Select Page
Don’t Avenge a Cyber Attack – Prevent It

Don’t Avenge a Cyber Attack – Prevent It

One cyber world story that captivated me as a youth was the character of “Ultron,” as depicted in comic books and in the movie adaptation of The Avengers. The character was a breed of artificial intelligence created with the intent of protecting the earth. But he turned against his creators, and against the earth itself, becoming a cyber super villain in the process. Origin story complete. Now queue the good guys.

Cyber Attack Encrypted Files Ransomware Attack

Such is the nexus of superhero narratives. A good intention turns violently wrong, necessitating radical intervention. Movies and comic books love to prey on fears of killer robots and cyber intelligence. It’s an archetype as old as the myth of Daedalus and Icarus: technology going too far and humanity in its arrogance flying too close to the sun, then landing on those old Led Zeppelin t-shirts instead.

Companies encounter similar, albeit less explosive, narratives when deploying cybersecurity solutions, in an attempt to lock down their networks. Often such solutions are deployed in the absence of a comprehensive infrastructure threat review. As such, they fail to provide comprehensive cyber protection.

This amounts to a technical placebo. The cybersecurity plan once implemented gives the impression of the cure without any real medicine provided. And while the attempt to paint over one’s data security problems is not itself an act of malice, it can nevertheless have deleterious effects to the organization in question. 

My own experience in the business world tells me that user oblivion is as dangerous as malice when it comes to cyber vulnerability. A corporate network with rudimentary cybersecurity and normal online hacking attempts, such as phishing scams or malvertising, can be more problematic than a secured network under a heavy cyber attack, such as ransomware.

A Cyber Attack from an ERP Perspective

While the tale of Ultron and the Avengers had itself a happy ending, the story of many businesses is not so optimistic. I once worked for a manufacturing organization that was on the cusp of an ERP (Enterprise Resource Planning) cutover. Painstaking work had been done to ensure that all steps were accomplished and that everyone was ready for a successful go-live.

Training, communication, data conversion—all of the pieces were in place. Cutover weekend went without a hitch; the steps in the go-live plan were executed without issue. The first day live went off without major problems. The normal hiccups associated with a new system surfaced, but nothing unexpected came the way of the ERP implementation team.

On the second day after the ERP go-live, users quite suddenly lost access to shared network drives. Soon after, they began receiving errors when trying to save ERP transactions to the database. Then they abruptly lost access to the application entirely. Amongst all of the communication, they hadn’t even realized yet that their email server had gone down and that they were therefore no longer sending nor receiving communication. Their network had been completely compromised. Chaos ensued.

When people think of the most common reasons for an ERP failure, they normally speak of over-customization, or a lack of management support. They rarely think of ransomware. But for the company in question, getting ransomed over cutover weekend was the first step to a cascading number of failures. In a panic, the company reached for paper-based manual processes while communicating to customers and suppliers over hotspot connections, using the employees’ own private email accounts. It was a cyber mess on all ends and resulted in late shipments, efficiency issues, unhappy customers, and months of work to resolve. Time and talents could have been spent on things other than cyber attack recovery—if only the company had been prepared through preventive measures.

Companies Running ERP Systems Can Avoid Ransomware

The moral of this story is less than heroic: there are no super powers that can save a network that is unprepared, or insufficiently prepared, for an attack. And there are no super heroes to jump in and avenge the wrongdoing.  

Avoiding a cyber attack entirely is always preferable to avenging it after it’s happened. Many companies believe they’ve taken the steps necessary to mitigate a cyber attack. Enterprise risk management needs to be an ongoing activity, however, with business owners and executives involved in designing, understanding, and implementing a cybersecurity plan customized to the vulnerabilities of the industry under attack—because every industry is ALWAYS under attack. 

