
Vulnerable ERP Systems Could Leave You Exposed

Niek Dekker

ERP systems are the beating heart of an Accounts Payable (AP) function.

They are vast treasure troves of valuable commercial data, making them regular targets of financially motivated cyber criminals. A compromised enterprise resource planning system opens the way for hackers to manipulate vendor banking data, so when your AP team processes an invoice they inadvertently transfer the funds to a bank account controlled by the criminals.

In this blog we explore the risks associated with ERP systems and why every CFO should embrace third-party tools that help mitigate those risks.

The Risks from ERP Systems

These are news reports that should ring alarm bells for all CFOs. The time has come to ask yourself: Is my ERP system leaving me exposed to the risk of a data breach and fraud?

How Attackers Targeted SAP

SAP is one of the world’s leading enterprise resource planning software developers. Its ERP platform enables customers to manage their business operations using a range of modules, including finance and accounting applications, through one fully integrated environment.

The integrated nature of SAP’s software offerings enables smooth information flows between the various SAP modules. This allows organisations to achieve significant efficiencies, removing the need for redundant data entry. It also helps organisations maintain consistent controls.

However, with the benefits of a fully integrated ERP platform come additional potential risks. Without the right internal segmentation in place, a breach in any one of the modules can open the way for lateral movements that see cyber attackers access data across the entire platform.

This is a big concern when you consider that more than 400,000 organisations globally use SAP software. This includes 92% of the companies in the Forbes Global 2000, spanning a wide range of industries such as pharmaceuticals, critical infrastructure, utilities, food distribution, government agencies and more.

So, any breaches are likely to have widespread ramifications. That is why reports that cyber criminals are actively exploiting security vulnerabilities in SAP applications should be a wake-up call for all CFOs about potential vulnerabilities in fully integrated ERP systems more generally.

ERP Attack Vectors

The SAP ERP vulnerabilities demonstrate how cyber criminals are able to breach perimeter defences and then move laterally across various applications. After gaining access, the attackers escalated their privileges to achieve complete access across the entire system.

This gave them full access to the ERP’s finance and accounting applications. With high-level access, it’s easy to see how financially motivated criminals could manipulate vendor banking data to carry out digital fraud. This paved the way for adversaries to pursue a range of attacks, including:

  • theft of sensitive data,
  • financial fraud,
  • disruption of mission critical business processes,
  • ransomware, and
  • halt of all operations.

For Accounts Payable (AP) teams at impacted organisations, the security risk is that the next time they pay an invoice to a supplier, the banking data in their ERP system or Vendor Master File may have been unknowingly manipulated.

This could see the organisation defrauded as funds would be paid directly to the attacker’s bank account.

Widespread Threat

We know this problem is not unique to SAP.

Reports of ERP technology breaches have been surfacing for some years, not to mention attacks on cloud-based ERP systems. Recent reports indicate there are vulnerabilities with other ERP systems, such as Oracle and QuickBooks.

Some reports indicate that 64% of organisations using ERP platforms have been victims of cyber-attacks, with financial data targeted in 34% of cases. This clearly indicates that the attacks are often financially motivated and that the perpetrators are seeking to carry out some form of digital fraud.

Clearly CFOs need to be coordinating closely with their organisation’s IT or Security teams to make sure that all relevant patches on ERP systems and software updates are being rolled out in a timely manner. And whilst patching is critically important, it alone is not guaranteed to prevent all breaches.

We know that cyber criminals are hunting for vulnerabilities in digital supply chains as a way to compromise those organisations holding valuable data assets. Few platforms in the digital supply chain can offer attackers as much access to potential targets as ERP systems.

This should concern all CFOs and prompt them to maximise security measures.

How Eftsure helps ensure your ERP isn’t leaving you exposed to fraud

Whilst you may not be able to prevent all attempted breaches through your organisation’s ERP system, you can take steps to reduce the risk of being defrauded.

With Eftsure’s unique collaborative fraudtech solution, any time you need to pay a supplier invoice, the banking details will be cross-checked in real-time against an independently sourced and verified database of nearly 3 million Australian organisations.

This verification occurs right at the point of payment, giving you confidence that the banking details you’re using match the details used by others when paying the same supplier. This helps reduce the risk that cyber criminals have manipulated the supplier banking data held in your ERP or Vendor Master File.
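The point-of-payment cross-check described above can be sketched as a control that runs over each payment file before release. This is an added example, not Eftsure's product or API; the field names, the use of the ABN as vendor key, the hold reasons and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data. REFERENCE stands in for a verified source held
# outside the ERP; keying vendors by ABN is an assumption of this example.
REFERENCE = {
    "11111111111": ("062-000", "12345678"),
    "22222222222": ("083-004", "55512345"),
    "44444444444": ("013-999", "00770077"),
}
# Rows as exported from the ERP vendor master file for one payment run.
PAYMENTS = [
    {"invoice": "INV-1001", "abn": "11111111111", "bsb": "062000", "account": "1234 5678"},
    {"invoice": "INV-1002", "abn": "22222222222", "bsb": "033-001", "account": "99990000"},
    {"invoice": "INV-1003", "abn": "33333333333", "bsb": "033-001", "account": "99990000"},
    {"invoice": "INV-1004", "abn": "44444444444", "bsb": "013-999", "account": "00770077"},
]

def norm(bsb, account):
    """Reduce BSB and account number to digits so formatting differences are ignored."""
    return (re.sub(r"\D", "", bsb), re.sub(r"\D", "", account))

def check_payment_run(payments, reference):
    """Return {invoice: [hold reasons]}; an empty list means the payment can be released."""
    # Map each destination account to the set of vendors paid into it in this run.
    payees = defaultdict(set)
    for p in payments:
        payees[norm(p["bsb"], p["account"])].add(p["abn"])
    holds = {}
    for p in payments:
        details = norm(p["bsb"], p["account"])
        reasons = []
        known = reference.get(p["abn"])
        if known is None:
            reasons.append("vendor not in reference")
        elif norm(*known) != details:
            reasons.append("bank details differ from reference")
        if len(payees[details]) > 1:
            reasons.append("account shared by several vendors in this run")
        holds[p["invoice"]] = reasons
    return holds

if __name__ == "__main__":
    for invoice, reasons in check_payment_run(PAYMENTS, REFERENCE).items():
        print(invoice, "RELEASE" if not reasons else "HOLD: " + "; ".join(reasons))
```

The control only helps if the reference data is stored and maintained outside the ERP, so that an attacker with full access to the ERP cannot change both copies.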

For a no-obligation demonstration of how Eftsure can help you avoid digital fraud and prioritise data security, contact us today.
