Why ERP Implementations Fail: UNBIASED (4 of 6)

in Any ERP! by Jeff Hare

“The definition of insanity is doing the same thing over and over again but expecting different results”, a quote commonly attributed to Albert Einstein. I am writing this six-part article series about Why ERP Implementations Fail – to help you avoid a failed or a ‘less than optimal’ ERP implementation. In parts 1, 2 and 3 we covered the following topics: 

  1. Software is often released before it is mature 
  2. System integrators rarely propose a complete ERP implementation 
  3. System integrators do not understand the complex compliance and cyber security requirements for today’s modern systems 

If you missed any of the first three articles, I encourage you to read them before starting this one, as they lay the foundation for the key concepts we will discuss next. 

The Six Biases in ERP Implementations 

To achieve a successful ERP implementation, you must overcome these six common biases: 

  1. Software is often released before it is mature 
  2. System integrators rarely propose a complete ERP implementation 
  3. System integrators often do not understand the complex compliance and cyber security requirements for today’s modern systems 
  4. Compliance and cyber security requirements are often misunderstood by software engineers 
  5. SaaS application software providers tend to be greedy with system storage because it affects their margins 
  6. Auditors are often not trained in the specifics of the ERP system they are auditing. 

Compliance and cyber security requirements are often misunderstood by software engineers 

Modern ERP systems have been evolving since the late 1980s. Given that, you’d assume compliance and cybersecurity best practices are fully embedded into every system, right?  

Wrong.  

What the C-Suite expects—a secure, auditable, compliant environment—is often only partially delivered by default in today’s ERP platforms. The challenge for organizations is to make sure they are informed as to what is included, what is not included, what needs to be supplemented via another solution, and what is not available at all. 

What the C-Suite Should Expect from ERP Compliance and Cybersecurity 

Here is what a well-designed ERP system should offer when it comes to compliance and cybersecurity: 

Roles and Identity Lifecycle Management: 

  1. Roles have been designed and constructed in alignment with NIST Role-Based Access Control (RBAC) principles. Roles have been built keeping in mind common Positions or Jobs in organizations, or the possible use of a Persona (a group of users with similar or the same job functions) 
  2. Pre-built Roles have been designed based on the principle of least privilege, only providing access to what someone would need and nothing else 
  3. Roles are granular enough that two or more roles can be combined and assigned to a specific Persona or group of users 
  4. Roles do not have inherent Segregation of Duties (SoD) conflicts within them 
  5. Functionality is in place to validate that roles adhere to the principle of least privilege and to ensure that no SoD conflicts exist—either within individual roles or across the combined roles assigned to a user 
  6. Functionality exists to automatically assign a role or group of roles to a user based on conditions such as a User’s Position or Job associated with their employee record 
  7. The “Data Access” that a user is provided can be identified and provisioned automatically or by a Security Administrator at the time of provisioning 
  8. Ability to automatically de-provision Users as they are terminated in the HR system 
  9. Ability to de-provision roles and re-provision new roles automatically when a User’s Job or Position has changed 
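The role-design and lifecycle checks in this list can be expressed as a small amount of code. The following is an added example written for this article, not a feature of any ERP product or of the author’s firm: roles, entitlements, the SoD rule set and the position-to-role mapping are all constructed for illustration. It checks a role catalogue for conflicts baked into individual roles (item 4), checks the combined roles held by one user (item 5), refuses an assignment that would create a conflict, and re-provisions or de-provisions roles from an HR position change or termination (items 6, 8 and 9).

```python
"""Added example: RBAC catalogue checks and HR-driven role lifecycle.
All role names, entitlements, positions and SoD rules below are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

# Constructed roles: each maps to the set of entitlements it grants.
ROLES = {
    "AP_INVOICE_ENTRY": {"ap.invoice.create", "ap.invoice.view"},
    "AP_PAYMENT_RELEASE": {"ap.payment.release", "ap.invoice.view"},
    "SUPPLIER_MAINTAIN": {"supplier.bank.update", "supplier.view"},
    "EMPLOYEE_BASE": {"self.expense.submit", "self.profile.view"},
    # Deliberately bad role: holds conflicting entitlements on its own (violates item 4).
    "AP_SUPER": {"ap.invoice.create", "ap.payment.release", "supplier.bank.update"},
}

# Constructed SoD rules: pairs of entitlements no single person should hold together.
SOD_RULES: List[Tuple[str, str]] = [
    ("ap.invoice.create", "ap.payment.release"),
    ("supplier.bank.update", "ap.payment.release"),
]

# Constructed Position -> roles mapping used for automatic provisioning (item 6).
POSITION_ROLES = {
    "AP Clerk": {"EMPLOYEE_BASE", "AP_INVOICE_ENTRY"},
    "Treasury Analyst": {"EMPLOYEE_BASE", "AP_PAYMENT_RELEASE"},
    "Vendor Master Admin": {"EMPLOYEE_BASE", "SUPPLIER_MAINTAIN"},
}


def sod_conflicts(entitlements: Set[str]) -> List[Tuple[str, str]]:
    """Return every SoD rule whose two entitlements are both present in the set."""
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]


def intra_role_conflicts(roles=ROLES) -> dict:
    """Roles that violate SoD by themselves (item 4): role name -> offending rules."""
    return {name: sod_conflicts(ents) for name, ents in roles.items() if sod_conflicts(ents)}


def user_conflicts(role_names: Set[str], roles=ROLES) -> List[Tuple[str, str]]:
    """SoD conflicts across the combined roles assigned to one user (item 5)."""
    combined: Set[str] = set()
    for r in role_names:
        combined |= roles[r]
    return sod_conflicts(combined)


@dataclass
class User:
    name: str
    position: Optional[str]          # None means terminated in the HR system
    roles: Set[str] = field(default_factory=set)


def can_assign(user: User, role_name: str) -> bool:
    """Refuse a manual assignment that would introduce a cross-role SoD conflict."""
    return not user_conflicts(user.roles | {role_name})


def sync_from_hr(user: User) -> Tuple[Set[str], Set[str]]:
    """Apply the lifecycle rules from the HR record: a Position change re-provisions
    roles, termination de-provisions everything. Returns (added, removed)."""
    target = set(POSITION_ROLES.get(user.position, set())) if user.position else set()
    added, removed = target - user.roles, user.roles - target
    user.roles = target
    return added, removed


if __name__ == "__main__":
    print("roles with built-in SoD conflicts:", intra_role_conflicts())
    alice = User("alice", "AP Clerk")
    print("hired as AP Clerk:", sync_from_hr(alice))
    print("may alice also release payments?", can_assign(alice, "AP_PAYMENT_RELEASE"))
    alice.position = "Treasury Analyst"
    print("moved to Treasury:", sync_from_hr(alice))
    alice.position = None
    print("terminated:", sync_from_hr(alice), "remaining roles:", alice.roles)
```

The catalogue check would run against the vendor’s seeded roles before go-live; the `can_assign` and `sync_from_hr` checks are the kind of gate a provisioning workflow should enforce so a conflict is refused at assignment time rather than found later by an auditor.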

IDP configurations: 

  1. Flexible IDP configurations that allow different categories of users 
  2. Ability to secure integration users via certificates or tokens 
  3. Ability to require various Multi-Factor methods to better secure the login 
  4. Ability to allow local logins (i.e. not governed by an IDP integration) for Disaster Recovery in case the IDP provider becomes unavailable 
  5. Flexible and secure password reset process 
  6. Ability to restrict user logins by IP or location 
  7. Logging of the activities needed to address Compliance and Cyber Security risks, including: 
     • Tracking of Inserts, Updates, and Deletions for all configurations that should be subject to the organization’s change management process 
     • Tracking of who is accessing data subject to Data Privacy regulations, such as PHI and PII 
  8. Ability to integrate all logs with an organization’s SIEM system through web services or APIs 
  9. Ability to secure APIs so that they can only be used by integration users 

Those of you in the security and controls space may look at this list and assume that every new SaaS system is built with these requirements in mind. In practice, systems show varying levels of maturity and completeness against these requirements. 

Real World ERP Compliance Failures 

Despite the expectations above, many ERP platforms fall short. Here are real examples of system weaknesses: 

  • An ERP system with a role typically assigned to all employees to provide their base access. At one point that role carried a conversion entitlement that allowed any holder to upload a file setting a new default bank account for any or all suppliers. The same role gave everyone access to the most powerful API and to upload a file into the inbound directory from which a scheduled interface process would import the data 
  • An ERP system did not provide seeded MFA capabilities for supplier portal users, leaving their accounts subject to phishing attacks that resulted in seven-figure losses 
  • An ERP system has incomplete logging, allowing certain workflows to be disabled and re-enabled without an audit trail 
  • An ERP system where logging must be enabled via a configuration setting could have all of its audit logs disabled without that change itself being logged 
  • Multiple ERP systems do not retain logs related to accessing PII, leaving management to build a custom archive process to comply with GDPR, CCPA and similar regulations 
  • An ERP system does not have audit logging that satisfies India audit requirements because the underlying data is stored in a relational database where performance could be impacted by database triggers; this lack of audit logs also severely limits management’s ability to run an IT compliance program 
  • An ERP system allows MFA to be set at the Role level rather than at the User level, leaving users holding certain roles subject to phishing attacks 
  • An ERP system allows integration accounts to be built without requiring certificates and allows such accounts to be local logins. This leaves those accounts subject to phishing attacks and forces admins to manage them manually 
  • Most ERPs do not have a PAM process for highly sensitive accounts such as default logins and administrator accounts 
  • An ERP system has poorly designed roles such that some end-user roles have the ability to disable the logging feature 
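Several of the failures above come down to the same gap: a change to the logging configuration, to a workflow, or to a supplier’s bank account is either not recorded at all or is recorded in a form nobody alerts on. The following is an added example, written for this article and not code from any ERP vendor or from the author’s firm, showing the shape of the control the earlier logging requirements describe: an append-only audit trail emitted as JSON lines for SIEM forwarding, in which the logging switch is itself an audited configuration object, plus a detection pass of the kind a SIEM rule would run over those events. Object names, users, roles and the required-role table are constructed placeholders.

```python
"""Added example: audited configuration changes with SIEM-ready output and a
detection pass over them. Object names, actors, roles and events are constructed."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed table: which role a change to each sensitive object should require.
REQUIRED_ROLE: Dict[str, str] = {
    "config.audit_logging": "SECURITY_ADMIN",
    "supplier.default_bank_account": "VENDOR_MASTER_ADMIN",
    "workflow.approval": "WORKFLOW_ADMIN",
}


class AuditTrail:
    """Append-only record of configuration Inserts/Updates/Deletions."""

    def __init__(self) -> None:
        self.events: List[dict] = []
        self.enabled = True

    def record(self, actor: str, actor_roles: Set[str], action: str, obj: str,
               before: Optional[dict] = None, after: Optional[dict] = None) -> str:
        """Append one event and return it as a JSON line ready for SIEM forwarding."""
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "roles": sorted(actor_roles),
            "action": action, "object": obj, "before": before, "after": after,
        }
        self.events.append(event)
        return json.dumps(event, sort_keys=True)

    def set_enabled(self, actor: str, actor_roles: Set[str], enabled: bool) -> str:
        """The logging switch is itself a configuration object: the change is recorded
        before the switch flips, so turning logging off always leaves a trace."""
        line = self.record(actor, actor_roles, "update", "config.audit_logging",
                           before={"enabled": self.enabled}, after={"enabled": enabled})
        self.enabled = enabled
        return line


def detect(events: List[dict]) -> List[str]:
    """Return alert strings for high-risk changes found in a list of audit events."""
    alerts = []
    for e in events:
        obj, after = e["object"], (e.get("after") or {})
        if obj == "config.audit_logging" and after.get("enabled") is False:
            alerts.append(f"AUDIT_LOGGING_DISABLED by {e['actor']}")
        if obj == "workflow.approval" and after.get("enabled") is False:
            alerts.append(f"WORKFLOW_DISABLED by {e['actor']}")
        required = REQUIRED_ROLE.get(obj)
        if required and required not in e["roles"]:
            alerts.append(f"UNAUTHORIZED_CHANGE {obj} by {e['actor']} (missing {required})")
    return alerts


def demo() -> List[str]:
    """Constructed scenario mirroring the failures above; returns the alerts raised."""
    trail = AuditTrail()
    # A base-access user changes a supplier's default bank account.
    trail.record("bob", {"EMPLOYEE_BASE"}, "update", "supplier.default_bank_account",
                 before={"supplier": "S-100", "account": "***1234"},
                 after={"supplier": "S-100", "account": "***9876"})
    # An end-user role switches audit logging off; the switch is still recorded.
    trail.set_enabled("carol", {"EMPLOYEE_BASE"}, False)
    # A legitimate workflow admin disables an approval workflow; still worth an alert.
    trail.record("dave", {"WORKFLOW_ADMIN"}, "update", "workflow.approval",
                 before={"enabled": True}, after={"enabled": False})
    return detect(trail.events)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two design points worth carrying into a requirements document are that the audit-logging setting must be written to the trail by the same path as every other configuration change (so it cannot be switched off silently), and that the role table used for detection is separate from the ERP’s own role grants, so an over-broad seeded role like the one in the first failure above still produces an alert.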

Can You Rely on Your Vendor or System Integrator? 

Often, software vendors and system integrators won’t disclose these gaps during the sales or design phases. Why? Because they’re trying to win the deal and don’t want to complicate the sales cycle. Read more about the bias towards non-disclosure of these gaps here. 

To protect your organization, we recommend allocating a contingency budget of 3–10% of the total project budget to address unanticipated compliance and cybersecurity requirements. This contingency covers three scenarios: 

  1. Functionality doesn’t exist and needs to be built / customized 
  2. Functionality needs to be purchased separately through the software provider 
  3. Functionality needs to be purchased through another provider 

Final Thoughts: You Need Independent ERP Risk Guidance 

C-Suite careers are ‘make or break’ on the success or failure of these Digital Transformation projects. Unfortunately, the lack of transparency from the software company and the system integrator is a significant headwind for management.  

To deliver a secure, compliant ERP system, organizations need: 

  • A comprehensive inventory of compliance and cybersecurity requirements  
  • Independent expert advice that does not come from the software company or the system integrator 
  • A realistic contingency budget to address  

Even with a risk advisory firm providing guidance, you cannot rely on getting fully independent advice from the risk advisory team as I have argued in this article. 

Schedule a Consultation 

If you want to avoid the pitfalls that derail ERP implementations, we’re here to help. 

📩 Contact us at sales@erpra.net to schedule a consultation with one of our ERP risk experts. 
