The distribution industry, like every industry, is susceptible to cyberattacks and data breaches. How can distributors protect themselves? The answer, according to CCS Technology, is with the right cloud ERP solution.
When distributors think of securing their business, what comes to mind first? Probably not cybersecurity and implementing a cloud ERP solution. It’s likely that the average distributor instead puts their time, effort, and money into securing the perimeter of the building, screening everyone who enters and exits, and monitoring the facility at all times with cameras, guards, and processes. In simple terms, it’s all about loss prevention.
Added to this, the thought of “threats” often refers to business threats—an OSHA penalty, companies like Amazon entering your market, or the continued war for talent.
However, with the proliferation of technology focused on the wholesale distribution industry, ranging from the internet of things (IoT) to the always-on, always-connected environment in which you operate, distributors face a well-known but often hard-to-address security threat: cyberattacks.
It’s something that can derail your reputation, disrupt the supply chain, and do immense damage to the long-term future of your business, and it is only going to get more prevalent.
Are you at risk for a data breach?
Cybersecurity threats can come from anywhere and affect any business. If it’s connected, it’s at risk.
According to their 2018 year-end data breach report, cybersecurity analyst Risk Based Security (RBS) discovered 6,515 incidents releasing nearly 5.1 billion records in 2018, down only slightly from the 6,728 data breaches in the year prior.
Worse yet, a majority of records exposed do not come from malicious outsiders; accidental transmission of information from insiders accounted for nearly half of the records exposed last year. Not only are insider mistakes exposing more records than malicious outsiders, organizations appear to be struggling to find breaches and close the gap between discovery of the incident and reporting it.
Whether it comes from outside the company or inside, and whether it is malicious or accidental, transmission of information stings businesses in multiple ways. The blowback is extreme, the process of reporting a data breach to those in the supply chain is both embarrassing and disruptive, and the sting is twofold.
First, there’s the bad press. That in and of itself is no picnic. Second, there’s the actual cost. Recovering from a cybersecurity breach is anything but cheap.
Protecting yourself from internal and external threats
“The most valuable commodity in the world is information.” Once a phrase used by the character Gordon Gekko in the 1987 movie Wall Street, the phrase has since evolved. Today, information can actually be considered a commodity—sold by hackers to other criminals. In cases involving theft of data, SMBs spent an average of over $955,000 to recover from the attack. Even for businesses that do post profits in the millions, nobody wants to drop that kind of money on a cyberattack.
Take a look at your distribution management processes—what kind of data do you have that might be attractive to a hacker or even a competitor? If you answered nearly everything, you’d be right. Vendor information, customer information, payment and bank account details, and so much more are your responsibility to keep secure.
So, how can you protect yourself, your partners, and ultimately the entire supply chain? You need to know what you’re up against.
Understand the attack vectors
The average user may not be aware of the creative, devious ways hackers work. They may also not understand the targets or vectors, or even how their own actions could put the company at risk.
Social Engineering and Phishing/Spearphishing
Ask most users what they think of when they think of a cybercriminal, and many will think of the stereotypical hacker that pervades movies and media and expect someone typing furiously into a computer to break encryption. However, some of the most successful hacks come through the use of social engineering—essentially hacking your people.
Phishing is the most common form of social engineering, with 9 of 10 breaches beginning with a phishing email. As an example, a hacker might spend a few months researching an organization, its structure and the employees within it to figure out the best target and method of approach. These methods could look something like a fake email mimicking that of a company executive, requesting urgent payment of an invoice.
Additionally, many criminals take up face-to-face social engineering. A call to ‘verify’ information, tailgating an employee through a turnstile, or even posing as an IT contractor could leave your information at risk.
If you want to see an IT guy cringe, tell him you use one password for everything, and it’s “password.” When he’s done convulsing, he’ll most likely launch into a tirade about password security. While it may sound insane, “password” is second only to “123456” on the list of most common passwords.
A hacker doesn’t have to do much work to get into the system when all he or she has to do is type qwerty, 123123 or 111111 into the password box and hope for the best.
As a distribution company, your employees receive a lot of invoices and payments through email. It can be extremely easy for an employee to click a legitimate-looking link or download an invoice, only to end up with malware on the computer or network. Even if your email server scans inbound messages for dangerous content, don’t make the mistake of assuming every clickable option is safe.
Learn more in Different Kinds of Malware Need Different Kinds of Defenses.
Poor security configurations
While the employee may be the target of many cyberattacks, devices in the network are often at risk as well. You’ve likely heard of companies who have had their network security compromised by a printer, but this only gets worse when everything is connected. With the Industrial Internet of Things (IIoT) becoming part of product-based businesses, you are adding devices that, if poorly configured, could expose you to risks.
A printer, a router, or IIoT devices all present risks to the overall health of your distribution business, and if you fail to configure these for safety, you could be at risk.