A company’s greatest vulnerabilities are often the ones that they never realized they had. The greatest risks are the ones they believe they’ve already mitigated. The company in this tale of ERP implementation security chaos thought they had done everything internally to secure their network. But their efforts were done in a vacuum, without any impartial opinions or outside analysis. They weren’t out to create a monster, but their vulnerabilities created a monstrous problem. They didn’t feel they were walking on enemy ground because the villians were hidden and undetected by current cybersecurity measures.

The lesson to be learned here is that malice often masquerades as magnanimity. The most significant threats to an organization are often clothed in good intentions.

Is Your Business at Risk of a Cyber Attack?

Could cybersecurity be the biggest problem you didn’t know you had? I’ll spoil the plot—cyber vulnerability, particularly the risk of a ransomware attack, is the biggest problem currently lurking within most businesses. Manufacturers are at risk of complete shutdown. Distributors face supply chain attacks on a daily basis. And there is no type of business that isn’t under attack. Law offices, financial institutions, hotels, medical facilities—all are under the threat of a cyber attack.

Are you feeling the cyber risk and wondering what you can do to protect your business? Don’t avenge your problems—prevent them before they’ve occurred. Get a security assessment, identify your vulnerabilities, and assemble your future. Know the problems you had yesterday and predict the ones you might face in the future of cybercrime.

Manufacturing Cybersecurity by the Numbers

Manufacturing Cybersecurity by the Numbers

Old Cyber Risks, New Cybersecurity Rules

Longtime NHL coach and living legend Scotty Bowman once famously claimed that “statistics are for losers.” For a game filled with numbers, that was a pretty bold statement. Around the same time, business author Peter Drucker, a legend in his own right, argued the opposite point, saying “if you can’t measure it, you can’t improve it.” There is certainly something to be said for “the bottom line” — the final score of a game is ultimately the most important number.

But a compelling case can be made that a winning game, a winning team, or a winning organization is comprised of many discrete elements, and that by seeking to measure and improve these key elements, the overall system will benefit accordingly. Our contemporary Moneyball sports world rendered Bowman’s statement a quant anachronism. Similarly, in the business world, managers and executives increasingly look for metrics that help them understand their areas of responsibility.

Manager, Technical, Industrial, Engineer, Working, Control, Robotics, Monitoring, Manufacturing Cybersecurity Technology

“Running the numbers” is not a substitute for successful management, but can be a valuable tool in its execution.

On that note, the National Institute of Standards and Technology (NIST) published a list of “20 Cybersecurity Statistics Manufacturers Can’t Ignore” which details some of the critical numbers that separate winning companies and organizations lost to the nefarious designs of malware, hackers, ransomware and the varying forms of cybercrime. From this list, a few highlights immediately come to the fore. By listening to the information embedded in the data, organizations can act quickly to mitigate the biggest threats that they didn’t know they had. A good manufacturing cybersecurity strategy can address old problems, predict new ones, and keep all operations cyber safe.

Ransomware Remains a Primary Threat to Manufacturers

The impact of ransomware on businesses has been monumental. According to NIST, 1 in 5 small or medium-sized businesses (SMBs) report that they have fallen victim to a ransomware attack. This makes ransomware the number one threat to organizations. Ransomware is unique among attacks in that it does not seek merely to damage the resources within a network. Rather, a ransomware attack encrypts company files, making them inaccessible to the organization and its users. Access to the decrypted files is only provided once payment to the assailant has been made. 

The effects of ransomware are immediate. When a company gets ransomed, all operations affected by the encrypted files come to a grinding halt. This has a cascading effect across the organization as it struggles to stay open during the crisis. This often results in delayed production, late shipments, confused inventory levels, and frustrated customers. To cope with the outage, the company normally resorts to a handful of painful workarounds that are difficult to unravel and clean up once the ransom has been paid.

Ransomers Attack & Manufacturing Cybersecurity Teams Rally

In DoD environments where data cyber security is key, the impact to a company’s reputation can be detrimental. As such, it is no surprise that a ransom situation can cause an organization to go out of business entirely. Worse still, the costs are increasing. According to NIST, over the course of a single quarter in 2019, the average ransomware payment went up by 13% to $41,198. The impact on an SMB’s cash flow should be self-evident. Hackers know no limit when it comes to ransomware targets, attacking companies of all sizes. For that reason, there is no reason to believe that your organization can hide under the hacker’s radar. Therefore,  manufacturers across the nation are increasing their investments in enterprise risk management and security solutions.

