ERP and Information Security Term Paper
- Length: 26 pages
- Subject: Business
- Type: Term Paper
- Paper: #74211420
Excerpt from Term Paper:
ERP and Information Security
Introduction to ERP
Although information security plans include preventing outsiders from gaining access to the internal network, the risk from outsiders still exists. Outsiders can also pose as authorized users in order to damage the transactions of business systems. Therefore, strict preventive measures should be taken to avoid such situations.
The threat from both insider and outsider attackers has increased with enterprise resource planning (ERP) software (Holsbeck and Johnson, 2004). Through acts of deception they bypass system privileges and take hold of assets, mainly cash. Its continuous integration has not succeeded in eliminating the threat of hackers who are either insiders or enter through the perimeter security.
Considering the financial losses caused by system-based fraud, errors and abuse of business transactions, new ways of maintaining security need to be developed in the world of integrated ERP (enterprise resource planning) and e-business (Holsbeck and Johnson, 2004).
Present Market Development for ERP systems
The ERP market matured to the point where intense competition actually led to a fall in sales. This led ERP vendors to shift their focus towards bringing in new functions, such as CRM and web architectures that specialize in certain services, in order to attract more customers to their products and bring sales back up. The sad part, however, is that some security issues still remain intact (Holsbeck and Johnson, 2004).
With rising threats from external sources, it should not be forgotten that there are chances of cheating and fraud within the system itself. These insider abuses are rising at increasing speed due to the installation of automated systems devoted to managing accounts payable, employee benefits and other information that may be integral to the company (Holsbeck and Johnson, 2004).
Taking a historical perspective and assessing the effectiveness of ERP security systems, we can see that they were focused on inside threats: they gave workers only limited control so that the system kept working effectively, and relied on the network defenses provided, such as firewalls, intrusion detection, VPNs and so on. These defenses are devoted to keeping intruders from logging into the ERP network. However, there is a rising need for an integrated system which spans various systems and users, and which needs newer and more effective ways of dealing with such security issues (Holsbeck and Johnson, 2004).
Gartner goes on to state that enterprises need to consider security across their entire functionality, as well as control the overall environment, so as to ensure that transactions run effectively. Analysts have suggested that any vulnerable point in the security system can be taken advantage of, essentially by insiders, to threaten the business in various ways (Holsbeck and Johnson, 2004).
As the ERP system sets out to let the enterprise merge all of its information systems, along with the many partners who take care of supplies, the number of authorized users rapidly increases. This creates new entry points into the business systems from outside the perimeter of the conventional IT systems. Firms need to trust not only their own employees but also the partners involved with those employees in the security system (Holsbeck and Johnson, 2004).
In many enterprises today, ERP security is based on user control: authorized people log in to the system with a personal username and password, and the enterprise can block or allow any individual depending on the level of permission and access extended to them. For instance, a clerk in accounts payable would have no access to inventory, the human resources department or any other such area within the ERP system (Holsbeck and Johnson, 2004).
Data encryption is generally part of many ERP systems. It essentially stops users from exporting the database. On the other hand, it offers no protection against authorized insiders accessing modules of the system they are not authorized for (Holsbeck and Johnson, 2004).
An important feature of ERP systems is the audit log. It keeps a record of every transaction made and every system alteration. However, the reason behind those transactions is not recorded. Every transaction is documented independently, and the context around each transaction, such as the events occurring before or after it, is not traced by the audit log. Afterwards, audit logs are sampled by internal auditors for transactions occurring in irregular order (Holsbeck and Johnson, 2004).
Nearly half of all organizations do not configure their ERP systems to maintain audit logs. There are two reasons for this (Holsbeck and Johnson, 2004):
1. They think that it would degrade the performance of their work.
2. They do not consider it important.
A salient feature of such organizations is that they act conservatively when it comes to IT security. In their view, IT security only manages the layers of conventional perimeter security. Hence, a middle way between security and performance is adopted, which focuses on the following two tasks (Holsbeck and Johnson, 2004):
1. Enterprises refrain from recording every minute detail of the activities performed by the system.
2. Only information relevant to the transaction is collected.
Another feature of the organizations that do use audit logs is the configuration of customized audit reports by system administrators. These reports use simple logic to flag "outliers": system transactions that fall outside the following general parameters:
1. Date and time
2. Trace and location of the user logging into the system
3. Checks larger than a predefined setting
Customizing these reports is time consuming, and the large number of data points still has to be processed manually. The reports are often cluttered with false positives, so manual analysis of every event is required. This is because audit reports do not analyze the event and so cannot establish the reason for the concern (Holsbeck and Johnson, 2004).
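As an added illustration (not code from the paper or from Holsbeck and Johnson), the following Python sketch applies the three outlier rules above to constructed audit-log lines, with hypothetical thresholds for business hours, trusted login locations and the check limit; the legitimate large check in the sample is flagged all the same, which is exactly the false-positive problem that forces manual review. It goes one step beyond the listed parameters by also flagging a repeated (user, amount) check, a simple duplicate-payment check.

```python
from datetime import datetime, time

# Constructed sample audit-log lines: timestamp|user|login location|event|amount
SAMPLE_LOG = """\
2004-03-02T09:15:00|clerk01|HQ-LAN|CHECK_ISSUED|1250.00
2004-03-02T10:40:00|clerk02|HQ-LAN|CHECK_ISSUED|48000.00
2004-03-02T23:55:00|clerk01|HQ-LAN|CHECK_ISSUED|300.00
2004-03-03T08:05:00|clerk03|REMOTE-VPN|VENDOR_UPDATED|0.00
2004-03-03T11:20:00|clerk02|HQ-LAN|CHECK_ISSUED|48000.00
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # hypothetical site thresholds
TRUSTED_LOCATIONS = {"HQ-LAN"}
CHECK_LIMIT = 25000.00

def parse_log(text):
    """Parse pipe-delimited lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 5:
            ts, user, loc, ev, amt = parts
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "location": loc, "event": ev, "amount": float(amt)})
    return events

def outlier_reasons(ev):
    """Return the rules an event trips: time of day, login location, check size."""
    reasons = []
    start, end = BUSINESS_HOURS
    if not start <= ev["ts"].time() <= end:
        reasons.append("outside business hours")
    if ev["location"] not in TRUSTED_LOCATIONS:
        reasons.append("untrusted login location")
    if ev["event"] == "CHECK_ISSUED" and ev["amount"] > CHECK_LIMIT:
        reasons.append("check above limit")
    return reasons

def duplicate_checks(text):
    """Indices of CHECK_ISSUED events repeating an earlier (user, amount)."""
    seen, dupes = set(), []
    for i, ev in enumerate(parse_log(text)):
        if ev["event"] == "CHECK_ISSUED":
            key = (ev["user"], ev["amount"])
            if key in seen:
                dupes.append(i)
            seen.add(key)
    return dupes
```

Each flagged event still carries no context about why it happened, so every hit (including the legitimate 48,000 check) lands on an auditor's desk.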
ERP Security Failures
It is well known that when the ERP security features described above are not in place, fraud occurs, due to which the average business suffers losses of 3% to 6% of annual income. Worse, additional losses arise from duplicate payment errors. On average, enterprises make duplicate payments for 2% of all payments made. Of these duplicate payments, almost 10% are lost and never recovered, resulting in a 0.2% loss of total accounts payable (Holsbeck and Johnson, 2004).
An ever-present threat is the exposure of applications to external security threats, some of which are listed below:
Simple dictionary attacks that break easily guessed passwords (Whitman and Mattord, 2008).
Applications riddled with buffer overflows, until a hacker finds one and gains entry (Whitman and Mattord, 2008).
The most dangerous form is social engineering, in which hackers set a trap for users, who are fooled into freely divulging their personal information, identities and credentials (Whitman and Mattord, 2008).
The extreme case is the one in which hackers pose as authorized users, enter the system and divert payments to their own benefit (Whitman and Mattord, 2008).
ERP security failures occur in companies that ignore the implementation of control design in their plans until the last stage of implementation. Moreover, ERP projects are generally over budget and behind schedule. For this reason, cost and time consumption are kept in check by employing strict internal controls (Holsbeck and Johnson, 2004; Whitman and Mattord, 2008).
Such internal controls are often hard to follow, because they add to existing tasks, creating extra overhead that makes it harder for employees to carry out their daily work. This badly affects efficiency overall, which is why most organizations decide against such severe internal controls (Whitman and Mattord, 2008).
Internal controls for maintaining ERP security have various flaws. One of the biggest is the high cost and large amount of time such controls consume. The authorization levels of employees in the business structure must be updated continuously, for every employee who is promoted, reassigned or fired. Modification is also necessary in various other cases, such as (Holsbeck and Johnson, 2004; Whitman and Mattord, 2008):…