Page 23 - Risk Management Bulletin April-June 2022
opted for daily backups and kept 30 days’ worth of historic images. Keeping a historic image in a separate storage network was expensive, but it allowed the company to better protect its systems. The company runs regular restore exercises in which a random sample of historic backup images is restored. If parts of the sample can no longer be restored, the company initiates the emergency plan to fight the attack attempt, thereby also limiting loss of data to a maximum of just 30 days’ worth.

6. Make ERP teams an integral part of cyberattack-response exercises

Practicing how to respond to ERP cyberattacks works only if the ERP teams are actively part of the exercises. Too often, ERP teams are treated as adjuncts to cyberattack exercises or not even consulted at all. But their knowledge is crucial to ensure that the exercises are realistic and test systems across the business.

For example, ERP teams could help to make sure that response exercises test ERP systems’ end-to-end processes rather than isolated databases or parts of the systems; that they are based on an understanding of the potential effects of an attack on the business and the processes that are in place to respond; and that they include ways to prioritize responses during an attack. Without a clear set of well-documented and easy-to-access reaction protocols, the inevitable confusion of a cyberattack will be exacerbated by the potential scale of its impact.

7. Be more systematic in hardening ERP systems

A number of best practices have been established to improve cybersecurity that can be applied to an ERP system. One of them is restricting access to the ERP system to users with multifactor authentication (MFA) and through virtual private networks (VPNs); another is conducting regular vulnerability scans and pen tests to measure how long it takes to spot and respond to attacks. Since ERP systems are so large, automated scans can take more than two days, so a best practice is to do them on a rolling basis for targeted parts of the system, process by process or module by module.

Companies could also use their efforts to migrate their apps and systems to the cloud as an opportunity to improve how they address cybersecurity. Security as code (SaC) has been the most effective approach to securing cloud workloads with speed and agility. SaC defines cybersecurity policies and standards programmatically, so that they can be referenced automatically in the configuration scripts that provision cloud systems. If the business, for example, sets up a policy that all personally identifiable information (PII) must be encrypted when it’s stored, that policy could be applied through a process that is automatically launched whenever a developer submits code, prompting the rejection of any code that violates the policy.

During ERP migrations to the cloud, there is a tendency to focus on the migration and reduce the attention paid to the parts of the ERP system that remain on premises. Companies may need to combat that tendency and continue to allocate resources to regular patching and maintenance updates to on-premises ERP systems.

No ERP system is hacker proof. But by implementing sound cyber practices, heightening collaboration with government (for example, with the National Institute of Standards and Technology and the task forces on global supply-chain security established by the US Department of Homeland Security), and actively monitoring ERP systems, companies could potentially reduce the threat to their most vital business systems.
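The security-as-code gate described in section 7 (a PII-at-rest encryption policy evaluated automatically when a developer submits provisioning code, rejecting any submission that violates it), as an added example that is not part of the bulletin. The resource schema (type, name, data_classification, encryption) and the sample submission are constructed for illustration and do not correspond to any real cloud provider's API.

```python
"""Security-as-code gate: reject a provisioning submission whose
resources hold PII without approved encryption at rest.
Resource fields below are an assumed schema for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PII_CLASSES = {"pii", "pii-sensitive"}          # classifications the policy covers
APPROVED_CIPHERS = {"AES-256", "AES-256-GCM"}   # ciphers the policy accepts


@dataclass
class Resource:
    type: str                   # e.g. "bucket", "database"
    name: str
    data_classification: str = "internal"
    # constructed shape: {"at_rest": bool, "algorithm": str}
    encryption: Dict = field(default_factory=dict)


def pii_encrypted_at_rest(res: Resource) -> Optional[str]:
    """Policy: PII resources must be encrypted at rest with an approved cipher.
    Returns a violation message, or None when the resource complies."""
    if res.data_classification.lower() not in PII_CLASSES:
        return None                            # policy does not apply
    enc = res.encryption
    if not enc.get("at_rest", False):
        return f"{res.type} '{res.name}': PII stored without encryption at rest"
    if enc.get("algorithm") not in APPROVED_CIPHERS:
        return f"{res.type} '{res.name}': unapproved cipher {enc.get('algorithm')!r}"
    return None


POLICIES: List[Callable[[Resource], Optional[str]]] = [pii_encrypted_at_rest]


def evaluate(resources: List[Resource]) -> List[str]:
    """Run every registered policy over every resource and collect violations."""
    violations = []
    for res in resources:
        for policy in POLICIES:
            msg = policy(res)
            if msg:
                violations.append(msg)
    return violations


def gate(resources: List[Resource]) -> bool:
    """CI gate run on submission: True = accept, False = reject."""
    return not evaluate(resources)


# Constructed sample submission: compliant PII bucket, unencrypted non-PII
# bucket (allowed), unencrypted PII database and PII bucket with a weak cipher.
SAMPLE = [
    Resource("bucket", "payroll-exports", "pii", {"at_rest": True, "algorithm": "AES-256-GCM"}),
    Resource("bucket", "public-assets", "public"),
    Resource("database", "hr-master", "PII", {"at_rest": False}),
    Resource("bucket", "crm-backups", "pii-sensitive", {"at_rest": True, "algorithm": "RC4"}),
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE):
        print("REJECT:", v)
    print("accepted" if gate(SAMPLE) else "rejected")
```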