Microsoft Office is a Primary Vehicle for Malware

Microsoft Office has been a mainstay of organizations large and small. But the security risks of Microsoft files in an unmanaged environment are considerable. According to NIST, 38% of malicious file extensions come from Microsoft Office formats such as Word, PowerPoint and Excel, making this the most common set of file extensions. Microsoft’s Office suite has long been entrenched in the daily life of SMBs and manufacturers. Shop schedulers frequently define and redefine priorities using spreadsheets, SOPs utilize document formats for process control, and presentations to a company’s staff routinely take the form of a PowerPoint presentation.  

While these file formats are common, they are far from invulnerable, and the robust capabilities that Microsoft created within each format provides opportunities to embed hostile code that can detonate once the files are saved within the network parameters of an organization. And file sharing across the manufacturing community is widespread. It is common, for instance, for vendors and presenters at manufacturing conferences and trade shows to hand out flash drives containing promotional materials. Manufacturing cybersecurity policies need to include these activities because should these files be infected, the consequences of introducing them to an unprotected company network could be catastrophic. As such, companies need to take care in managing the devices that connect to network, and the safety of the files they contain.

Social Media Accounts Become a New Target

Social media is widespread, and manufacturers are increasing playing along in order to get more visibility for their products and more interactions with their customer base. But with the proliferation of online social interactions comes increasing risk. In fact, 63% of MSPs anticipate that hackers will increasingly target social media accounts, according to NIST. Similar to Microsoft Office, social media toolsets have increasingly found their way into organizations. Initially thought of as a distraction, these toolsets have become embedded in many organizations, allowing for more collaborative communication between suppliers, customers, individuals, and groups.

Like the Microsoft Office suite, social media platforms have been enhanced and expanded, with new capabilities added on a routine basis. But a single compromised account can compromise an entire network when accessed from within the network’s parameters. Worse still, given the continually evolving nature of social media platforms, the threats are similarly evolving. Business owners need to understand what role social media will play in their organizations, and how these platforms can be leveraged without excessive risk. Manufacturing cybersecurity measures should take into account all accounts, including those on Twitter, Facebook, and similar online social meeting grounds.

Ghost Security Breach

When it comes to cybersecurity for manufacturers and SMBs,

the numbers don’t lie.

The correlation between successful IT threat mitigation and business success is well documented. Understand the numbers and take the necessary actions to put the odds in your favor. Manufacturers can avoid a cyber security breach by taking it one step further by partnering with industry experts: managed services firms with cyber specialists lead the way in cyberattack mitigation.

Ready to assess the current state of your cybersecurity practices? Get a free whitepaper on best practices for manufacturers and strengthen your security strategy today.

How Manufacturers Can Prevent a Cyber Security Breach

How Manufacturers Can Prevent a Cyber Security Breach

Cyber security solutions are technological processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. Over the years, they have become a necessity in order for industrial firms to succeed. Manufacturing supply chains are often interdependent and integrated. Security within the entire supply chain will lessen any vulnerabilities that could impact the company as a whole. Manufacturers must prepare for a cyber security breach by way of proactive measures.

Cyber Security for Manufacturing Global Supply Chain Map

Has a hacker already gained access to your sensitive data?

All companies have private data that ranges from non-secure to highly secure information. This applies if you have one user, a million users, a million customers, or a supply chain with 500 million endpoints. This applies if your data is exclusive to networks outside of the United States or if you are global in reach.

Regardless of the size of the company, all companies include the following data within their protected systems, and this is the type of data that needs the highest level of endpoint security:

  • Social Security Numbers / Information
  • Bank Account Information
  • Personal Emails
  • Payroll Files
  • Account Information
  • Contact Information
  • Financial Records
  • Product Designs
  • Tax Records

Is your supply chain or customer data on the dark web?

