Integrating Business Systems - Part Three

Welcome to the 3rd and final part of my article suite considering the decisions around Integrating Business Systems.
 
As a reminder, here are the three topics covered.

  1. Developing a sound reason to integrate, a business case and an efficiency (or quality) issue to resolve.
  2. Making the decision on whether to upgrade your ERP or Business System.
  3. Mitigating the risks of an ageing ERP or Business System.
 
Today, we look at part three.
 
PART THREE : Mitigating the risks of an ageing ERP or Business System
 
In Part Two, I mentioned the Cyber Risk of an ageing platform. Surely, if you have a good firewall, it doesn't matter how old the systems on your internal network are? I'm afraid it does.
Anyone who tells you that they can make you safe from Cyber-Attack is sadly misleading you. New bugs are found all the time (including in firewalls), and they lead to what is called a "Zero Day Attack": an attack that takes advantage of a known bug for which a fix has not yet been released.
Human error also occurs. Firewalls can be mis-configured and updates missed; attackers can get in through malware, by obtaining a user's password, and in a whole host of other ways. The bottom line is that you should maintain your entire network to limit what is known as "lateral movement": an attacker's ability to jump to a poorly protected system and use it as a base for further attack.
If you have systems that are now out of support and cannot be updated any further, you should consider all or some of the following precautions:
  1. Test your backups and be sure that they are "off network". You should have a documented process for bringing back your systems and your data, and know how long it will take and what hardware you need to do it. If your backups are online (i.e. stored on your network), get them offline so that any ransomware cannot encrypt them too. Going further, do you have a full Business Continuity Plan?
  2. Apply the patches you can for the Operating System itself and for the application - but only once you have tested your backups. Patching can break things too, so go through any catch-up process carefully but rigorously.
  3. Cyber Essentials - do look at all your Cyber protections to limit the angles of attack. This would cover your access control process, policies on your laptops and PCs, and more.
  4. Network segmentation - sounds complex, but a great further step to protect yourself may be to put your critical systems and data behind a second firewall. This can be configured to limit the access and so reduce the chance of the "lateral movement" I mentioned above. It's a technical process but can be done without impact to the users.
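To show what "configured to limit the access" means in practice, here is an added example (written for this article, not code from the original post or from any firewall vendor). It models the second firewall's rules as a short allow-list in Python: users may reach only the ERP application front end, only the application server may reach the database, and everything else into the ERP segment is dropped. The same policy is then replayed over a few connection-log lines to pick out attempts that the segmentation stopped, which is exactly the lateral movement worth alerting on. The address plan, ports, rules and log lines are all constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Hypothetical address plan, constructed for this example.
USER_LAN = ipaddress.ip_network("10.1.0.0/16")     # staff laptops and PCs
ERP_SEGMENT = ipaddress.ip_network("10.9.0.0/24")  # everything behind the second firewall
ERP_APP = ipaddress.ip_network("10.9.0.10/32")     # ERP application server
ERP_DB = ipaddress.ip_network("10.9.0.20/32")      # ERP database server
ANY = ipaddress.ip_network("0.0.0.0/0")

# First matching rule wins. Anything that matches no rule is dropped (default deny),
# so the list only has to say what is permitted.
POLICY = [
    Rule(USER_LAN, ERP_APP, 443, "allow"),  # users reach only the app front end over HTTPS
    Rule(ERP_APP, ERP_DB, 1433, "allow"),   # only the app server may talk to the database
    Rule(ANY, ERP_SEGMENT, None, "deny"),   # everything else into the segment is blocked
]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Return the action the inner firewall would take for one connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"  # default deny


def parse_line(line: str) -> dict:
    """Parse a constructed key=value connection-log line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def flag_lateral_movement(log_lines) -> list:
    """Return the log events the segmentation policy would have blocked."""
    flagged = []
    for line in log_lines:
        event = parse_line(line)
        if evaluate(event["src"], event["dst"], event["dport"]) == "deny":
            flagged.append(event)
    return flagged


# Constructed sample log: two normal flows, then a workstation trying the
# database directly and then trying RDP to the application server.
SAMPLE_LOG = [
    "ts=2024-03-01T10:00:01Z src=10.1.4.22 dst=10.9.0.10 dport=443",
    "ts=2024-03-01T10:00:05Z src=10.9.0.10 dst=10.9.0.20 dport=1433",
    "ts=2024-03-01T10:01:10Z src=10.1.4.22 dst=10.9.0.20 dport=1433",
    "ts=2024-03-01T10:01:12Z src=10.1.4.22 dst=10.9.0.10 dport=3389",
]

if __name__ == "__main__":
    for event in flag_lateral_movement(SAMPLE_LOG):
        print(f"{event['ts']} blocked {event['src']} -> {event['dst']}:{event['dport']}")
```

The point of the allow-list shape is that a workstation compromised on the user LAN still cannot open a database connection or a remote-desktop session into the ERP segment, and every such attempt shows up as a denied event that your monitoring can raise. Run on a real firewall this would be a ruleset rather than Python, but the logic it has to express is no more than the three rules above.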
 
SUMMARY
 
I hope I've summarised some of the issues to consider when looking at integration, systems upgrades and cyber protection, and I hope I've kept it relatively simple.
If there are key messages, I’d like to summarise as follows:
  1. Don't take on a big change until you have experience of managing lots of small changes.
  2. Keep your systems elegant and simple. Complexity leads to Cost.
  3. Improving Data Quality is a good goal as a baseline - but then maintain your documentation otherwise you start all over again.
  4. Any system needs managing - don't start unless you are willing to take on that cost and burden (whether it's insourced or outsourced).
  5. Do take Cyber Protection very seriously!