Friday, 12 February 2021 10:23

Dealing with ERP security vulnerabilities: four tips from Deltek

Caleb Merriman, CISO, Deltek

Securing an ERP system properly must be keeping CISOs awake at night. Organisations are being breached on an ongoing basis, and with the amount of sensitive data an ERP holds, it has never been more important to enforce and test the security of everything in your company.

Deltek describes itself as "the leading global provider of software and solutions for project-based businesses", and says it "delivers software and information solutions that enable superior levels of project intelligence, management and collaboration."

Caleb Merriman is the CISO of Deltek, and he has shared four ways ITSM professionals can double down on the security of their ERP systems.

After all, the various applications integrated into ERP systems collect, store, manage and interpret sensitive data from many business activities, helping organisations improve their efficiency over the long run. "This alone", said Merriman, "means that your IT team should emphasise protecting that data."

Merriman continued: "The technical complexity of ERP systems means that security researchers are constantly finding vulnerabilities in them, and businesses that make them internet-facing and don’t think through or prioritise protecting them create risks that they may not be aware of."

So, what are the four tips that Merriman has shared?

Tip 1:

Ensure the application is secure: Even if an organisation uses a commercial application, new vulnerabilities in it can be discovered over time. All companies, whatever their size, should actively stress-test their applications on a routine basis.

Typically, this means a security team will be needed to conduct penetration testing, assumed-breach testing and red teaming, a rigorous challenge to your plans, policies and systems.

Testing like this should be performed at both the application and network layers, using tools such as dynamic application security testing (DAST), static application security testing (SAST), software composition analysis (SCA) and interactive application security testing (IAST), all of which a diligent security team should already be using.

Tip 2:

Manage access control: ERP systems often contain data that is essential to your business and may be sensitive. Exposure of this data could lead to compliance, contractual or operational risk.

In addition, ERP systems are often essential to daily operations, so any loss of availability, or any inappropriate alteration of the system or its data, could have a significant impact on your business.

Organisations should enforce strict "least privilege" access to ERP systems and data and, as first steps, consider role-based access control (RBAC) and zero-trust access models for their ERP systems.

Simple measures, such as requiring multi-factor authentication for all remote access to ERP systems, can make all the difference in the long run.

Security teams should also perform regular access reviews and implement robust user provisioning, termination, and transfer procedures.

Tip 3:

Use encryption to protect sensitive data: Encryption in ERP systems is essential both to protect sensitive data and to meet compliance and contractual obligations.

Data should be protected at all times, both in transit and at rest. Encryption is especially important for any system integrations.

At-rest data should be encrypted at the storage/volume level and at the database or field level, so that it is protected against more than just physical access to the storage. Use current, strong encryption methods, and treat key management as an essential part of the work.
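As an added illustration of the field-level encryption and key management point above (example code, not Deltek's or the article's): each stored value records the ID of the key that protected it, so keys can be rotated row by row, and the record ID and column name are bound as authenticated data so a ciphertext cannot be silently moved between rows or columns. The in-memory KeyRing, column names and record IDs are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyRing maps a key ID to a 32-byte AES key. It is built in memory here; in practice the keys sit in a KMS/HSM (assumption).
type KeyRing map[string][]byte
// EncryptedField is what the database column stores: which key was used (so keys can be rotated row by row) and nonce || ciphertext.
type EncryptedField struct{ KeyID string; Data []byte }

func gcmFor(ring KeyRing, keyID string) (cipher.AEAD, error) {
	key, ok := ring[keyID]
	if !ok {
		return nil, errors.New("unknown key id " + keyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value; record ID and column name are bound as AAD, so a ciphertext copied into another row or column fails to open.
func EncryptField(ring KeyRing, keyID, recordID, column string, value []byte) (EncryptedField, error) {
	gcm, err := gcmFor(ring, keyID)
	if err != nil {
		return EncryptedField{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedField{}, err
	}
	aad := []byte(recordID + "/" + column)
	return EncryptedField{KeyID: keyID, Data: gcm.Seal(nonce, nonce, value, aad)}, nil
}

// DecryptField reverses EncryptField; a wrong key ID, a moved ciphertext or a truncated blob all return an error.
func DecryptField(ring KeyRing, recordID, column string, f EncryptedField) ([]byte, error) {
	gcm, err := gcmFor(ring, f.KeyID)
	if err != nil {
		return nil, err
	}
	if len(f.Data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, f.Data[:gcm.NonceSize()], f.Data[gcm.NonceSize():], []byte(recordID+"/"+column))
}
```

Rotation then means decrypting with the old key ID and re-encrypting with the new one, row by row, without a bulk outage.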

Tip 4:

Transfer some of the risk to a SaaS partner: Given the complexity, cost and risk of securing an ERP system, it is often beneficial to engage third parties to provide additional ERP security.

The speed at which the security landscape is moving, coupled with the challenges of hiring qualified security staff and the cost of keeping security technologies current, often makes it advantageous to work with partners who can provide these capabilities at scale.

While it is unlikely that an organisation will be able to transfer all of its risk to a third-party entity, a well-qualified partner can often shoulder the majority of the security and compliance risk obligations.

Alex Zaharov-Reutt

Alex Zaharov-Reutt is iTWire's Technology Editor and one of Australia's best-known technology journalists and consumer tech experts. He has appeared as a technology expert on all of Australia's free-to-air and pay TV networks, on the major news and current affairs programs, on commercial and public radio, and on technology, lifestyle and reality TV shows.