If you have suffered a data breach in the past, the data included personal information, such as phone numbers or other personally identifiable information (PII). Leakage of such information could be fatal towards the growth of a company and its workers. Such sensitive information needs to be secured with proper cybersecurity measures. For companies that do not ensure these measures, the chances of survival within the digital world are slim. The only practical solution is developing ways to combat or prevent cyber risks.

Understanding Manufacturing Cyber Security 

In order to stay safe in a world where digitization is key to success, manufacturing companies have to stay prepared. The best way to prepare, understand and manage cybersecurity risks is by considering all areas that could be breached by an attack. By looking at such risks in a business, and from a legal standpoint, owners may aim to formulate regulatory procedures in order to avoid the damage that a cybersecurity attack can impose on their company. In order for a manufacturing company to not only exist but thrive, they must first UNDERSTAND:

Understanding the risk: First, one must understand that hackers aim to steal, exploit and disrupt the company’s work. This may not necessarily be a personal attack and therefore it must not be treated as one.

Narrowing down risks: Manufacturing companies utilize technology for a multitude of sectors within the company. Therefore, narrowing down where the weakest aspects of cybersecurity are would help avoid data loss or operational risk significantly. If an attack is successful, it is also helpful to know where the root of the problem may have begun in order to stop it.

Data access control: Data is one of the most important factors in cybersecurity. The reliance on a single password, as security for data information, leaves manufacturing companies unshielded from hackers. Implementing a series of security measures by ranking importance of data can establish a hierarchy that prioritizes confidential data. Making sure only limited personnel has access to the data will lower the risk as well.

Enterprising the risks: Since cybersecurity risk is such a prevalent aspect in technology, manufacturing companies must include a prevention plan in their enterprise. This includes spending the necessary funds to prevent any harm towards the company’s technology.

Readying for the worst: Another tactic is assuming that every cybersecurity breach will be crippling towards the company. This prepares staff through proactive methodology and technology.

Setting key roles in an incident plan: Defining roles in advance with a detailed plan will enable everyone to know exactly what is required of them in case of an attack. This will help in a time when it is necessary to move quickly. Everyone will remain organized and on task.

Training all employees: Manufacturing companies need to train all employees to know how to avoid human error, which is one of the highest risk factors within cyber attacks. Through training, proper communication can be established between IT (Information Technology) and OT (Operational Technology) workers. The creation of a community culture will enable proper guidance and action on security shortfalls.

Administering the company’s policies wisely: Cyber attacks in manufacturing companies range from light breaches to severe damages that shut down operations. Therefore, ensuring that effective policies are in place is essential. The entire company needs to understand the severity of even a small breach. Policies should be updated as new threats emerge. Staff should be informed of any backup strategies in place and also of planned disaster recovery steps.

Never forget the basics: Manufacturing companies should have a basic response plan in order to outline expected and anticipated actions. Routinely changing user passwords and checking all systems for vulnerabilities should be common occurrences.

Decoys for intelligence gathering: Deploying white collar hackers is another method that could prevent vulnerability to cyber attacks. Companies should place themselves in the mind of the attacker in order to gain more knowledge on how one may think. Therefore the company can counter the attack before a breach is successful. Using decoys allows manufacturers to actively identify and analyze trends in their system that need to be addressed.

The latest technology, including managed application hosting in the cloud, provides new openings for risk and reveals a general lack of effective security in companies of all sizes, across all industries. The manufacturing industry is particularly vulnerable due to complex applications and third-party software integrations. Manufacturers also have challenging compliance regulations that require intensive documentation and reporting. Small business IT solutions help manufacturers looking for partners who will help them grow without the burden of cyber risk.

