Page 21 - Risk Management Bulletin April-June 2022
RMAI BULLETIN APRIL - JUNE 2022


their systems. But companies may still be vulnerable because of lack of focus, lack of sufficient resourcing, or lack of understanding about how best to address cyber issues. Some companies, for example, have put their main focus on ERP upgrades and cloud migrations, leaving fewer resources available to focus on cyber. Meanwhile, ERP skills are scarce resources and usually cannot be replaced by general skills available in the IT organization. We have seen many companies reduce investments in maintaining existing ERP systems, including cyber protections, in preparation for their migration.

For companies upgrading their ERP systems, this could be the time to review policies and potentially upgrade security postures to counter cyberattacks.

Protecting ERP systems from cyberattacks has unique challenges

In our experience, one reason companies have not secured their ERP systems as thoroughly as they should is that the sheer size and complexity of the task is overwhelming. ERP systems consist of a wide array of elements, including process and workflow, master data and data warehouse, an underlying computational infrastructure, a large storage network—and dozens if not hundreds of interfaces and integration points with other IT applications inside and outside of the organization.

Exacerbating this complexity is that companies often do not have global transparency into what's actually happening in their ERP systems, from what data is passing through, to what interfaces there are with various other systems, to what transactions are happening.

Furthermore, ERP systems have interconnections between internal applications and external data sources and systems, such as a supplier's supply-chain or logistics system. It may be difficult to understand the various dependencies, which means that protecting any single part of the system may not help, because each interconnection may be a vulnerability.

This interdependency issue is further compounded because the ERP group is often separate from the rest of the company's applications and infrastructure teams. We often see it split between an operating team within IT and a process-design and process-maintenance team within a business unit, most often finance. This hybrid virtual team is often run like a silo within each organization, which creates yet more interfaces between the security team and the ERP team.

For these reasons, we find that many tech leaders are unclear about where to start and consider the target state dauntingly distant.

Making your ERP system cybersecure

There are well-established practices to secure systems from cyberattacks. But the scale and complexity of ERP systems mean that companies may need to adjust their cyber recipes. While there is no such thing as a perfectly protected environment, there are seven activities that companies should consider to better detect, defend against, and recover from cyberattacks.

1. Identify your most important information

Businesses rarely have a clear view of what—and where—their most important data and systems are. Companies that follow best practices, however, are systematic in identifying which systems matter most by assessing the varying implications of potential cyberattacks. Will the attack bring down the entire system? Is there a workaround? Is the impact of the attack nominal (such as a delay in sending out bills), or will it result in the loss of revenue (such as lost bills)? Customer data is often identified as critical. Because that data tends to be stored in many different places, companies may need to invest the time to track down all the places where it lives and identify the interfaces that provide access to it.

2. Create a road map to identify all the interfaces with the system

Mapping the complexity of the system landscape and its interconnection points is a challenge in IT management, and it is no less difficult when it comes to ERP. A map of all the interfaces of the ERP system with related data flows is helpful. In many cases, these interfaces are either relics of legacy programs, little-
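The following is an added worked example, not code from the bulletin or from any ERP vendor, showing how steps 1 and 2 above can be made concrete in a small inventory model: each system is rated with the three step-1 questions (does an attack bring the whole system down, is there a workaround, is the impact nominal or revenue-affecting), and the interface map from step 2 is searched to find every place a critical data class such as customer data lives and every interface chain through which it can be reached. All system names, interface names and data classes below are constructed placeholders, and treating each interface as a two-way foothold regardless of its nominal data-flow direction is a defender's assumption, not something the bulletin states.

```python
"""Added example (not from the bulletin): rank ERP-connected systems by
attack impact (step 1) and trace the interfaces that expose a critical
data class (step 2). Every name below is a constructed placeholder."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    holds: frozenset        # data classes stored on this system
    outage_scope: str       # "entire" or "partial": does an attack bring the whole system down?
    workaround: bool        # is there a manual or alternate process?
    impact: str             # "nominal" (delayed bills) or "revenue" (lost bills)
    external: bool = False  # lives outside the organisation (supplier, logistics)


@dataclass(frozen=True)
class Interface:
    name: str
    src: str
    dst: str
    data: frozenset         # data classes that flow src -> dst
    documented: bool = True  # False for relics of legacy programs nobody owns


def impact_score(s: System) -> int:
    """Step 1: turn the three assessment questions into a comparable rank."""
    score = 0
    if s.outage_scope == "entire":
        score += 3          # whole system down outweighs a partial outage
    if not s.workaround:
        score += 2          # no manual fallback
    if s.impact == "revenue":
        score += 2          # lost revenue outweighs a delay
    return score


def rank_systems(systems):
    return sorted(systems, key=lambda s: (-impact_score(s), s.name))


def locations_of(systems, data_class):
    """All places the data class lives (it is usually stored in many)."""
    return sorted(s.name for s in systems if data_class in s.holds)


def reachable_stores(systems, interfaces, data_class, start):
    """Step 2: breadth-first search over the interface map from `start`.
    Returns {store_name: [interface names on the shortest chain]} for every
    store of `data_class` reachable from `start`. Interfaces are walked in
    both directions (assumption: an interface is a foothold either way)."""
    stores = set(locations_of(systems, data_class))
    adj = {}
    for i in interfaces:
        adj.setdefault(i.src, []).append((i.dst, i.name))
        adj.setdefault(i.dst, []).append((i.src, i.name))
    paths = {start: []}
    queue = deque([start])
    found = {}
    while queue:
        node = queue.popleft()
        if node in stores and node != start:
            found[node] = paths[node]
        for nxt, via in adj.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [via]
                queue.append(nxt)
    return found


def exposing_interfaces(systems, interfaces, data_class):
    """Interfaces that carry the data class or touch a system storing it."""
    stores = set(locations_of(systems, data_class))
    return sorted(i.name for i in interfaces
                  if data_class in i.data or i.src in stores or i.dst in stores)


def undocumented_exposures(systems, interfaces, data_class):
    """Legacy relics that expose the data class: first candidates for the road map."""
    stores = set(locations_of(systems, data_class))
    return sorted(i.name for i in interfaces
                  if not i.documented and (i.src in stores or i.dst in stores))


# Constructed inventory for illustration only.
SYSTEMS = [
    System("erp_core", frozenset({"customer", "orders", "finance"}), "entire", False, "revenue"),
    System("billing", frozenset({"customer", "invoices"}), "partial", False, "revenue"),
    System("crm", frozenset({"customer"}), "partial", True, "nominal"),
    System("data_warehouse", frozenset({"customer", "orders"}), "partial", True, "nominal"),
    System("legacy_reporting", frozenset(), "partial", True, "nominal"),
    System("supplier_portal", frozenset({"orders"}), "partial", True, "nominal", external=True),
    System("logistics", frozenset(), "partial", True, "nominal", external=True),
]
INTERFACES = [
    Interface("if_crm_erp", "crm", "erp_core", frozenset({"customer"})),
    Interface("if_erp_billing", "erp_core", "billing", frozenset({"customer", "invoices"})),
    Interface("if_erp_dwh", "erp_core", "data_warehouse", frozenset({"customer", "orders"})),
    Interface("if_supplier_erp", "supplier_portal", "erp_core", frozenset({"orders"})),
    Interface("if_logistics_erp", "logistics", "erp_core", frozenset({"orders"})),
    Interface("if_dwh_legacy", "data_warehouse", "legacy_reporting", frozenset({"orders"}), documented=False),
]

if __name__ == "__main__":
    for s in rank_systems(SYSTEMS):
        print(f"{impact_score(s):2d}  {s.name}")
    print("customer data lives in:", locations_of(SYSTEMS, "customer"))
    for store, chain in reachable_stores(SYSTEMS, INTERFACES, "customer", "logistics").items():
        print(f"from logistics -> {store} via {' -> '.join(chain)}")
    print("undocumented exposures:", undocumented_exposures(SYSTEMS, INTERFACES, "customer"))
```

Running it shows why the bulletin says protecting any single part may not help: the external logistics link carries no customer data itself, yet two interface hops from it reach every system that stores customer data, and the one undocumented relic sits directly on a customer-data store.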
