Enterprise systems are the face of the new technology being adopted by most organizations. The practice started in larger organizations; later, small and medium-sized organizations adopted it as well. As the adoption of enterprise systems expanded, the threats to their security expanded too, just as happened with the use of the internet and the availability of information. This paper will discuss what an enterprise system is and its kinds. It will also show the different kinds of enterprise systems that are implemented in different organizations depending upon their structure and business processes. It will then cover the threats to enterprise systems and how those threats should be handled. The paper focuses on the cybersecurity of information, because enterprise systems are connected to the internet and face threats to the safety and security of information that organizations rely on and want to protect at any cost. Lastly, the paper will discuss how those security threats should be minimized and what practices organizations should adopt to mitigate those risks.
Technology has changed the way organizations operate and has brought them large benefits. Organizations mostly prefer to adopt information systems that provide the exact information required at the time of making decisions. Information, the most valuable asset of any organization, has to be kept in a way that makes it accessible to all departments in the organization. Technology was introduced into organizations long ago; however, it was developed and implemented separately in different departments. That was not enough to cover the whole information system, as the information was distributed among different departments within the organization.
With fast-changing market requirements, information had to be available whenever it was needed. There was a need for information systems that could integrate all the departments of the organization so that information was streamlined at all times in all departments (Davenport, 1998). Distributed systems were not efficient in this scenario: for example, the sales information required by the finance department was not accessible.
Organizations that adopted information systems at a larger scale have seen a dramatic increase in efficiency, productivity, and profits. Such systems are called enterprise systems: packaged software meant to automate business processes and help in the management of business data. An enterprise system integrates some of the organization's applications and protocols that help in the integration of business processes. In this way, many individual systems in the organization are replaced with one single enterprise system.
A number of enterprise systems are implemented in organizations, depending upon their requirements and business processes. Every organization has its own requirements depending upon its business processes. It is right to say that there is no single enterprise system that can be implemented in all organizations, but enterprise systems are designed to cover the business processes common to most organizations, and some can be altered as well.
As discussed earlier, there are different kinds of enterprise systems depending upon the nature of the business and its operations. Enterprise Resource Planning, Supply Chain Management, and Customer Relationship Management are types of enterprise systems.
ERP, or enterprise resource planning, is a system that integrates software applications in the same way as enterprise systems integrate business processes in organizations. ERP systems are said to automate the business processes in an organization and integrate them at the core level (Syspro, 2015). The basic motive behind implementing these systems is to enhance the productivity of the organization and boost the efficiency of production. This is attained by ERP implementation, as it ensures the security of stored information and data through the application of efficient security measures. ERP systems enable organizations to plan their workload by providing exact information about existing orders as well as forecast information.
Organizations always look to secure and store all their data because it is most important for making future decisions. ERP systems translate the centrally stored data into useful information that can be used to make appropriate decisions about upcoming production. These software applications share and communicate data and information related to different departments. ERPs are implemented in organizations that need information to be integrated among their different departments. To illustrate, business departments like sales, finance, and management are integrated into one application that provides the information related to every department (Nordmeyer, 2015). The different departments work individually and efficiently with different applications; however, the information and data are stored centrally and can be accessed from anywhere within the organization by authorized persons only.
An interesting thing about ERP is that it can be customized according to the requirements and business processes of different departments. Business processes and operations are different in every organization, and an ERP is meant to be designed to meet the business processes of the organization. It is an enterprise system, and if the ERP is not modified to fit the business processes of the organization, there will be no use for it. Some of the key benefits of ERP systems are the integration of business processes, increased production, reports and analysis, and integration of the supply chain (Syspro, 2015). To gain the complete benefit of an ERP system, it must be implemented in all departments, from customer-facing functions back to the production and distribution of products.
Supply Chain Management is the management of supply chain activities in an effective and efficient manner. It runs from material sourcing to the development and supply of the product. Information flows throughout the system, which is meant to manage material planning and resources. Supply chain management is based on two core ideas, both related to the same concept. One is that the final product that reaches the hands of customers represents the collective effort of many organizations involved in the product's production, management, and supply (Handfield, 2011). The other is that the supply chain is a very old concept but has been deprived of organizations' attention, as their only focus was within the boundary wall of the organization. Most organizations did not focus on a supply chain system that could have enhanced customer satisfaction, resulting in better business opportunities.
Supply chain management is the active management of all the activities involved in the supply chain, resulting in better customer value and a better competitive advantage for the organization. It covers all aspects of the product, including production, logistics, sourcing, and others. It builds a bridge between different organizations, allowing information and products to flow smoothly. The information flow allows better decision making based on order forecasting.
Supply chain management can be further divided into three categories: product flow, information flow, and finance flow (Rouse, 2010). Product flow is the delivery of the product from supplier to customer; information flow is the status of product delivery and order processing; finance flow is credit terms, title ownership agreements, and payment schedules. SCM (Supply Chain Management) is managed by two different kinds of software: planning applications and execution applications. Planning applications use specific algorithms to find the best ways to fill an order. Execution applications are used to track the physical location of orders, manage financial information, and manage material.
Lastly, customer relationship management was developed to get to know an organization's customers and their requirements in order to increase sales. Its integration with other departments of the organization produces better information about what should be produced and introduced in the market (Nordmeyer, 2015). CRM (Customer Relationship Management) technology is used to analyze and manage customers' interactions with the organization in order to deduce what the customers are actually looking for. It is a way to find out the requirements of customers so that a matching product can be introduced in the market and a competitive advantage gained (Burnham, 2013). Throughout the life cycle of interaction, it gathers information through the different channels by which customers interact with a company, including live chat, direct mail, and social media.
CRM software works as a database that records all customer-related information in one place so that the organization can look at customers' behavior and make decisions related to products or marketing. Some features of CRM are marketing automation, sales force automation, contact center automation, and location-based services (Rouse, 2010). Marketing is one of the most important aspects of any business; CRM supports it through marketing automation, which performs repetitive tasks to advertise products. This automation periodically generates promotional or marketing emails to customers. Sales force automation is also possible with CRM software, which is the biggest agent in preventing duplicated interactions between customer and company.
Organizations have been looking to provide better customer care so that customers are satisfied; customer care automation achieves this with prerecorded voice recordings that help customers resolve their issues to some extent. Another notable feature of CRM software is that it enables location-based marketing to target a specific audience in a certain region.
As organizations move towards the adoption of enterprise systems to get a hold on information, make processes more efficient, and make better use of the information available to them, security threats are also rising. The information in an organization with enterprise systems is stored in a centralized database, and if an unauthorized person gets access to it, they may use that information against the organization by selling it to competitors or others in the market.
Information, as the most valuable asset, needs to be protected in every possible way in a dynamic environment where hundreds of employees access it every day. Enterprise systems are connected to the internet, and they can come under attack if an unauthorized person gets access to the information stored in them.
Several aspects ensure the security of information stored in a central database: availability, integrity, confidentiality, non-repudiation, and authentication. The information must be available at all times so that it can be used when required; if it is not available when required, there is no use for it. However, availability does not mean that the information need not be accurate. If the information is not in the same shape as it was stored, it can be more harmful for the organization. Organizations rely on the information stored in enterprise systems and use it for making further decisions.
Information loss can cost an enterprise millions, and cybercrime adds to this loss every year. Information is the intellectual property of every enterprise and organization, and it needs to be protected by investing in security rather than facing a loss of millions. Such loss costs not only money but also customer satisfaction, enterprise reputation, and brand equity in the market. The Australian Competition and Consumer Commission reported in 2010 that organizations had lost $63 million because of cybercrime (Kukec, 2015). This huge loss has forced enterprises to consider it a core business issue rather than a technology issue, because organizations and enterprises are earning more from implementing technology in all divisions.
Another notable fact about the security of enterprise systems is that every organization’s computer infrastructure is attacked thousands of times each day. This amounts to more than 345 million security breaches at organizations in the past 5 years, and that is in the US alone (Bennett, 2012). A data breach in an enterprise's information system may cost up to $5.5 million on average.
Enterprise systems hold the information related to all of the organization's business and processes. That information is always at risk if it is not protected in the best possible way. Information in enterprise systems is under threat not only from outside the enterprise but also from inside. It is reported that most hacks of enterprise systems are due to inside threats. Another inside threat to the information in an enterprise system is limited knowledge about using resources in the organization.
Organizations mostly face threats to enterprise systems because of access through remote software. There are a number of other threats that can be mitigated in order to secure the information. However, the first step in securing enterprise systems is to identify the threats. External attackers also look for loopholes within the organization so that they can get access to the central database and the stored information. Information can be secured in different ways; at times it is secured by securing the center where the database is kept.
We have seen the threats and damage that cybercrime poses to enterprises each year, causing huge losses. Enterprises are required to mitigate those threats and secure their information while keeping it available. An enterprise cannot restrict everyone's access to such information in an effort to make it secure. Information that is not accessible and not available when required will not be used. So there is a need to secure the available information so that it can be used by company executives and other authorized persons.
To mitigate these threats and find an appropriate solution, the first and most important step is to identify them. If you are not aware of the threat you are facing, you will not be able to stop it or secure yourself. In this section, we look at the different threats that enterprise systems face in relation to the security of information. There are many such threats; we will present the major ones.
It is commonly assumed that threats to information security come mostly from the outside world; however, this assumption is totally wrong. Threats to information security also arise from within the organization or enterprise. Such attacks or threats may be intentional or unintentional. First, we will talk about internal threats to enterprise system security and then turn to the external threats. Not all enterprises face all of these threats, but most face some of the internal ones.
USB is one of the major elements that can cause an internal threat to the security of an enterprise system. There are certain reasons for this. A USB device is a peripheral that can be connected to any computer within the enterprise. Even if the user does not open the USB drive on a computer system, it will start working the moment it is detected by the computer hardware. A study conducted by Yankee Group in 2005 found that 37 percent of attacks on information in enterprise systems involved USB to compromise security (Cook, 2007). Another study was conducted by a security company to learn how enterprises and organizations are attacked through USB. They scattered around 20 USB drives carrying password-stealing malware in different locations, such as a park. It was reported that 15 of the USB drives were attached to computer systems in the enterprise by people who wanted to see what was on them. Once the drives were attached, the security company started to receive a number of the organization's passwords.
Another threat to enterprise system security is the use of unauthorized peer-to-peer sharing software, which is mostly not allowed in organizations. Employees install such software in order to share files with others, and in doing so provide an open gate for unauthorized persons to gain access to the enterprise system database. This trend is increasingly seen in different enterprises. 4 percent of enterprise system attacks were caused by peer-to-peer file sharing software (Cook, 2007). Hackers also use this software to cause denial of service attacks on different servers at the same time.
This software causes a lot of information to be leaked unknowingly, even by government departments. Such internal attacks on enterprise systems are unintended by the employees, who are unaware that their actions can cause huge damage to the organization.
Antivirus programs are installed in enterprises to ensure the security of the system so that no malware or virus can run on it. Most enterprises have already installed antivirus programs on their computers, but the issue arises when those programs are not updated on a routine basis. It is reported that the major antivirus vendors release around 1200 to 2400 updates every week. Meanwhile, double that number of new viruses and malware are released on the internet.
When vendors become aware of a new virus, they release an update for that specific virus. As the number of new viruses keeps increasing, it is important to update antivirus programs whenever a new update is released.
Users and employees install remote-control software on their computers so that they can access them from anywhere. Once remote-control software is installed on a computer, it gives hackers unauthorized access, so that they can access files on the computer without the knowledge of its users. Such software also provides an open path into the network within the enterprise system, so that they can get into the database and extract all the information stored there.
External threats to enterprise systems come from intentional hackers who do not have authorized access to the network. They work to find loopholes in the network so that they can gain access to it and later to the database. Hackers and unauthorized persons use different methods to gain access to a network. Different groups of people try to gain such access; they are known as hackers, crackers, phreakers, spammers, phishers, white hats, and black hats. There are four major types of attacks on an enterprise system: reconnaissance; access; denial of service; and worms, viruses, and Trojans.
Reconnaissance is an information-gathering attack meant to investigate the network and look for ways to attack the system. It then leads to denial of service attacks. Once information has been gathered in reconnaissance, it leads to the planning of an attack, after which the hacker attacks and damages the enterprise's information system. The techniques involved in reconnaissance are packet sniffers, port scans, ping sweeps, and internet information queries.
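Port scans and ping sweeps, two of the reconnaissance techniques listed above, leave a recognizable pattern in firewall logs that defenders can alert on. The following Python code is an added example, not part of the original paper; the log format, the thresholds, and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them against normal traffic on your own network.
WINDOW = timedelta(seconds=60)
PORT_SCAN_PORTS = 10   # distinct ports one source tries on one host
PING_SWEEP_HOSTS = 5   # distinct hosts one source pings

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed (constructed) firewall log format: "<ts> src=.. dst=.. proto=.. [dport=..] action=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp|icmp)(?: dport=(?P<dport>\d+))?"
)


def parse(line):
    """Return (ts, src, dst, proto, dport), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], TS_FMT)
    except ValueError:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return ts, m["src"], m["dst"], m["proto"], dport


def max_distinct_in_window(events, window=WINDOW):
    """Largest number of distinct items seen inside any sliding time window."""
    events = sorted(events)
    counts, start, best = defaultdict(int), 0, 0
    for ts, item in events:
        counts[item] += 1
        while ts - events[start][0] > window:   # drop events older than the window
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_recon(lines):
    """Flag sources whose traffic looks like a port scan or a ping sweep."""
    ports = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    pings = defaultdict(list)   # src -> [(ts, dst)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue            # skip corrupted lines instead of failing
        ts, src, dst, proto, dport = rec
        if proto == "icmp":
            pings[src].append((ts, dst))
        elif dport is not None:
            ports[(src, dst)].append((ts, dport))
    findings = []
    for (src, dst), events in ports.items():
        n = max_distinct_in_window(events)
        if n >= PORT_SCAN_PORTS:
            findings.append(("port_scan", src, dst, n))
    for src, events in pings.items():
        n = max_distinct_in_window(events)
        if n >= PING_SWEEP_HOSTS:
            findings.append(("ping_sweep", src, None, n))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def sample_log():
    """Constructed log lines; addresses are documentation and private ranges."""
    base = datetime(2024, 1, 1, 10, 0, 0)

    def line(offset, src, dst, proto, dport=None):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        port = f" dport={dport}" if dport is not None else ""
        return f"{ts} src={src} dst={dst} proto={proto}{port} action=deny"

    out = []
    # One source tries 12 different ports on one server within 12 seconds.
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3306, 3389]):
        out.append(line(i, "192.0.2.10", "10.0.1.5", "tcp", p))
    # One source pings 6 different hosts within 6 seconds.
    for i in range(6):
        out.append(line(20 + i, "192.0.2.20", f"10.0.1.{i + 1}", "icmp"))
    # Normal client: many connections, but only to ports 80 and 443.
    for i in range(20):
        out.append(line(i, "10.0.2.7", "10.0.1.5", "tcp", 443 if i % 2 else 80))
    # Monitoring host that checks ten services, one every 70 seconds.
    for i in range(10):
        out.append(line(70 * i, "10.0.2.8", "10.0.1.5", "tcp", 8000 + i))
    out.append("corrupted line without fields")
    return out


if __name__ == "__main__":
    for finding in detect_recon(sample_log()):
        print(finding)
```

Only the two sources that touch many distinct ports or hosts inside one window are reported; the busy but ordinary client and the monitoring host are not.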
Another attack on an enterprise system is gaining access to a system that the person is not authorized to access. Attackers gain access to such a network with the help of a script or tool that identifies a vulnerability and then gains access to the system. Once the person gains access to the database, they will be able to extract all the information they want.
A denial of service attack is intended to overload the system so that its intended users are unable to access it. These attacks are carried out so that information cannot be accessed at the right time and people are unable to use it. Another form of DoS attack is simply deleting the information on the system so that the system is unable to process the required information. This attack is carried out using a script and precedes other attacks.
Another external threat to enterprise systems is malicious software intended to damage stored information, replicate it, copy it, or even delete it entirely. Such software is also used to carry out denial of service attacks. It is installed on host machines, where it does its dirty work. Trojan horses are another form of attack by unauthorized persons or hackers, meant to steal sensitive information from authorized users without their knowledge. Such software asks for sensitive information by presenting replicas of real screens so that users enter their information; that information is actually sent to the hackers, who can later use it to log in to the system. Such viruses and worms work in the background of the system while users are unaware of what is being stolen. This leads to further information leakage and damage if such attacks are not tracked and resolved.
There are security measures that should be taken when considering the security of enterprise systems. Some of these measures are basically meant to ensure that there is no weak link in security, in other words, that there is no way for hackers to get access to the enterprise system. Systems should be secured at the deepest level. It is also important that the information remains accessible to authorized persons. Restricting important information does not mean that no one should have access to it; if no one has access, there is no use for such information.
The best practice for handling this issue is to give separate privileges to separate users, defined by the level of information they are allowed to access. In addition, the employees of the organization should be properly educated about the practices to follow when using computer systems. Educating employees about the privacy and security of the system is important, so routine workshops should be arranged so that everyone is aware of new security threats to enterprise systems and of how they should access information stored in the central database.
To secure an enterprise system so that all the information in it is totally secure, we need to look at the basic pillars of information security. There are four basic pillars of information security: confidentiality, integrity, availability, and authentication. We look into each pillar to see what steps should be taken to secure information stored in an enterprise system.
The term confidentiality normally refers to the privacy of information related to an individual or a company; such information should not be leaked on a public platform where people have easy access to it. However, confidentiality is more than that. If a company holds a customer's information, it does not follow that all employees in the enterprise should be able to view it; confidentiality ensures that such information is available or visible to only a limited number of people. In simple words, confidentiality means preventing unauthorized persons from accessing information (USNA, 2015). Hackers are always looking for ways to gain access to confidential information, but hackers are not the only ones who should be kept away from the system; there are agents of hackers as well (Smith, 2005). Here, agents of hackers means applications that people install, which then do the rest of the work of giving hackers access to confidential information.
Confidentiality is an issue in all kinds of business, whether a small business or an enterprise, as systems contain stored files and information. Securing those systems requires two types of security: software security and physical security. Physical security is important because if hackers gain physical access to servers, they can find a way to gain access to the database as well. It is easy to secure an enterprise's servers physically by restricting access to the server room to only a few authorized persons. It is hard to provide physical security for every computer system in the enterprise; however, the information on those systems can be secured using encryption methods.
There are other ways that information can be extracted from enterprise systems: hackers can sniff packets being transferred between computers over a network. If the transmission goes through a Wi-Fi router, it is easier for hackers because they only need to be within range of the wireless router to sniff packets. Packet sniffing is countered with IPsec, which ensures the confidentiality and integrity of network packets (Smith, 2005).
Another important requirement for secured information is that it should remain in the form in which it was recorded unless modified by an authorized person (USNA, 2015). Information should be stored in enterprise systems, but the most important thing about it is that it stays in its original form. Information that is modified or deleted by an unauthorized person is also a threat to information security (Smith, 2005), because if the information is not in the same form as when it was stored, the modified information can lead to damage for the company.
Malicious software can also compromise the integrity of information, because it is able to modify or even delete information once it makes its way into the enterprise systems. The best way to ensure the integrity of information is to apply techniques such as encryption and other authentication methods. Information should be restricted so that it can be viewed by authorized persons only. Likewise, when information needs to be modified, only authorized persons should be given the right to modify or delete it.
Integrity in the security of enterprise systems is not limited to stored information; it also applies to software code and scripts (Smith, 2005). It is better to implement security measures such as updated anti-virus software that can prevent such malicious software from being installed on the system and from getting unauthorized access to the system and database.
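Two controls described above, separate privileges for separate users and keeping information in its original form unless an authorized person changes it, can be enforced together in the write path of a record store. The following Python code is an added example, not part of the original paper; it uses a keyed hash (HMAC-SHA256) as the integrity technique, and the role names, record fields, and key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed role table (hypothetical roles): what each role may do.
ROLE_PERMISSIONS = {
    "finance_manager": {"read", "modify"},
    "sales_clerk": {"read"},
}


class AccessDenied(Exception):
    """Raised when a role lacks the privilege for the requested action."""


class RecordStore:
    """Central store where every row carries an integrity tag.

    The tag is an HMAC over the record id and its data. Only the
    authorized write path knows the key, so a change made any other way
    (malware, a direct database edit) no longer matches the stored tag.
    """

    def __init__(self, key: bytes):
        # Assumption: in production the key comes from a secrets manager
        # or HSM and is not readable by ordinary database users.
        self._key = key
        self._rows = {}   # record_id -> {"data": dict, "tag": hex string}

    def _tag(self, record_id, data):
        # Canonical JSON so the same data always produces the same bytes.
        # The id is included so a valid row cannot be copied under another id.
        msg = json.dumps({"id": record_id, "data": data},
                         sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _require(self, role, action):
        # Unknown roles get an empty permission set (deny by default).
        if action not in ROLE_PERMISSIONS.get(role, set()):
            raise AccessDenied(f"role {role!r} may not {action}")

    def _is_intact(self, record_id):
        row = self._rows[record_id]
        expected = self._tag(record_id, row["data"])
        return hmac.compare_digest(row["tag"], expected)

    def write(self, role, record_id, data):
        self._require(role, "modify")
        self._rows[record_id] = {"data": dict(data),
                                 "tag": self._tag(record_id, data)}

    def read(self, role, record_id):
        self._require(role, "read")
        if not self._is_intact(record_id):
            raise ValueError(f"integrity check failed for {record_id}")
        return dict(self._rows[record_id]["data"])

    def audit(self):
        """Return the ids of rows whose data no longer matches their tag."""
        return sorted(rid for rid in self._rows if not self._is_intact(rid))


def demo():
    """Constructed scenario: one denied write, one out-of-band modification."""
    store = RecordStore(key=b"constructed-demo-key")
    store.write("finance_manager", "inv-1001", {"customer": "ACME", "amount": 1200})
    store.write("finance_manager", "inv-1002", {"customer": "Globex", "amount": 300})

    denied = False
    try:
        store.write("sales_clerk", "inv-1001", {"customer": "ACME", "amount": 1})
    except AccessDenied:
        denied = True

    # Simulate a change that bypasses the authorized write path.
    store._rows["inv-1002"]["data"]["amount"] = 9999

    return denied, store.read("sales_clerk", "inv-1001"), store.audit()


if __name__ == "__main__":
    print(demo())
```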
Availability is a very important aspect of information in an enterprise system, because information is stored in the database so that it can be accessed and used by management to make decisions for the enterprise (Morrissey, 2010). If the information is not available when it is required, there is no use for it. Hackers mostly restrict access to the system so that the intended people are not able to extract information from it. This is the denial of service attack that we have already discussed. This is the challenging point, where the enterprise system has to ensure the availability of information together with its confidentiality and integrity. It is good to take backups of the information in an enterprise system; however, a backup protects against permanent data loss, and the availability of information still has to be kept intact. Enterprises should focus on ensuring availability through alternative methods such as creating data centers in more than one location, so that even if one center is under a denial of service attack, traffic is routed to another server, ensuring the availability of information.
Authentication is another aspect of enterprise system security; it ensures that only authorized persons can get access to information. As already seen, there are ways hackers can get into the system by extracting users' sensitive information, including usernames and passwords. Once someone gets access to the system, they will be able to damage the whole system. To ensure the authenticity of the user accessing the system, two-way or three-way authentication systems can be implemented. This means that the user not only has to provide a username and password but may also be required to use a biometric authentication system to prove their authenticity. In most enterprises where sensitive information is stored, biometric authentication systems are also installed. Adopting this is a best practice for enterprise systems to ensure the authenticity of users accessing the system and its information.
Enterprise systems are the best option organizations can adopt so far in order to excel in their business market and increase their efficiency and productivity. Information technology comes with countless benefits, enabling organizations to progress and find new ways to enter new markets. It has helped organizations manage information better in order to forecast new market trends and decide whether or not to introduce a specific product in the market. Besides these countless benefits, there is a huge number of threats that always lingers as an alarm to the enterprise to secure its information. Enterprises need not only to implement security practices and secure the information; these security measures also need to be updated every day, and a proper check should be kept on the attacks being made on enterprise systems and how to prevent them. To prevent internal threats to enterprise systems, all employees need proper education about the use of computers and other applications. There is a need to focus on the information systems in enterprises to ensure the progress of enterprises.
Bennett, A. (2012, 10 3). Enterprise Systems and Security. Retrieved from Smarter Computing Blog: http://www.smartercomputingblog.com/enterprise-systems/enterprise-systems-and-security-3/
Burnham, J. (2013, 1 4). What is CRM? Retrieved from Salesforce: https://www.salesforce.com/blog/2013/01/what-is-crm-your-business-nerve-center.html
Cook, R. (2007, 6 19). Securing the Endpoints: The 10 Most Common Internal Security Threats. Retrieved from CIO: http://www.cio.com/article/2438695/infrastructure/securing-the-endpoints–the-10-most-common-internal-security-threats.html
Davenport, T. H. (1998, 8). Putting the Enterprise into the Enterprise System. Retrieved from Harvard Business Review: https://hbr.org/1998/07/putting-the-enterprise-into-the-enterprise-system
Handfield, R. (2011, 1 11). What is Supply Chain Management? Retrieved from SCRC: http://scm.ncsu.edu/scm-articles/article/what-is-supply-chain-management
Kukec, D. A. (2015). Top 5 Security Concerns Facing Enterprises. Retrieved from Enterprise Architects: http://enterprisearchitects.com/top-five-security-concerns-facing-enterprises/
Morrissey, J. (2010, 7 2). Three Pillars of Information Security. Retrieved from InfosecIsland: http://www.infosecisland.com/blogview/4504-Three-Pillars-of-Information-Security.html
Nordmeyer, B. (2015). Three Different Types of Enterprise Systems. Retrieved from Small Business: http://smallbusiness.chron.com/three-different-types-enterprise-systems-73267.html
Rouse, M. (2010, 7). Supply Chain Management (SCM) definition. Retrieved from TechTarget: http://searchmanufacturingerp.techtarget.com/definition/supply-chain-management
Smith, R. F. (2005, 5 15). The 3 Pillars of Information Security. Retrieved from WindowsItPro: http://windowsitpro.com/security/3-pillars-information-security
Syspro. (2015). What is ERP – Enterprise Resource Planning? Retrieved from Syspro: https://www.syspro.com/product/what-is-erp
USNA. (2015). Pillars of Cyber Security. Retrieved from USNA: http://www.usna.edu/CS/si110/lec/pillarsCybSec/lec.html