Secure Your ERP:

Renewal Management for Safeguarding Enterprises

Enterprise Resource Planning (ERP) systems have long been the transactional backbone of enterprises, driving core processes and storing business-critical data. Today’s business landscape demands ERP systems that act not only as ‘control towers’ for efficient business operations, with key workflows and business metrics, but also as platforms enabling integration and innovation. As ERP landscapes have grown more complex due to customizations and multi-instance architectures resulting from acquisitions, securing and renewing ERP systems has become a top priority.


Clients often encounter a series of concrete problems when grappling with ERP cyber risk, which stems from the intricate nature of these systems. The typical issues they face include:


    • Legacy Systems on Aging Infrastructure: Many ERP systems are hosted on outdated hardware and run on obsolete operating systems, such as Windows (Windows Server 2012 or 2008) or Linux (Red Hat Enterprise Linux 6, CentOS 6 or Debian 7). These aging components not only introduce vulnerabilities but also make system maintenance and updates more challenging.


    • Complex Integration with Various Systems: ERP systems are often intricately intertwined with various other software and systems within an organization. This complexity can lead to vulnerabilities and integration issues that expose the organization to cyber risks.


    • Wide Accessibility: ERP systems are accessed by a diverse range of stakeholders, including vendors, customers, and suppliers. Managing access controls for such a diverse group can be challenging, especially when it comes to preventing unauthorized access and maintaining data integrity.


Challenges in Today’s Business Environment


Balancing innovation, resilience, and cyber defense is a challenging task, especially amidst macroeconomic uncertainties. Organizations often face dilemmas regarding where to allocate resources, as squeezed budgets, internal pressures, and ever-changing priorities create a complex decision-making landscape. For many companies, financial restrictions lead to the reprioritization of checklist items like ERP renewal efforts, which inadvertently exposes them to increased cybersecurity risks.


The Cybersecurity Risks of Delayed ERP Renewal


Late or delayed ERP renewal can pose significant cybersecurity risks. With ERPs becoming more integrated across a wider scope of businesses, they hold increasingly valuable data, making them attractive targets for cyberattacks. In an era where data breaches can have severe financial and reputational consequences, it’s essential to ensure the security and resilience of these systems.



Here is a list of recommended actions that organizations should consider to secure their ERP systems:


  • Comprehensive Documentation: Maintain up-to-date documentation in an application that outlines the architecture, configurations, and integrations of the ERP system. This documentation acts as a crucial reference point for administrators and security teams.


  • Interface Mapping: Map all interfaces and connections to and from the ERP system. Understanding the flow of data and interactions with other systems is essential for identifying potential vulnerabilities.


  • User Flow Monitoring: Implement tools and procedures to monitor user activities within the ERP system. This helps in identifying any unusual behavior or unauthorized access, enabling quick response to potential security threats.


  • User Access Control: Limit user access to only what is necessary for their roles and responsibilities (RBAC – role-based access control). Regularly review and update user access permissions to prevent unauthorized actions and reduce the risk of data breaches.


  • Vulnerability Management: Develop a systematic approach to identify, manage, and remediate vulnerabilities within the ERP system. Regular patching and updates are essential to address security weaknesses effectively.


  • Red Teaming: Conduct periodic red teaming exercises to simulate cyberattacks and test the ERP system’s resilience. This proactive approach helps in identifying and addressing weaknesses before malicious actors exploit them.


Act Now or Be Left Behind


Organizations that postpone renewal not only put their valuable data at risk but also place themselves at a disadvantage in the competitive landscape. Once the maintenance phase concludes, organizations may face additional expenses linked to security patches. Although these patches may still be offered by the system vendor, the onus of implementing them falls on a third party or the company itself, without direct vendor support. For widely recognized ERP systems like SAP, Oracle, or Microsoft, it’s relatively easier to find third-party vendors to assist with this task. However, when dealing with smaller ERP systems, the options become more limited, as third-party providers might be scarce. In such cases, companies must take the responsibility of patching into their own hands, possibly seeking support from different IT partners if they can find suitable ones.


When discussing ERP refresh with our clients, we’ve identified four key motivations for ERP renewal:


1. Control Tower for the Enterprise: Modern ERP systems serve as the central control tower for organizations. They manage critical workflows, data, process integrations, and business metrics. In an era where data-driven decision-making is paramount, a robust ERP system offers a single source of truth for essential data and processes.


2. Data Middleware: ERPs act as the new data middleware, establishing and enforcing data standards across the organization. This ensures data consistency and accuracy, which is vital for scaling data-driven initiatives and facilitating seamless data exchange and integration across various departments and systems.


3. Efficiency and Automation: ERP modernization allows organizations to achieve greater operational efficiencies. Modern ERP systems often come with native automation capabilities that streamline processes and reduce manual tasks, saving time and resources while improving overall productivity and accuracy.


4. Organizational Agility: In a dynamic business environment with frequent mergers and acquisitions (M&A), having a flexible and de-coupled ERP architecture is crucial. Modern ERPs can adapt to changing organizational structures and business needs, making it easier for companies to integrate newly acquired entities or divest parts of their business. This agility in ERP systems positions organizations to improve their merger and divestiture velocity, enabling faster and smoother transitions.


