ERP Security for Manufacturers: The Six Gaps That Put Your Business at Risk

ByNBIT Team

Your ERP system is the operational backbone of your manufacturing company — it holds your production schedules, customer orders, pricing, financial data, vendor contracts, and often your intellectual property. It’s also one of the most under-secured systems in most manufacturing environments. Here’s what responsible ERP security looks like in 2026.

Why ERP Systems Are High-Value Targets

Attackers who reach your ERP system don’t need ransomware. They can:

  • Exfiltrate customer lists and pricing for competitors
  • Modify bank account routing numbers to redirect payments (Business Email Compromise variant)
  • Steal product formulations or manufacturing processes stored in item master records
  • Manipulate production orders to introduce quality defects
  • Hold financial data hostage during month-end close when you’re most vulnerable to paying

The FBI’s Internet Crime Complaint Center reported $2.9 billion in Business Email Compromise losses in 2023 — much of it routed through ERP payment manipulation. Manufacturers are disproportionately represented because their ERP systems often have aging security configurations and overprivileged user accounts.

The Most Common ERP Security Failures in Manufacturing

1. Shared Superuser Accounts

In many manufacturing environments, three or four people share a single “admin” account in the ERP because setting up individual accounts was never prioritized. When something goes wrong — or when that account is compromised — there’s no audit trail showing who did what. This is a fundamental internal controls failure that auditors flag and attackers exploit.

2. Excessive User Permissions

Most ERP users have access to modules and functions they’ve never touched. A warehouse receiving clerk who also has access to modify vendor banking information is a segregation of duties violation — and a significant fraud risk. Role-based access control (RBAC) should reflect what each employee actually needs to do their job, nothing more.

3. Unpatched ERP Software

ERP updates are disruptive. They require testing, often require downtime, and sometimes break custom integrations. As a result, many manufacturers run ERP versions that are one, two, or even three major versions behind. Each skipped version is a collection of known vulnerabilities that attackers actively exploit. The question isn’t whether attackers know about these vulnerabilities — they do, they’re published in CVE databases — it’s whether your system is patched against them.

4. ERP Exposed to the Internet

Remote access to ERP systems is necessary in modern manufacturing. But the method matters enormously. ERP systems that are directly accessible from the internet (even via HTTPS) without a VPN or zero-trust gateway are exposed to credential stuffing attacks, brute force attempts, and known application vulnerabilities. Every manufacturing ERP should be behind a VPN with MFA — not directly internet-facing.

5. No Database-Level Security

The ERP application is the front door. But the database behind it — SQL Server, Oracle, or PostgreSQL in most cases — is often configured with overprivileged service accounts, default credentials, or no encryption at rest. Attackers who bypass the application layer can query the database directly if it’s reachable on the network.

6. No Backup Validation

Most manufacturers back up their ERP databases. Far fewer have tested whether those backups actually restore. A backup that exists but won’t restore under pressure is not a backup — it’s false confidence. Ransomware attackers specifically target backup systems to delete or encrypt backups before launching the main attack, knowing recovery becomes impossible.

A Security Baseline for Manufacturing ERP Systems

The following controls represent a reasonable baseline for manufacturers running Epicor, SYSPRO, Infor, or SAP Business One:

Access Controls

  • Individual named accounts for every user — no shared credentials
  • Role-based permissions mapped to job function, reviewed annually
  • MFA required for all remote access and all administrative accounts
  • Privileged accounts (system administrators, finance administrators) separated from standard user accounts
  • Automatic session timeout after inactivity

Network Security

  • ERP application servers isolated on a dedicated VLAN, not on the general office network
  • Remote access through VPN with MFA — not direct internet exposure
  • Firewall rules restricting which workstations can connect to ERP on which ports
  • Database ports (SQL 1433, Oracle 1521) not reachable from general office network

Patching and Updates

  • ERP on a supported version with a documented patch schedule
  • Database software (SQL Server, Oracle) current on security patches
  • Operating systems hosting ERP servers on current supported versions
  • A documented change management process for updates that includes a test environment

Backup and Recovery

  • Database backups at least daily, transaction log backups more frequently for high-volume operations
  • Backups stored off-site or in immutable cloud storage (not on the same network as the production system)
  • Documented and tested recovery procedures — tested at least annually
  • RTO (Recovery Time Objective) and RPO (Recovery Point Objective) defined and agreed upon with leadership

Monitoring and Audit

  • ERP audit logging enabled and retained for at least 12 months
  • Alerts on critical changes: new user creation, permission changes, banking information modifications
  • Failed login monitoring and lockout policies
  • Periodic review of user access rights by department managers

The Segregation of Duties Problem

Segregation of duties (SoD) is an internal controls principle that prevents a single person from controlling an entire financial transaction end-to-end. In ERP terms: the person who sets up a vendor should not be the same person who approves payments to that vendor. The person who receives inventory should not be the same person who approves the purchase order.

In small manufacturing companies, SoD often falls apart because there simply aren’t enough people. That’s a reality. But compensating controls exist: approval workflows that require a second sign-off on high-risk transactions, exception reports reviewed by an owner or controller, and audit logging that creates accountability even when the same person handles multiple steps.

NBIT can help you map your current ERP access model against segregation of duties principles and identify the highest-risk gaps without requiring a complete organizational restructure.

Getting Started

An ERP security assessment typically starts with three questions: Who has access to what? How is that access protected externally? And what would recovery look like if the system were encrypted tomorrow morning?

If you don’t have confident answers to all three, an assessment is the right starting point. NBIT has worked with Epicor, SYSPRO, and Infor environments and understands the specific security configurations and limitations of each platform.

Schedule a discovery call to discuss your ERP environment and where you stand.

Talk to an Engineer

Ready to strengthen your manufacturing IT?

Our team works exclusively with manufacturing and industrial companies. Schedule a free 30-minute call to see where your network stands.

Schedule a Free Assessment

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *