ERP Horror Stories: Creeping Scope and Ransomware from Beyond the (Technological) Grave

This article is sponsored by Western Computer.

Stories about ERP implementations gone horribly wrong still abound. Some implementations drag on for years due to organizational factors. At other times, companies are forced to contend with a crisis like a ransomware attack.

When the issue relates to outdated on-premises systems, careful planning and a successful deployment of cloud technology can help to snap companies out of an ERP nightmare. Greg Williams, VP of Strategy at Western Computer shared a chilling “ERP horror story” about a mid-size manufacturing and distribution company bogged down in one type of implementation disaster that then ended up with even worse luck thanks to a ransomware attack.

ERP Horror: Scope creep, then hacking

The story behind the story Williams shared centered on a mid-size manufacturing and distribution company. They were two years into an ERP modernization project (not involving Western Computer), an incredibly long time for a company of this size. What was causing it to drag on?

“I think what happens is a lot of companies get enamored with scope creep and adding more features. And they try to make everyone happy, and they [decide to keep] extending because they keep seeing more and more features that they want to add to the system. And in this case, I think the company also had some turnover within their team, which slows things down,” Williams explained.

While working on this long-term ERP implementation, the situation deteriorated when this mid-sized business found itself offline for weeks due to a ransomware attack on its legacy systems. According to Williams, a representative of the company, sensing a lack of capabilities from the current ERP implementation team, reached out to Western Computer, which mobilized quickly to implement Dynamics 365 Business Central as a work around in a matter of weeks.

“One of the nice things about Business Central being a Microsoft CSP product is, there's no bureaucracy with ordering it… We started configuration and training on day one,” Williams recalled.

Western Computer often encounters customers using legacy systems that are especially vulnerable to ransomware attacks. According to Williams, ransomware attacks are one of the biggest threats for legacy tech users, with one or two percent of these companies experiencing an attack each year. By comparison, customers with workloads in the cloud have withstood these threats.

Occasionally, cloud can still have downtime, like a frustrating multi-hour outage on the East Coast of the US, where a customer was forced to wait until Microsoft resolved the problem. Despite these annoyances, cloud promises much greater security compared to customers using legacy systems that can find themselves doing complex forensics to recover data after a ransomware attack.

“When we were talking to them five to seven years ago, many small business owners had an attitude that their on-premises systems are actually more secure compared to the cloud. Because their attitude was, I'm just this little target, and this little company with servers in my closet, who's going to bother me. If the hackers are going to go after something, they're going to go after Microsoft or Amazon, after those big targets. And we know now that wasn't true. Hackers are going to find the easy targets, even if they're small, and they're not going to break into Fort Knox. They're going to break into whoever has lax security,” Williams said.

How should companies prepare for the possibility of a ransomware attack? Williams said that for companies that still have a valid business reason to run on-prem, they should buy ransomware insurance, have a validated disaster response plan that goes beyond just backup, and also maintain a cloud backup in a distant geographical region. Fortunately, with fewer and fewer organizations hosting on-prem Exchange servers, organizations can usually continue to communicate using Gmail or Outlook even after an attack.

For companies that choose to outsource much of their security to Microsoft, Williams recommends checking the Microsoft Trust Center to see the latest compliance standards for HIPAA, ISO, and other protocols.

“In the on-premises world, we had an attitude of getting everything in the system upfront, and getting out a stable version, and then you would just stay on that version for years. You would never really update. And the cloud is different. You're going to be updating twice a year, at a minimum,” Williams said.

Many organizations remain reluctant about the cloud because they fear getting trapped in a costly IT rental model with two major cloud providers, Microsoft and Amazon. Williams disputes that viewpoint, because many companies may not understand how much they spend on third-party firewalls and other resources compared with Microsoft’s own built-in cloud security. At almost every turn, it is more work to remain on on-prem systems, with something—whether security or credit card processing—always on the verge of being out of date.

“[At Western Computer] we've done hundreds of implementations. We are experts in key areas like distribution and manufacturing. We do all the Microsoft Dynamics products, Business Central, as well as Dynamics 365 Finance and Supply Chain Management. We also do the complementary Dynamics 365 Customer Engagement products, like Sales and Customer Service, and Project Operations, and Field Service,” Williams said, encouraging customers to consider a cloud-based future with Dynamics.

Watch the full conversation here.

…

Photo by Ganapathy Kumar on Unsplash