Cyber security incidents put manufacturing companies at risk of shutdown

Zero-trust cybersecurity policies have become the most essential risk management strategy. The only way manufacturing companies can stay safe is by making sure they are secure on all ends. The first step is understanding the risks, then making the effort to make sure a security breach does not occur. This process utilizes security audits and penetration testing to gain full vision of all system vulnerabilities. In the chance that a data breach does occur, cyber protection and cyber insurance are critical for survival.

Prevent a Cyber Security Breach with Best Practices

 

 

cGMP Compliance & ERP

cGMP Compliance & ERP

What is cGMP?

cGMP stands for current Good Manufacturing Practice and, more than just initials, it is at the center of the US Food and Drug Administration’s efforts to protect citizens from potential hazards related to food and beverages, cosmetics, pharmaceuticals, and medical devices. ERP is the system used by businesses for accounting, inventory management, sales order processing and many other processes central to maintaining management control. ERP is where businesses keep the records that show they are complying with good manufacturing practice.

cGMP Compliance ERP

What does cGMP look like for manufacturers?

Process Control

Process control is critical in these controlled industries. We need to define exactly how our product flows through manufacture. Who will perform the necessary manufacturing steps? What ingredients or component parts are required? When does each step take place related to the previous and following steps? Where will we manufacture our products – in which facility and using which equipment? Why are we taking these measures to control our process? How will we document exactly what we did and compare it to what we said we would do?

Training

An ERP system has a record of each employee. That record goes well beyond payroll and human resources. If we add the training each person has had and their current work qualifications, we can use ERP to work with our cGMP process. We can now schedule specific people within our overall production schedule. The people scheduled are limited to only those who have required training and certification based on the rules we established within our business. Next we can use ERP to track exactly who worked on each manufacturing step. This enables us to pass any audits. We also now can know who might have made any error or failed to precisely follow our defined process.

Compliance Department

Inventory

Our cGMP includes a specific list of ingredients or component materials required to produce our product. Our list can further limit the materials used to those from specific suppliers or items commonly available from multiple sources. ERP helps us track each item by lot number so that we never inadvertently mix a lot in the same batch. Lot tracking sets up our ability to manage any potential recall. We know which output batch had an issue and know exactly which ingredient lots we used in that batch. We can also use ERP to avoid any chance of using an item beyond its shelf life.

Recipe or Routing

ERP provides us with the manufacturing path that we know meets cGMP. Step one is performed on certain equipment and specified operations must take place then. We can measure the outcome of step one and ensure production is ready for step two. Since we know the duration of every step, we can schedule equipment and personnel and provide the completion date and time for our customer.

Facilities and Equipment

Our cGMP specifies that products must be made only in approved manufacturing facilities and then only using specifically approved equipment within those facilities. The production schedules we use from ERP will use those limits and help us manage capacity requirements now and in the future. Manufacturers must identify what hazards might exist and establish control points best suited to capture and control those hazards. This requirement is known as HACCP or Hazard And Critical Control Points.

Testing and Measurement

Throughout the cycle of production, we will test and measure the product using values stored in the quality module of our ERP system. The tools we use are maintained and recalibrated as we define in cGMP and our test results include the specific tools used as well as the results. Testing and measurement looks for statistically significant variances and enables us to determine corrective and preventative actions and track those to completion all within our ERP.

Quality Management System

cGMP requires that we have an active quality management system that is fully documented. ERP is one of our primary record keeping tools and supports cGMP fully. Any business whose activities fall under the cGMP rules of the FDA should ensure their ERP fully supports their required control systems.

Are you facing ERP cGMP regulation challenges?

Our ERP consultants are here to help you navigate everything from ERP implementation to private cloud hosting deployment. EstesGroup’s managed IT specialists help clients with backup solutions, disaster recovery, hosting solutions, cybersecurity, and more.

Partnering with your ERP Consultancy

Partnering with your ERP Consultancy

How the Right ERP Consultancy Can Take the Risk Out of ERP Implementation

Implementing ERP presents many challenges. One of these involves the simple dilemma of finding good help. Implementing ERP is not a one-man band, but rather a symphony of interconnected members, each doing their part in the performance. Your ERP consulting partner is one such member of the overall team and can significantly impact the success of an ERP implementation. With that in mind, here are a few considerations that will help you make the best choice when finding a consulting partner.

