Page 43 - Cyber Defense Magazine RSA Edition for 2021

ERP applications have historically had a reputation for being complex systems with equal parts value and challenge: value, because they can be tailored to an organization's specific business processes; challenge, because the complexity of those business processes typically leaves organizations exposed to a myriad of data security risks. ERP applications house the most sensitive PII, financial, accounting, and proprietary data an organization may have. That puts ERP data in the unusual position of being routinely accessed (in an authorized manner) by many users within the organization while also being highly coveted by bad actors.

In short, ERP data is the "crown jewels" of an organization.


The sensitive nature of these crown jewels makes them an attractive target for a variety of security threats, including phishing attacks, payroll diversion, zero-day exploits, brute-force attacks, and exploitation by malicious insiders. To thwart these advanced threats, businesses invest in NGFW, IDS/IPS, VPN, and SIEM solutions. Unfortunately, most of these solutions monitor and control north-south traffic but have no visibility into what is happening within the applications themselves, leaving significant visibility gaps. In addition, access governance is dictated by broad-bucketed, static roles that leave many opportunities for risk, because the context of user access (location, device, connection point, etc.) changes from one scenario to the next while the role-based entitlements do not. These variations in context are the origins of risk.

This means that control and visibility gaps are widening as business processes become more complex and user access to ERP applications becomes more ubiquitous. These gaps are only exacerbated by legacy ERP applications like PeopleSoft, Oracle EBS, and SAP ECC that were not designed to combat modern threats. In fact, they were designed to replace manual, paper-based processes and to provide as much access to data and transactions as possible, in the service of enabling productivity.

For many organizations, legacy ERP applications have been deployed on-premises and continuously customized for decades. That customizability is a highly desirable characteristic, but it also means there are few widely adopted best practices for securing the application/user interface layer. Each organization handles data security differently, and the sophistication of the strategies varies widely. Add the 2020 shift to remote workforces, and present-day ERP data security strategies are far from adequate for protecting the crown jewels.

Moreover, the ERP security threat landscape is dynamic, consisting of both application vulnerabilities and bad actors compromising data. To keep up with security maintenance, organizations must update applications and operating systems and apply security patches, which is an extremely cumbersome process. These initiatives require cross-functional collaboration across IT, information security, and HRIS teams, and any configuration error can lead to ERP downtime, costing thousands of dollars every hour. Cyber-criminals can leverage these pitfalls and typically impersonate an authorized user to stay undetected while exfiltrating sensitive data. And sadly, organizations can take over two months to contain an insider threat, as indicated in the latest Ponemon reports.
