The New York Times recently reported on the vulnerabilities of ERP systems. Hackers have sought to exploit old security flaws in Oracle and SAP software to gain access to confidential and sensitive corporate data such as financial records, employees’ personal information, and industrial secrets.
Although Oracle and SAP release security patches on a regular basis, organizations are often reluctant to apply them for fear they might create disruptions in day-to-day system operations. Experts warn against this kind of apathy and a rush to link back-office systems to the cloud.
This post is based on the New York Times article, Study Warns of Rising Hacker Threats to SAP, Oracle Business Software, by Reuters, July 25, 2018. Image source: Shutterstock / Zbitnev.
1. Why are data breaches into an ERP system potentially more dangerous than those into a stand-alone, specialized software application?
Guidance: Discuss the integration inherent in ERP systems. To facilitate this discussion, review the overlaps of the major business functions and the information exchanges among major and support functions. For example, new R&D projects (operations/engineering) need funding (finance), human resources (HR), and may require the use of specialized technologies (IT). The single shared database offers a wealth of data on the organization and its partners, making it a prime target for hackers.
2. Explain why organizations may be reluctant to apply security patches as soon as they become available.
Guidance: Security administrators sometimes delay the application of patches to avoid “patch fiascos” such as system crashes, slower systems, and changes in users’ preferred settings. Security administrators may prefer to wait and see whether other users report problems with the new patch. If problems are reported, they delay applying the patch until the vendor releases a fix. In other cases, they test the patches on a limited basis before applying them to the entire ERP system. This may cause slight delays, but the reduced risk of disruption may be worth it.
3. Oracle once released a monthly patch batch covering 270 security vulnerabilities. Should Oracle try to fix all the bugs before selling the software in the first place?
Guidance: Discuss the pros and cons of releasing software early without sufficient testing. Pros: early generation of revenue and release of software on promised due date. Cons: negative impact on reputation when customers experience problems, lawsuits, loss of future sales. Also consider the difficulty of uncovering all possible bugs in very complex systems.
4. Explore how hackers’ initial access to the inventory module of an ERP system could have disastrous financial implications for the organization being hacked.
Guidance: Discuss the links between inventory data and 1) product design, 2) purchasing and financial information, 3) supply chain partners’ information, and 4) customers’ information. Access to industrial secrets, financial information, and information on additional hacking victims (i.e., partners and customers) could trigger loss of competitive advantage, loss of funds, and loss of reputation. Moreover, employee time spent on recovery might be substantial.