Stop internal mistakes: four software issues putting distribution companies at risk
While there are thousands of other ways that external threats could infiltrate your system, internal issues could also stand in the way of your security. Whether it’s a malicious insider or an innocent mistake, your employees could be actively putting company data at risk.
1. Privilege Problems
Take a second and ask, “Why does my employee need access to [x]?”
Many accidental data leaks happen when employees end up having access to data or system configurations that they should not have. Imagine giving administrator access to a CEO using a software product once in a while to look at a report. It’s unnecessary and presents a huge security risk.
2. Shadow IT and Unauthorized Changes
Another security issue that plagues organizations builds on the privilege problem. If a user has unnecessary privileges, he or she has access and ability to perform unauthorized system changes in order to speed up their job or make it easier. Pair this with the rise of shadow IT—software installed without proper vetting from IT—and you can see where this risk comes from.
Think of it like this. A professional at your organization with too many privileges sees the opportunity to save time with an Excel macro, free tool, or the like, and installs it without consulting IT. A few months go by and this application is compromised. Pair that with mismanaged permissions, and hackers have access to make whatever changes they see fit.
Anytime your IT department isn’t aware of various apps or software that are being used within your organization, the result is more potential security gaps and endpoint vulnerabilities that hackers and cyber criminals can potentially seek to exploit.
3. Failure to update
Whether it’s the software on the computer, the server OS, or an on-premises product that has long since seen the end of support, failure to update a product happens for a wide range of reasons. This is especially prevalent in wholesale distribution, in which distribution software and products are used throughout and often past their useful life.
From the companies still using Windows XP and Windows Server 2003 to the companies using ERP software that hasn’t been updated since the last President left office, the longer it’s been since the last update, the more time that cybercriminals have had to discover exploits.
4. Poor backup/recovery
Every company performs backups. But sadly, many companies have not reviewed their policies for years, and few organizations have tested to see how secure their backup files are. Fewer still have done any kind of mock disaster to know if their recovery is possible and how long it would take.
Unfortunately, companies with old policies and no testing could find that when something goes wrong (and it will), they are unable to recover what they need and spend hundreds or even thousands of man-hours regaining operation of their systems. Many businesses are unable to recover from a major issue and will cease to exist.
Security in the cloud: Why cloud products are more secure
There are many ways to address security threats, but for distribution companies looking to enhance their security and make life easier for IT professionals, the right cloud products can help. Prior to the rise of cloud computing, companies relied on a single machine to host data and applications. Information was sent by email from location to location, accessing software was a challenge, and updates were disruptive, causing many companies to hold off or ignore them completely.
In the past decade, the shift from on-premises applications to the cloud has brought companies a wide range of benefits—most notably, security.
Cloud vendors have a reason to put security first—their entire business relies on making your data safer in the cloud. In fact, as the SMB Group 2017 SMB Routes to Market Study reported, 42% of respondents cited better security and reliability as a top reason for choosing a cloud deployment.
According to the 2017 Clearing the Clouds Report by analyst firm Mint Jutras, there are many steps that cloud-based ERP providers like Acumatica take to enhance security and many reasons they do so. According to the report, public cloud providers:
- “Bet their business” on providing secure cloud ERP solutions to thousands of customers, and therefore a major outage or breach can put them out of business
- Have built redundancy, security and data protection into their cloud ERP solution
- Validate virtual and physical security measures with SAS 70 Type II audits
- Can afford to hire specialized IT staff with in-depth security expertise because they can spread their skills over many paying customers
It only gets better: Automatic updates make cloud ERP safe
As noted above, one of the biggest ways that companies put their data at risk is through failure to update. Because updates on legacy software were disruptive and integration-breaking, many companies ignored them, putting their business at risk. Today’s cloud ERP software and cloud solutions are built to integrate, delivering automatic updates that don’t break the bank (or the integrations and customizations).
These automatic updates keep your product up to date, patching vulnerabilities while improving the functionality and keeping your data safe.
Bringing your distribution firm into the cloud and into the future: Acumatica and CCS
Product-based businesses like those in the distribution industry are at a crossroads. They can either continue to work with outdated legacy ERP vendors who either fail to deliver in the cloud or try to slap a cloud label on their products—or they can elect to move their business forward.
As a company founded in IT consulting, managed services, cybersecurity services, and more, we at CCS Technology chose to join hundreds of Acumatica VARs and work with Acumatica Cloud ERP. They are not only on the cutting edge of ERP, they offer a product we can stand behind and a strong business partnership with excellent training and support through their Acumatica Partner Program.
CCS Technology has considerable experience in the distribution vertical, equipping clients with industry-specific tools, like Acumatica, that ensure a smooth process, top-notch security, and consistent reliability. We invite you to learn more about cybersecurity best practices by reading our guide to closing common cybersecurity holes, get to know more about the work we do, and contact us for more information.
Chief Technology Officer/Managing Member at CCS Technology and member of the Forbes Technology Council