There is often a good deal of apprehension around conducting security assessments on ERP systems, such as SAP and Oracle E-Business Suite (EBS). It’s akin to opening the kimono to your colleagues and management and exposing everything you don’t want them to see. But the first step in solving a problem is acknowledging you do in fact have one. When you first see the results of your assessment, there are a few things to remember.
1) You’re likely not alone. Security of ERP systems has often taken a back seat to phishing scams, Malware, DDoS and other more headline grabbing issues. Other than the IT teams (DBAs and BASIS) managing them, there has been little visibility into ERP security settings and configurations ― so there’s typically little institutional knowledge within the security team around what vulnerabilities exist in the system and how to handle them. However, evidence and data is showing that we’re now seeing ever-increasing attacker activity aimed at these ERP systems and more specifically at the critical business application layer. This means that identifying and getting ahead of vulnerabilities at the application layer is getting more and more important.
2) You’re part of the solution, not the problem. Just because you’re not looking for it, doesn’t mean that the problem doesn’t exist. By proactively understanding where you are, you can get ahead of the attacker, and ahead of your peers. After all, cybercriminals are as opportunistic and as driven by return on investment as any business. Often, when faced with a well-patched and well-configured system, they’ll move on to an easier target where they can get more bang for their buck.
3) You’re helping your organization respond ― not react . Everyone hates unplanned work. It’s expensive, it’s morale draining and it draws away from your core mission. Proactively uncovering issues gives you the opportunity to create a plan to fix things in order of priority, in amongst everything else you need to do, and in line with its impact on the business. Use the results of your assessment to your advantage and the positive impact you can have for your organization on establishing a secure and compliant state for your ERP system.
4) Your scan may come back looking good. If so, this is a good thing! Demonstrating your efforts to look for specific ERP vulnerabilities and misconfigurations that may exist in your environment to your internal and external auditor, compliance people and the IT security team is often time consuming and painful, but also necessary. Auditors are evolving too ― one large IT service provider we spoke to recently changed auditors and remarked how the new auditor gave their Oracle EBS system much more attention than the previous incumbent, forcing some urgent and awkward conversations.
These are all areas where Onapsis can help reduce the agita around your ERP security assessment. In the context of your Oracle EBS implementation and the business-critical application, we offer our complimentary Onapsis Business Risk Illustration , or simply an assessment, that takes a few minutes to set up and quickly gives you an understanding of your current security and risk posture. Seeing these results and working with you, we can remove your trepidation and set you on the way to truly addressing security risk in your business-critical applications. Talk to us today about how you can engage with Onapsis for your own assessment.