We encounter many clients that, given the chance, readily talk about the pain points of their IT systems. Many have been living with these symptoms for years and seem eerily accepting of them. Others are unknowingly increasing their cybersecurity threats during digital transformation and ERP initiatives.
Since I can turn anything into a car analogy, it’s like driving a car with a transmission problem. It’s readily apparent that something isn’t working right; the car may get you clunkily down the road, but you know that a bigger problem lies ahead. It’s not if, but when. This is true of even the top ERP systems in the market.
Both public and private sectors mimic each other in their slow-moving march towards technology or digital transformation – although many would argue government (and especially local government) may be the worst offenders – or have the smallest tech budgets. US government and municipalities are especially slow to adapt, and it’s not unique to the US. I could offer a plethora of examples about the UK and other entities too. The point being: your pain points and recognized operational disruptions may not be your biggest or only risks.
To oversimplify the topic, older technology is susceptible to intrusion – the result of systems that are not patched or updated (and not all legacy systems can be patched). As a rule of thumb, legacy systems cannot be updated fast enough to fend off security threats. Many legacy systems have been built over decades – and the strategy for, and implementation of, new technology is never straightforward or easy. Cost and/or complexity is a common deterrent.
Keep in mind business risks associated with IT systems happen daily – outages, glitches, etc. But the new “ERP reality check” needs to include the evaluation of a much bigger issue – security susceptibilities. While breaches can take many forms, the motives are typically ransom or theft of data – or both.
Ransomware involving government ERP systems
A recent ransomware attack was successful in shutting down much of the Florida city of Pensacola’s computer network in December of 2019. Ransomware – a more devious subtype of malware – is targeted at encrypting files and data, essentially disabling access to users. It’s easy to see how disheartening and complex a situation like this becomes. A company, or in this case a city, is crippled. The question then becomes whether to pay the ransom or pay to fix it. Neither comes with any guarantees.
Lake City, Florida was also hacked in June of 2019 and chose to pay almost $500k in bitcoin. The result of the ransomware demand payment was mixed. While much of the data was then able to be recovered, the city is still struggling to recover all of it.
The city of Atlanta (attacked in March of 2018) chose not to pay the ransom. With over one year spent to recover – and costs now exceeding $17 million – their digital journey began with new CIO Gary Brantley. Under his direction, crucial applications were moved to a hybrid cloud solution promising better security. Root causes that may have contributed to the breach were tied to undocumented processes, inadequate password management, and insufficiently restrictive access to sensitive data. The city was also warned by independent auditors as early as 2010 that the city’s IT department lacked funding for disaster recovery/business continuity initiatives.
When reviewing these examples, the question then becomes: can an entity afford not to deploy updated technology given this growing trend and all the other risks of using outdated technology?
“A digital transformation or ERP implementation is a logical opportunity for assessing your data’s security exposure. Since data mapping is a standard activity of a well-run data migration and integration project, combining a data security assessment with your planned ERP or Digital Transformation Data Readiness activity will save time and money and help mitigate your current data security risks.”
Ms. Daryl Crockett, CEO and founder of ValidDatum
Hacking for Information
While hacking is not a new phenomenon, hackers are looking to steal or leak information. This information is then sold or used to steal identities to gain financial access in a variety of illegal ways. Think sensitive data like social security numbers, credit card specifics, driver’s license numbers, etc. You can see the natural link connecting privacy concerns to the liabilities a company can face when breached.
Company data behemoths like Equifax (which was also breached) can amass enormous amounts of sensitive and personal data. Then there are companies that haven’t really evaluated or identified the data they store as sensitive. There is no doubt that Big Data should be treated differently, as evidenced by the ongoing parade of breaches. While SOX, HIPAA, and GDPR have the best of intentions in that they require compliance – insurance premiums, legal costs, etc. continue to increase as companies lack a diligent approach. That is, until a breach occurs.
While you will often find ERP “advice” in our blogs such as go-live best practices, please understand that cybersecurity and data security are a major pillar of any ERP initiative or digital transformation. It may be a good reason to prioritize new technology higher on your list.
Contact us to discuss how you might best tighten up your cybersecurity processes. We are happy to be a technology-agnostic sounding board as you continue your journey!