A recent report from Deutsche Bank and the Economist Intelligence Unit pointed to a gap in companies’ cyber defenses related to the third parties they do business with.
The report, which is based on a survey of 300 corporate treasurers, found that 19% of companies don’t check whether their suppliers use the same ID authentication method that they do, and that 14% don’t require that the information security requirements they place on third parties be extended to those third parties’ subcontractors.
And while 92% of companies do internal penetration testing, only 38% require their suppliers and other third parties to do such testing.
The Deutsche Bank report also said cybercriminals are now targeting ERP systems.
As companies have improved their cyber defenses and educated their employees about the ways criminals use phishing or manipulate users of banking portals, criminals have looked for other avenues of attack, said David Watson, global head of digital cash products for Deutsche Bank.
ERP systems are attractive to hackers because “tactically, the money sits on the accounts within the ERP systems,” he said. Watson also noted that ERP vendors are starting to add features like APIs and financial communication networks to their systems. “What used to be a back-end system is closer to the outside world from an exposure perspective,” he said.
An ERP “is an IT system the same as any other,” Watson added. “It requires the same level of penetration testing, the same level of layering around its ecosphere.”