how much they have determined you can pay. They will also put a time limit on how quickly you must pay up, which is usually 72 hours.
Now you have to make a very difficult decision: Do we pay? Do we attempt to restore from backup? What do we need to do next? Even if you decide to pay, it takes time to set up a bitcoin wallet and transfer money to it if you don’t already have one. And you may have to ask the hackers for an extension, which could bring the price up even more.
Sometimes you may be able to negotiate the ransom price down. But whether you decide to pay or try to negotiate, in either case you are probably going to need some help, and there are organizations you can contact that will come in and negotiate with the cyber criminals for you.
The cost of an cyber attack can be more than just the price of the ransom to return your ERP systems. You will need to account for downtime while the systems were out of operation, as well as loss of revenue and productivity. There are also the factors of your company’s reputation and the effects a cyber attack could have on future sales. There are also employees to consider, if production drops to a point where you have to let people go and pay them damages.
Even if production is not affected, anyone’s job could be at risk after a cyber security breach. When these types of situations occur, people can be fired for not making sure there were enough cyber security solutions set up in the first place.
As sobering as it is to read the above description of a cyber attack, an enterprise security attack could be even more devastating. If your technology infrastructure goes down, that also means your ERP will go down as well. If an attack occurs, how would your company function? How would salespeople enter orders into the system? Having the proper enterprise security solutions in place will be vital to your company’s future.
Beyond the scope of the technical aspect of an enterprise security breach is the emotional impact it can have on people. Whether it happens within your organization or to a vendor, a cyber security attack will affect your team. The controllers, the salespeople, and the accounting people are all just trying to get their work done, and a cyber attack can create an environment of stress and fear. This can rattle people and affect them in the office as well as at home, so it is vital to recognize the effects it can have and take actions to address workplace morale in the wake of an attack.
Cyber security experts often say that there are two types of organizations in the world: ones that have been breached, and ones that have been breached and don’t know it yet.
While it is crucial for your organization to have enterprise security systems and software in place, even those that are prepared may only be able to minimize the damage from an attack. In today’s world, it is nearly impossible to guarantee that your company won’t be attacked by a cyber criminal, but you can mitigate the destruction.
The average cost of ransomware has been on the rise in recent years. A few years ago, an attacker might have asked for a ransom around $500 to $600 per machine. Starting last year, the amount has gone up to the hundreds of thousands of dollars and is heading into the millions of dollars.
When the inevitable happens, having cyber insurance or funds set aside in your budget for ransom will be vital to your company’s survival. Having either of these measures in place will allow your company to pivot and return to production as quickly as possible after an attack.
As frightening as a cyber attack sounds, it is not all bleak news. Despite the fact that there are cyber criminals out there who only want to destroy companies for a profit, there is something you can do about it.
The mindset is no longer: How do you keep the bad guys out? Instead, the mindset now must be: The bad guys are in your network. How do you protect your data from getting stolen? If an attack comes in, you need the ability to spot it, contain it, and get rid of it as soon as possible.
Whether you have never had an enterprise security attack, or you have experienced one and understand the difficulties in recovery, always be prepared. The next cyber attack can come at any time, but the more preparation you have, the less damage it can cost your organization.
Very special thanks to James R. McQuiggan, CISSP at KnowBe4, for helping us with this article and participating in our video and podcast.