BCG Platinion’s Role in Navigating ERP Renewal


At BCG Platinion, we understand the importance of ERP security renewal, and our industry experts can help clients address these challenges. We specialize in guiding organizations through this critical process, ensuring that they can protect their valuable data assets.



Some best practices and recommendations for ERP security renewal include:


  • Proactive Renewal Planning. Don’t wait until the last minute to renew your ERP security, as doing so can lead to rushed decisions and potential vulnerabilities. When you develop a proactive renewal strategy, you take into consideration your organization’s long-term operational and financial goals. This involves assessing your current ERP system’s performance, identifying areas that need improvement, and aligning these improvements with your business objectives. Proactive planning also allows you to allocate resources and budgets effectively for the renewal process.


  • Cybersecurity. ERP systems store and manage sensitive data, making them attractive targets for cyberattacks. Cybersecurity measures should encompass access control, data encryption, intrusion detection systems, and user authentication. As cyber threats constantly evolve, renewing your ERP security involves staying vigilant and adapting to the latest cybersecurity best practices to safeguard your organization’s valuable assets.


  • Regular Updates. ERP systems are not static; they evolve over time, and so do the threats they face. Regular updates to your ERP system, including both software and security measures, are vital to address emerging threats and maintain the overall system’s functionality.


  • Collaboration. Collaboration is key to successful ERP security renewal. Engaging with experts who have a deep understanding of ERP systems and cybersecurity is crucial. ERP systems are complex, and the intersection of business processes, technology, and security requires specialized knowledge.


In a world where data is a valuable asset and cybersecurity threats are ever-present, organizations must prioritize ERP security renewal all year round. Delaying this critical process can expose organizations to risks that can have far-reaching consequences.


Those who make cybersecurity a priority will not only safeguard their valuable data but also unlock greater resilience in the face of evolving threats. ERP systems are, and will remain, the transactional engines of companies, running the core processes and producing the business-critical data needed to be successful in a data-driven future. Embracing ERP security renewal is the key to staying competitive, efficient, and secure in an ever-changing cybersecurity environment.


If you need support in your ERP renewal process or for professional advice, get in touch with us today.


About the Authors

Alexander Gray

Managing Director
Oslo, Norway

Alexander Gray is a Managing Director in the Oslo office of BCG Platinion. He has over 23 years of experience in IT & digital transformation, enterprise architecture, software engineering and IT strategy.

Prior to joining BCG, he spent 11 years at PwC Consulting in Oslo (Partner), 7 years at Accenture and 5 years as a freelance consultant and at other consultancies. He has run a number of large-scale technology transformations as a programme lead, technical project lead, chief architect, and strategic advisor to executives and boards. Alexander is an architect with deep technical skills in software development, solution architecture, and data & analytics, combined with a strong understanding of business drivers, transformation management and organisational behaviour.

Jatin Srivastava

Managing Director
London, UK

Jatin is a Managing Director with more than 20 years of global experience in helping clients undertake their digital journey, with a special focus on Cloud Transformation, Next Generation ERP, Business Process Transformation/Outsourcing, Automation, Blockchain, Cognitive Computing and Analytics. He has designed and delivered IT-enabled transformation programs for major corporates within Consumer Industry and has expertise in driving technology alignment with business goals and organizational changes.

He has led and shaped complex transactions working together with senior client executives, structuring commercial constructs while leading multi-national teams, client presentations and contract negotiations.

Juuso Soininen

Partner and Associate Director
Helsinki, Finland

Juuso is a Partner and Associate Director, focusing on Digital and Tech Transformations, World Class Tech Function, Cyber Security and Risk Management across all industries.

He executes Business Strategy, M&A and transformation work in the Technology (SW/SaaS, HW and services), Media, Telecom and Financial Services industries.

He supports case teams across industry practices, with most of his experience in Technology (software, hardware, and services), Media, Telecom, Financial Services, Industrial Goods, Energy and Consumer retail sectors. He works on a broad range of CEO, CIO, CDO, CTO and CISO topics, with emphasis on how to build value creating, modern, effective and secure IT, digital and technology capabilities and make Digital strategies and transformations happen in practice.

Petri Juusela

Associate Director
Helsinki, Finland

Petri Juusela is an Associate Director leading the BCG Platinion Helsinki office and Enterprise Solutions in the Nordics.

He has extensive experience in large-scale ERP program de-risking and activist program management, ERP target architecture, business cases and implementation roadmaps, SAP S/4 Transition strategy and program setups, and an S/4 HANA transformation roadmap at a grocery retailer.

Prior to joining BCG, Petri gained 11+ years of management and leadership experience in value-driven IT strategy, architecture and implementation with SAP, as well as 1.5 years of manager experience in the transformation program management office at Ahlstrom and 8 years of management consulting experience from industry positions at Deloitte.

Eivind Høydal

Senior IT Consultant
Oslo, Norway

Eivind is an IT Consultant in the Oslo office of BCG Platinion. He has worked extensively with cybersecurity across different sectors, and is a core member of Cyber & Digital Risk. He has additional experience with data strategy, data analytics and working with IT functions.

He studied at the Norwegian University of Science and Technology, where he received an MSc in Communication Technology and Digital Security.