The Risks To ERP From AI and IoT

Sometimes, advances in technology can take away even as they give.

Recently, I wrote about the enhancements to ERP software systems that might come from Artificial Intelligence and the Internet of Things during 2019. While I stand by my fearless November forecast, AI and IoT also pose security risks to ERP users. Those considering adding AI or IoT capability to a system need to be careful.

AI’s Risks

As AI moves into the next generation of development, it’s also creating the next generation of “smart attackers.” Cybercriminals have countless incentives to develop, scale and launch attacks, given the growing quantity and wealth of the business, financial and operational data stored in a company’s ERP system. Especially alarming is that organizations preparing and directing attacks are collaborating and freely sharing information, which will only accelerate their ability to strike.

Moreover, experts say that employing AI as a cybersecurity detection tool can be a two-edged sword. On the one hand, it promises to detect potential viral threats before they invade and capture your system. On the other hand, because AI is fairly new, it may not yet integrate smoothly into an ERP system, meaning that the expense won’t equal the value.

It doesn’t help that there is an “arms race” between AI developers, which leads them to exaggerate claims about the variety and quantity of features available. For users of ERP software systems, the marketing hype has to be viewed with skepticism until the focus shifts from “how many” to “how good” the various AI products actually are. ERP developers and users alike need to recognize that simply having a few well-crafted features is more likely to improve threat detection while reducing the number of false positives.

Since AI requires a large data pool to function in ERP software systems, it’s relatively easy for developers to leave that data unprotected. When identifiable consumer data is involved, the risks are huge – especially with GDPR in the E.U., Canada’s PIPEDA law and the California data security legislation that will be effective in less than two years. The need to protect is getting bigger, and the failure to do so can be enormously expensive as well as embarrassing. AI, as it applies to ERP systems, is nowhere near ready to do the job yet.

IoT Problems

On the consumer side, IoT-connected appliances are already triggering unintended and unauthorized payments that people cannot verify. Now imagine the motherlode of financial and operational data that an ERP system contains, which makes it a ripe target for hackers who have an incentive to undertake the effort.

The IoT is particularly vulnerable, according to experts I’ve read and spoken with recently. Because it often employs satellite communications to send data from one facility to another, and little attention has been paid to satellite security, both private and state-sponsored actors are zeroing in on the target. Indeed, executives in both the civilian and military satellite industries in the U.S. and Europe have formed a government-backed clearinghouse to share information on cyber threats to space assets.

For ERP developers and users, this all means that the current technology has grown faster than the security built into linkages between ERP and the IoT, particularly if identifiable information is stored in the system. If the privacy regulations at the state level spread beyond California, consumers and ERP users alike may be lulled into a false sense of security regarding the safety of the data.

Broad Implications

What all of this means is that an ERP contract now must also reflect the security vulnerability of software systems that will include either an AI or IoT capability. Such contracts need to be written especially tightly. For users, certain warranties and assurances need to be included; for developers and integrators, it means not overpromising what either enhancement will deliver or how safe they are from cyberattacks.

As an ERP software contract negotiating and drafting attorney as well as a litigator representing clients in ERP disputes, I’ve seen instances where a user did not specify in detail the exact requirements they needed and developers or integrators fudged what would be delivered.

This is always an issue with ERP contracts. Because AI and IoT are so new and are just now being introduced to ERP software systems, it is especially important to have the deliverables spelled out precisely in the written agreement. If you’re either considering a new ERP software system that will include AI or IoT, or upgrading a legacy system, be sure to consult with a lawyer who understands both the possibilities and limits of what you’re licensing before signing anything.