Most manufacturers use an ERP system, but how can CISOs in the industrial midmarket prevent their ERP from being an unlocked door for cybercriminals? Broken down into three phases, this is how ERP cybersecurity should be addressed.

Getting started
Conduct a security risk assessment
The first step to securing an ERP system is understanding where its vulnerabilities lie. Companies should begin by mapping out the system’s operating platform as well as its full architecture, including all third-party integrations and data flows. This helps identify potential weak points, such as legacy modules or insecure APIs.
A formal risk assessment should evaluate both internal and external threats, including insider misuse, phishing, and ransomware. This initial audit forms the basis of any meaningful ERP cybersecurity strategy.
Strengthen access controls
ERP systems hold some of the most sensitive data in an organisation, so access must be tightly controlled. Role-based access control (RBAC) ensures users can reach only the functions and data their job requires. Multi-factor authentication (MFA) should be deployed across the board, and user privileges reviewed regularly so that dormant accounts and excess entitlements are removed; service and integration accounts deserve the same review, since they are rarely covered by MFA and often hold broad rights. The principle of least privilege applies above all to administrators, whose roles tend to accumulate permissions that conflict with the segregation of duties the finance function relies on.
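As an added example (not from the original article), the following Python script shows what a periodic privilege review looks like once it is automated: it walks a constructed export of ERP accounts and their roles, resolves each account's effective permissions, and flags dormant accounts, accounts without MFA, administrator roles without a recorded justification, and segregation-of-duties conflicts. The role names, permission strings, account data and conflict rules are all invented for illustration; a real review would read them from the ERP's user and authorisation tables.

```python
"""Periodic ERP entitlement review (added example, not from the article)."""
from datetime import date, timedelta

# Constructed role-to-permission map standing in for the ERP's authorisation objects.
ROLE_PERMISSIONS = {
    "AP_CLERK":    {"vendor.view", "invoice.enter"},
    "AP_MANAGER":  {"vendor.view", "invoice.enter", "payment.approve"},
    "PROCUREMENT": {"vendor.create", "po.create"},
    "HR_ADMIN":    {"employee.view", "payroll.edit"},
    "SYS_ADMIN":   {"user.manage", "config.edit"},
}

# Hypothetical segregation-of-duties rules: no one account should hold both permissions.
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),   # create a supplier and pay it
    ("po.create", "payment.approve"),       # raise an order and release the payment
    ("user.manage", "payroll.edit"),        # create users and change pay
]

PRIVILEGED_ROLES = {"SYS_ADMIN"}      # roles that need a recorded business justification
DORMANT_AFTER = timedelta(days=90)    # review threshold; an assumption, tune to policy

# Constructed account export: what a user/role dump from the ERP might contain.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    {"user": "alice",   "roles": ["AP_CLERK"],                  "last_login": date(2024, 5, 29), "mfa": True,  "admin_approved": False},
    {"user": "bob",     "roles": ["PROCUREMENT", "AP_MANAGER"], "last_login": date(2024, 5, 31), "mfa": True,  "admin_approved": False},
    {"user": "carol",   "roles": ["HR_ADMIN"],                  "last_login": date(2023, 11, 2), "mfa": False, "admin_approved": False},
    {"user": "svc_edi", "roles": ["SYS_ADMIN"],                 "last_login": date(2024, 5, 31), "mfa": False, "admin_approved": False},
    {"user": "dave",    "roles": ["SYS_ADMIN", "HR_ADMIN"],     "last_login": date(2024, 5, 30), "mfa": True,  "admin_approved": True},
]


def effective_permissions(roles):
    """Union of the permissions granted by every role the account holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def review_accounts(accounts, today):
    """Return a list of findings; an empty list means the account set is clean."""
    findings = []
    for acct in accounts:
        user, roles = acct["user"], acct["roles"]
        perms = effective_permissions(roles)

        # Dormant accounts are a favourite foothold: nobody notices when they are used.
        last = acct["last_login"]
        if last is None or today - last > DORMANT_AFTER:
            findings.append({"user": user, "issue": "dormant",
                             "detail": f"last login {last}"})

        # MFA 'across the board' includes service accounts, which often lack it.
        if not acct["mfa"]:
            findings.append({"user": user, "issue": "no_mfa", "detail": ""})

        # Administrator roles without a recorded business justification.
        admin_roles = PRIVILEGED_ROLES & set(roles)
        if admin_roles and not acct["admin_approved"]:
            findings.append({"user": user, "issue": "unjustified_admin",
                             "detail": ",".join(sorted(admin_roles))})

        # Toxic combinations across roles, the usual form of 'excessive privilege'.
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append({"user": user, "issue": "sod_conflict",
                                 "detail": f"{a} + {b}"})
    return findings


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{f['user']:<8} {f['issue']:<18} {f['detail']}")
```

Run on the sample data it reports nothing for alice, two segregation-of-duties conflicts for bob (who can both create suppliers and approve payments), a dormant account without MFA for carol, an unapproved administrator role on the svc_edi service account, and a conflict for dave that arises only from the combination of two individually reasonable roles. The point of resolving effective permissions rather than looking at role names is exactly that last case.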
Ongoing security
Secure ERP integrations
Modern ERP systems do not operate in isolation; they are connected to many disparate parts of the business, such as shop-floor systems, supplier portals and banking connections. Every integration is a potential entry point. To mitigate this, organisations should route connections through secure middleware or an API gateway, enforce encryption in transit, give each integration its own least-privileged credentials so that one compromised connector cannot act as another, and apply network segmentation to isolate high-risk components. Integrations should be audited just as rigorously as the ERP system itself, including the credentials they hold and where those credentials are stored.
Keep ERP software updated
ERP platforms are often highly customised, which can discourage businesses from applying patches promptly for fear of breaking those customisations. Delayed updates, however, leave publicly known vulnerabilities open to exploitation, and attackers work from the same vendor advisories as defenders. A structured change management process, with a test environment that mirrors production, should be in place so that patches can be tested and deployed quickly without disrupting business operations. Whichever ERP vendor you work with, staying current with its security updates is essential; where internal resources are scarce, cloud-hosted ERP offerings typically apply the vendor's patches as part of the service.
Use ERP-specific security tools
CISOs may want to look beyond their general-purpose security stack and add a tool that understands the nuances of ERP systems. Such tools scan for misconfigurations, missing patches, vulnerabilities and compliance gaps in platforms from different vendors, and they offer visibility into application-level risks, such as over-privileged roles or insecure custom code, that network- and endpoint-focused products miss.
Monitor and respond
An effective ERP cybersecurity strategy also requires real-time monitoring and a robust response capability. Integrating the ERP system with a Security Information and Event Management (SIEM) platform allows early detection of anomalies such as bursts of failed logins, unusually large or out-of-hours data exports, and privilege changes that point to internal misuse. This depends on the ERP's own audit logging (logins, exports, user and role changes, configuration changes) being switched on and forwarded, which is not always the default. Companies should also develop an ERP-specific incident response plan and test it regularly, so that security personnel, ideally supported by a Security Orchestration, Automation and Response (SOAR) platform for the routine steps, can contain and remediate quickly when threats arise.
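To make the monitoring concrete, here is an added example, not part of the original article, of the kind of detection logic a SIEM rule set implements for the events listed above. It runs over a constructed ERP audit log (the CSV-like layout and event names are invented for this example) and raises alerts for bursts of failed logins, a successful login following such a burst, bulk or out-of-hours exports, and privileged or self-granted role assignments. The thresholds are assumptions to be tuned to the business.

```python
"""Detection rules over an ERP audit log (added example, not from the article)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log, one event per line: timestamp,user,event,source_ip,detail.
# The layout and event names are invented; a real ERP logs these in its own format.
SAMPLE_LOG = """\
2024-06-01T02:13:05,bob,LOGIN_FAIL,203.0.113.7,
2024-06-01T02:13:09,bob,LOGIN_FAIL,203.0.113.7,
2024-06-01T02:13:14,bob,LOGIN_FAIL,203.0.113.7,
2024-06-01T02:13:21,bob,LOGIN_FAIL,203.0.113.7,
2024-06-01T02:13:30,bob,LOGIN_FAIL,203.0.113.7,
2024-06-01T02:14:02,bob,LOGIN_OK,203.0.113.7,
2024-06-01T02:16:40,bob,EXPORT,203.0.113.7,table=CUSTOMER_MASTER;rows=48211
2024-06-01T09:30:00,alice,LOGIN_OK,10.1.4.22,
2024-06-01T10:02:11,alice,EXPORT,10.1.4.22,table=OPEN_PO;rows=312
2024-06-01T11:45:00,svc_edi,ROLE_ASSIGN,10.1.4.9,target=svc_edi;role=SYS_ADMIN
2024-06-01T14:20:00,carol,LOGIN_FAIL,10.1.4.31,
2024-06-01T14:20:20,carol,LOGIN_OK,10.1.4.31,
"""

# Assumed thresholds; tune to the organisation's normal activity.
FAIL_THRESHOLD = 5                   # failed logins per (user, source IP) ...
FAIL_WINDOW = timedelta(minutes=5)   # ... within this window count as a burst
BULK_ROWS = 10_000                   # exports at or above this size are 'bulk'
BUSINESS_HOURS = range(7, 19)        # local hours in which exports are expected
PRIVILEGED_ROLES = {"SYS_ADMIN"}     # roles whose assignment always warrants review


def parse_events(text):
    """Turn the constructed log into event dicts; 'detail' becomes a key/value map."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, ip, detail = line.split(",", 4)
        kv = dict(item.split("=", 1) for item in detail.split(";") if item)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip, "detail": kv})
    return events


def _alert(rule, e, why):
    return {"rule": rule, "user": e["user"], "ip": e["ip"], "ts": e["ts"], "why": why}


def detect(events):
    """Apply the four rules in time order and return the alerts they raise."""
    alerts = []
    fails = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    flagged = set()              # (user, ip) pairs already reported for a burst
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["ip"])
        if e["event"] == "LOGIN_FAIL":
            # Sliding window: drop failures older than FAIL_WINDOW, then count.
            window = fails[key]
            window.append(e["ts"])
            while e["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(_alert("brute_force", e,
                                     f"{len(window)} failed logins within {FAIL_WINDOW}"))
        elif e["event"] == "LOGIN_OK" and key in flagged:
            # A success right after a burst is the high-priority case: the guess worked.
            alerts.append(_alert("login_after_brute_force", e,
                                 "successful login following a failure burst"))
        elif e["event"] == "EXPORT":
            reasons = []
            rows = int(e["detail"].get("rows", 0))
            if rows >= BULK_ROWS:
                reasons.append(f"{rows} rows from {e['detail'].get('table')}")
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append(f"outside business hours ({e['ts']:%H:%M})")
            if reasons:
                alerts.append(_alert("suspicious_export", e, "; ".join(reasons)))
        elif e["event"] == "ROLE_ASSIGN":
            target, role = e["detail"].get("target"), e["detail"].get("role")
            # Self-assignment or any grant of a privileged role is reviewed every time.
            if target == e["user"] or role in PRIVILEGED_ROLES:
                alerts.append(_alert("privilege_grant", e,
                                     f"{e['user']} granted {role} to {target}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']:%H:%M:%S} {a['rule']:<24} {a['user']:<8} {a['why']}")
```

On the sample log the rules fire four times, all for the two cases a responder would want first: bob's account is guessed from an external address at two in the morning and then used to pull the whole customer master, and the svc_edi service account grants itself an administrator role. Alice's daytime export of a few hundred rows and Carol's single typo produce nothing, which is the other half of a usable rule: it stays quiet on normal work.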
Preventative measures
Smart and tailored training
Human error remains one of the most common causes of breaches. Employees who use ERP systems, particularly those in finance, HR and procurement, must be trained to recognise phishing and social-engineering tactics, including the fraudulent requests to change a supplier's bank details or approve an urgent payment that target these roles specifically. Regular awareness sessions and simulated phishing campaigns tailored to particular ERP users reinforce secure behaviour and help build a culture of cybersecurity throughout the organisation. They also help find and foster security champions.
Backup and recovery plan
A robust backup and recovery plan is critical in case of ransomware or catastrophic system failure. Companies should ensure that all ERP data and configurations are backed up regularly, as often as the tolerable data loss (the recovery point objective) demands, which for a busy ERP may be hourly, and stored securely off-site or in the cloud. At least one copy should be offline or immutable and not writable with the credentials the ERP itself uses, because ransomware operators routinely encrypt or delete any backup they can reach. Just as importantly, recovery procedures must be tested periodically, including a full restore of the application and its customisations rather than the database alone, to confirm that systems can be brought back within the agreed time and with acceptable data loss.
Governance and compliance
ERP security is not purely a technical issue; it is also a matter of governance and compliance. Organisations must define clear policies around ERP use, including password hygiene, data access, acceptable behaviour, and secure coding for customisations. There is more regulation in manufacturing than ever, and more, such as the Digital Product Passport, is on the way. Aligning with these regulations ensures that security practices meet both internal expectations and legal obligations.
For most midmarket manufacturers, a fully functioning ERP solution is business critical. So, ensuring that the solution is secure and doesn’t leave the rest of the organisation vulnerable is equally critical. Using technical safeguards alongside strong governance and user awareness, manufacturers can ensure their ERP systems remain an asset and not a vulnerability.