Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Greg Wendt,
Executive Director of Appsian
Top Security Trends and Challenges for ERP Systems
As we enter 2020, the criticality of ERP data protection will continue to shape security strategies across enterprises, producing new security priorities, measures and responsibilities for the business. With numerous data privacy regulations on the horizon, and more expected in the coming years, the cost and impact of data breaches will be greater than ever. That impact grows as organizations expand user access in the pursuit of productivity.
While ERP security and compliance strategies were once focused on identity authentication, roles and permissions, the complex landscape of 2020 demands that organizations take a data-centric approach. This will result in increased investment in fine-grained ERP access-control solutions that decide application access from user context (who the user is, but also where and how they are connecting) rather than from role alone. Security teams will make data, rather than systems, the top priority and increase investment in privileged access management (PAM). Dynamically managing access, especially privileged access, is a core strategy for preventing unauthorized ERP activity.
Outlined below are the four key security trends and corresponding challenges that enterprises must be aware of and prepare for. Each is as important as the others as we enter the new decade.
Enterprises can expect the rise in data breaches involving ERP systems to continue in 2020.
Because ERP systems were designed as monolithic application products, they do not evolve alongside an organization's changing IT environment and are hard to integrate with newer security initiatives. Keeping ERP systems up to date is and will remain very challenging, and because these applications are business-critical, enterprises are wary of replacing them entirely. To secure ERP systems in 2020, business owners must recognize how central the usability of ERP applications is to their operations. It is the business owner who is most familiar with the users, and as Gartner concluded, it is the user, not the provider, who fails to manage the controls that protect an organization's data. With the growing number of connected applications running across the company, such as payment and HR apps, business owners need to evolve their ERP security and go beyond firewalls.
In 2020, CIOs will shift from being systems technology experts to data-centric experts as security increasingly becomes a data-level issue.
As enterprises become more aware that the security of sensitive ERP data is a high priority, especially with the rise of data privacy regulations such as CCPA, there will be a rise in CDO roles as well as a shift in the CIO role from a focus on systems to a focus on data. This shift will bring challenges, as most CIOs' expertise lies in the systems side of ERP rather than its data. Yet the rise of data-centric compliance initiatives, together with the deployment of fundamental security tools such as multi-factor authentication and SSO within the enterprise, will ease the transition from a systems-centric CIO to a data-centric CIO. Additionally, from an organizational perspective, we can expect more CIOs and CISOs at the board level as organizations continue to mature, invest further in security and come to understand the operational budgets that security requires.
In the coming year, we can expect more enterprises to adopt privileged access management (PAM) as a key IT security project, along with more effective access controls in response to heightened third-party risk.
PAM is the first, fundamental level of data protection, privacy and compliance where logging and auditing are concerned, and with more data privacy regulations on the horizon, PAM will become a key IT security project in the coming year. Additionally, given that the majority (83%) of organizations that engage third parties to provide business services have identified risks in doing so, organizations must hold all third parties to greater liability and bind them contractually to data-handling obligations in the event of a breach in 2020.
Users will increasingly demand ERP access beyond their corporate networks.
As organizations continue to ask more of their employees, employees will insist that their ERP transactions be available from any location, at any time. To maintain high levels of security, ERP transactions have traditionally been available only from behind corporate firewalls. This model causes immediate user push-back, especially as more organizations rely on mobile workforces to scale and keep the business running in the coming years. When enterprises insist that employees execute ERP transactions only when connected to the corporate network, users will inevitably work around the restriction, which increases strain on the organization across functions. Therefore, in 2020 we can expect more organizations to invest in solutions that enhance access controls and logging, so that access can be opened up without losing visibility. More and more organizations will come to understand that expanding access is a table-stakes initiative as productivity requirements shift and demand that users be as mobile as possible.
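The contextual access control described earlier (deciding ERP access from user context rather than role alone) and the off-network access with enhanced controls and logging discussed in this trend are the same mechanism seen from two sides. The following is an added example written for this page; it is not Appsian product code and does not describe any real PeopleSoft component. The transaction names, sensitivity levels, role entitlements, business-hours window and sample requests are all constructed assumptions. It layers three checks: the traditional role entitlement, the request context (corporate network, MFA, managed device, time of day), and the sensitivity of the data the transaction touches, and it records every decision so the log can be queried afterwards.

```python
"""Context-aware access decisions for ERP transactions, with an audit trail.

Added illustration only: not Appsian product code. The transaction names,
sensitivity levels, role entitlements and request contexts below are all
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Data sensitivity of each transaction and the roles entitled to run it.
# Constructed sample policy; the names are not real PeopleSoft components.
SENSITIVITY: Dict[str, str] = {
    "view_own_payslip": "low",
    "view_employee_ssn": "high",
    "change_direct_deposit": "high",
    "run_payroll": "privileged",
}
REQUIRED_ROLES: Dict[str, Set[str]] = {
    "view_own_payslip": {"employee"},
    "view_employee_ssn": {"hr_admin"},
    "change_direct_deposit": {"employee"},
    "run_payroll": {"payroll_admin"},
}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local; assumed window for off-network privileged work


@dataclass(frozen=True)
class Context:
    """Request attributes beyond identity: where and how the user connects."""
    user: str
    roles: frozenset
    on_corporate_network: bool
    mfa_verified: bool
    managed_device: bool
    hour: int  # local hour of the request, 0-23


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    mask_sensitive_fields: bool = False  # data-level control: serve the page, redact sensitive fields


AUDIT_LOG: List[dict] = []  # every decision, allowed or denied, retained for auditing


def _evaluate(transaction: str, ctx: Context) -> Decision:
    if transaction not in SENSITIVITY:
        return Decision(False, "unknown transaction")  # fail closed
    if not (REQUIRED_ROLES[transaction] & ctx.roles):
        return Decision(False, "role not entitled to transaction")  # the traditional role check
    level = SENSITIVITY[transaction]
    if level == "low":
        return Decision(True, "low sensitivity")
    if level == "high":
        if ctx.on_corporate_network:
            return Decision(True, "high sensitivity on corporate network")
        if not ctx.mfa_verified:
            return Decision(False, "high sensitivity off-network requires MFA")
        # Off-network with MFA: grant the transaction but redact the sensitive fields.
        return Decision(True, "high sensitivity off-network with MFA", mask_sensitive_fields=True)
    # privileged: MFA everywhere; off-network also needs a managed device during business hours
    if not ctx.mfa_verified:
        return Decision(False, "privileged transaction requires MFA")
    if ctx.on_corporate_network:
        return Decision(True, "privileged on corporate network with MFA")
    if not ctx.managed_device:
        return Decision(False, "privileged off-network requires a managed device")
    if ctx.hour not in BUSINESS_HOURS:
        return Decision(False, "privileged off-network allowed only in business hours")
    return Decision(True, "privileged off-network: MFA, managed device, business hours")


def decide(transaction: str, ctx: Context) -> Decision:
    """Evaluate role, then context, then data sensitivity, and record the outcome."""
    decision = _evaluate(transaction, ctx)
    AUDIT_LOG.append({
        "user": ctx.user, "transaction": transaction, "on_network": ctx.on_corporate_network,
        "mfa": ctx.mfa_verified, "managed": ctx.managed_device, "hour": ctx.hour,
        "allow": decision.allow, "masked": decision.mask_sensitive_fields, "reason": decision.reason,
    })
    return decision


def users_with_denials(min_denials: int) -> List[str]:
    """Users whose denied attempts reach a threshold: a simple review query over the audit log."""
    counts: Dict[str, int] = {}
    for entry in AUDIT_LOG:
        if not entry["allow"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= min_denials)


if __name__ == "__main__":
    hr_from_home = Context("bob", frozenset({"hr_admin"}), False, True, True, 10)
    print(decide("view_employee_ssn", hr_from_home))
    payroll_from_cafe = Context("carol", frozenset({"payroll_admin"}), False, True, False, 10)
    print(decide("run_payroll", payroll_from_cafe))
    print(users_with_denials(1))
```

The point of the masking branch is that "allow" and "deny" are not the only answers: an HR administrator working from home with MFA can still open the record, but the SSN is redacted until they are on the corporate network. Denials are logged alongside approvals, since a run of denied privileged attempts from an unmanaged device is exactly the pattern a security team wants to see when reviewing the log.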
The number of data compliance laws has doubled in the past two years, and the Ponemon Institute recently reported that the global average cost of a data breach has risen to $3.92 million. The cost of a data breach is catastrophic to an organization and will only increase from here. Businesses must invest in strategic data security systems to prepare for evolving threats and comply with modern regulations.
About the Author
Greg Wendt is an Oracle PeopleSoft security expert. During his 17-year career, he has been recognized as a leader in data security, application architecture and business operations. He served as ERP Application Architect at TCU, where he was responsible for TCU's PeopleSoft system, and was Chairman of the Higher Education User Group's multinational Technical Advisory Group (HEUG TAG). Greg has led criminal justice and cyber security courses focusing on hacking techniques.