NetSuite’s powerful enterprise resource planning (ERP) platform is widely used by businesses to manage everything from finance to supply chain operations. However, recent findings show that thousands of NetSuite customers may be unknowingly exposing sensitive data to unauthenticated users, making them vulnerable to potential data breaches.

In a report by AppOmni’s Chief of SaaS Security Research, Aaron Costello, it was revealed that several thousand NetSuite customers were unintentionally leaking data via externally facing stores built with NetSuite SuiteCommerce or NetSuite Site Builder. These exposures are often caused by misconfigurations in access controls, particularly within Custom Record Types (CRTs), which allow unauthorized users to access sensitive information such as personally identifiable information (PII), including customer addresses and mobile phone numbers.

How Are These Breaches Occurring?

The exposures stem from the way organizations configure access to the NetSuite APIs they use to manage data. Although NetSuite offers various access control settings, Custom Record Types (CRTs) are frequently misconfigured. CRTs, which are designed to store custom data, allow flexibility in how they are accessed. However, many businesses leave these settings on “No Permission Required”, inadvertently allowing unauthenticated access to sensitive data.

According to Costello’s findings:

– Many NetSuite customers were unaware that their instance included a default public-facing store upon purchase, which was exposing customer data.

– Sensitive customer data, such as PII, was commonly leaked due to misunderstood access control settings.

– Misconfigured CRTs allow unauthorized users to access data through NetSuite’s SuiteScript API. Hackers can leverage the API to retrieve customer information, despite organizations believing their data was secure.

These breaches are not the result of a NetSuite vulnerability but rather misconfigurations in the platform’s table-level and field-level access controls. For instance, an organization may believe that setting a field’s Default Access Level to “None” secures the data. However, if the Default Level for Search/Reporting is still set to “Edit,” malicious actors can access the data via the API.
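The interplay between the two field settings described above, as an added audit example that is not part of the original article or of any NetSuite tooling: it walks an exported CRT definition and flags fields that remain readable through search/reporting even though their Default Access Level is “None”. The dataclass layout, the level values and the sample record are assumptions constructed for illustration.

```python
"""Audit exported Custom Record Type (CRT) settings for the pattern described
above: a record type set to "No Permission Required" whose fields still have a
readable Default Level for Search/Reporting, even when Default Access Level is
"None".  The data layout and sample values are constructed assumptions."""
from dataclasses import dataclass, field

EXPOSED_LEVELS = {"View", "Edit"}  # search/reporting levels that return the field


@dataclass
class CustomField:
    script_id: str
    default_access_level: str    # assumed values: "None" | "View" | "Edit"
    search_reporting_level: str  # assumed values: "None" | "View" | "Edit"
    sensitive: bool = False      # admin-tagged PII (address, phone number, ...)


@dataclass
class CustomRecordType:
    script_id: str
    access_type: str             # e.g. "No Permission Required"
    fields: list = field(default_factory=list)


def audit_crt(crt):
    """Return (field_id, reason) findings for fields reachable without a role."""
    findings = []
    if crt.access_type != "No Permission Required":
        return findings  # record requires a permission; not anonymous-readable
    for f in crt.fields:
        if f.search_reporting_level in EXPOSED_LEVELS:
            why = "search/reporting level %s" % f.search_reporting_level
            if f.default_access_level == "None":
                why += " bypasses Default Access Level None"
            if f.sensitive:
                why = "SENSITIVE: " + why
            findings.append((f.script_id, why))
    return findings


# Constructed sample: a CRT an administrator believed was locked down.
SAMPLE = CustomRecordType("customrecord_customer_profile", "No Permission Required", [
    CustomField("custrecord_mobile", "None", "Edit", sensitive=True),
    CustomField("custrecord_address", "None", "View", sensitive=True),
    CustomField("custrecord_note", "None", "None"),
    CustomField("custrecord_tier", "View", "View"),
])

if __name__ == "__main__":
    for fid, why in audit_crt(SAMPLE):
        print(fid, "->", why)
```

Only the two settings named in the article are modelled; a real audit would also account for role-based permissions granted on the record type.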

NetSuite is not the only ERP platform facing these challenges. The rise of cloud-based ERP systems has introduced new security risks for businesses. Some key trends include:

1. API Exploitation: As more businesses rely on APIs to streamline their operations, attackers are increasingly targeting API vulnerabilities. In fact, over 80% of data breaches in cloud platforms are due to misconfigured APIs.

2. Inadequate Access Controls: Misunderstood or misconfigured access controls are becoming one of the most common causes of data breaches in ERP systems like NetSuite and Salesforce. Businesses often do not have a clear understanding of how permissions work, which leaves sensitive data vulnerable.

3. Third-Party Risks: ERP systems are often integrated with other third-party tools and platforms, expanding the attack surface. Poorly secured integrations can create backdoors into otherwise secure systems.

Why On-Prem Backup and Security Solutions Are Crucial

The growing complexity of cloud ERP environments, paired with the increasing number of cyber threats, makes it essential for organizations to consider on-prem backup solutions as part of their security strategy. Here’s why:

1. Complete Control Over Data: On-prem backup solutions, like those offered by Sesame Software, provide organizations with full control over their data. Instead of relying on cloud providers to secure data, businesses can enforce their own access controls, ensuring no unauthorized users can access sensitive information.

2. Reduced Exposure to Misconfigurations: Cloud-based systems are often updated and modified by third-party vendors, leaving room for misconfigurations. With an on-prem solution, businesses have tighter control over how data is stored, accessed, and backed up.

3. Protection from API Vulnerabilities: While APIs are critical for streamlining ERP operations, they also present significant security risks. On-prem solutions reduce the need for external APIs, limiting exposure to potential vulnerabilities.

4. Regulatory Compliance: Many industries, including finance and healthcare, have strict regulations around data security. On-prem solutions make it easier to comply with these regulations by allowing businesses to enforce strict security measures, ensuring sensitive data never leaves their environment.

Steps to Prevent NetSuite Data Leaks

To mitigate risks and prevent data leaks within NetSuite, organizations should take the following steps:

– Review CRT Access Controls: Audit your existing CRTs and ensure that any sensitive data is properly secured. If a CRT must be public, ensure that sensitive fields are restricted with role-based permissions.

– Disable Unnecessary Public Sites: Many organizations may have unintentionally deployed public-facing SuiteCommerce websites. If these are not required, take them offline to prevent unauthorized access.

– Regularly Monitor and Audit API Usage: Ensure that your team is regularly reviewing API usage and access logs for suspicious activity. Although NetSuite does not yet offer ready-made transaction logs, administrators can request them from NetSuite support if there is any suspicion of a breach.

– Train Administrators on Best Practices: Misconfigurations often arise from a lack of understanding of access controls. Providing training and resources to your administrative team can help reduce the likelihood of human error.

As NetSuite and other cloud ERP systems become more prevalent, so too do the risks associated with misconfigurations and API exploitation. While cloud solutions offer convenience and scalability, the rise in breaches highlights the need for businesses to implement robust data security strategies. By leveraging on-prem backup and recovery solutions, organizations can protect their sensitive data from the ever-growing threat of cyberattacks and misconfigurations.

Looking for a Place to Start?

At Sesame Software, we provide comprehensive NetSuite backup and archiving solutions that ensure your data is fully secure, accessible, and compliant. Don’t wait until a breach happens—ensure your ERP data is protected today.

Schedule a demo of Sesame Software today to learn more about our solutions and start enhancing your data backup strategy today.