Enterprise resource planning (ERP) systems are the "crown jewels" of a business: customer data, stock levels, orders, production plans, contracts. They also manage financial and operational processes without which the business could not function.
Cyber attacks increasingly target ERP systems. Supply chain attacks rose 42% in the first quarter of 2021, impacting up to seven million people. Threats against industrial control systems and operational technology more than tripled in 2020. Companies need to protect their systems. This is complicated because the systems are complex and interdependent, often separated from other operations.
According to McKinsey, there are seven activities to make ERP systems secure.
- Identify your most important information.
- Create a road map to identify all interfaces with the system. Determine which ones are still needed, and eliminate those that aren't.
- Install "middleware" to maintain data flows. This makes it easier to shut down when an interface is under attack.
- Reduce vulnerabilities and data flows where possible.
- Stop backing up hacked systems. By running backups daily or weekly, it is easier to spot an attack before backups are encrypted.
- Make ERP teams an integral part of cyber attack response exercises.
- Be more systematic in hardening ERP systems. Restrict access to users with multi-factor authentication, use virtual private networks, and conduct vulnerability scans and penetration tests.
The article is at https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/seven-steps-to-help-protect-your-erp-systems-against-cyberattacks.