Most ERP systems offer data encryption which limits someone's ability to export the database but does not address the need to protect authorized insiders from accessing unauthorized modules in the system.
Audit logs within an ERP system track individual transactions or changes in the system but provide little detail into the relevance of the transaction. With each transaction documented individually, the audit log does not consider the context of the transaction, such as the events that occurred before or after the transaction. Internal auditors can then sample the audit logs for irregular transactions.
However, about half of all organizations do not configure their ERP system to maintain audit logs because they are concerned about performance degradation and they don't think they need it. Regrettably, these organizations believe IT security only focuses on the layers of traditional perimeter security. In a compromise between security and performance, enterprises can avoid logging every detail of system activity and focus on meaningful information that's relevant to the transaction.
For organizations that do utilize audit logs, system administrators can configure customized audit reports that employ simple logic to identify "outliers" - system transactions that fall outside of normal parameters, such as date and time, location of the user logging into the system and checks larger than a predefined setting.
While it's time consuming to customize these reports, they provide hundreds of data points to manually process and are invariably riddled with false positives. Each flagged event requires manual human analysis of the event because the audit reports cannot analyze the event to determine the cause for concern.
When you consider that the average business loses 3 percent to 6 percent of annual revenue due to fraud, most agree that the ERP security features listed above are not working. Worse yet, businesses suffer additional losses through duplicate payment errors. The average enterprise submits duplicate payments for 2 percent of its total accounts payable. Of these duplicate payments, 10 percent are never recovered, which leads to total losses equivalent to 0.2 percent of total accounts payable.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.