ERP Consultancy Partnership Meeting

An ERP Consultancy Provides a Path of Success

Scope

At the beginning of your project, define what completion is and how to objectively measure the project’s completion. That definition might evolve as the project moves along, but it’s helpful to define your destination before you embark. This helps you understand how long you will need consulting assistance — completion means the consultant can move along to their next client. You will need to write that final check. Completion also means it is time for you and all the people in your enterprise to sit back and smile. Plan for that success.

Requirements

Consider the needs of your organization and the expertise you already have within your business. You might have a person you think is ready to lead your project: they have the skills and training, but a consultant could guide them and provide experienced mentorship along the way. Or, you might have a very lean organization and need to use a consultant as a full-time manager of the project and then plan to cut the consultant loose when the project is complete.

Culture

Culture is a very important consideration. The consultant who is successful working with a strict top-down leadership style will be different from a consultant who would succeed in an environment where each manager is independent and is expected to make decisions on their own. Your consultant must fit into your existing style and work well with your personnel.

Business Interaction

Negotiations with your consulting partner will begin with senior members of that organization. Those people might not be the same people who will actually work at your business with your own employees. Part of your agreement with the consultant should be control over consultant staff and their ability to get along with your employees.

Logistics

Provide your consultant with access to your systems, a place to sit, and an open communication line to everyone. Introduce the consultant to your staff and let people know who they are and the important work they will be doing on your behalf. Reinforce the call to open communications as needed throughout the project. Many ERP projects are a means of providing tools for future expansions or other plans that likely are confidential. Ensure the consultant understands and has signed appropriate non-disclosure agreements.

Change Management

You will hire a consultant that has the expertise to work with your business eventually to a successful completion of your ERP project. The relationship is not entirely technical. Your employees and system users all react to change in their own unique ways. Some will adapt quickly and embrace the new processes. Others will fight to keep the old process they are already comfortable using. Most will fall somewhere in between, neither fighting change nor immediately accepting change but will, in the end, use your new ERP system. A few might never accept the changes and will part from your business.

Managing change and helping your people along is one of the critical components of your ERP project. The ERP consultant you hire probably has the expertise you need in this area and you should take full advantage of it so your people can stay satisfied.

Data Management

Part of the ERP project will be data conversion from your legacy systems and loading that data into the new ERP. Many IT staff do not have the bandwidth to handle this work in addition to their current jobs. Often this work will be managed by your consultant. Consider who will handle data not only during the project’s duration, but also who will pick up the responsibilities thereafter.

Verification

As the project moves along, you will test specific transactions and the overall system to ensure the results meet your needs and expectations. Use your own people for some of the manual tests. Not only will they help with the project step, they will gain some training and become ambassadors representing all of your ERP users. The consultant will be a guide to setting up and managing testing. The consultant might have automated test processes too which will perform tests that follow your processes and repeat tests 24 hours a day. You will gain many additional test cycles and avoid human errors in testing.

Training

Think about how to train your people to use ERP when the project is complete. You can train a few to train the many and use your existing resources. You could also use the consultants to design and implement needed ERP training for you and your team.

Collaboration With Your ERP Consultancy of Choice

Fundamental to the idea of ERP is the notion of collaboration. Enterprise applications build bridges within the enterprise, and between the enterprise and the outside world. The act of implementing ERP is similarly an act of collaboration. In this light, when choosing a system integrator, ensure that they are an implementation partner, and not merely a consultancy for hire — for it is through people and partnership that the true benefits of ERP are realized.

Want to learn more about how an ERP consultancy can help your business?

3 Things to Consider When Upgrading From Epicor 905 to E10

3 Things to Consider When Upgrading From Epicor 905 to E10

People, Infrastructure, and Scope in an Epicor 905 Migration

A customer on the front end of an upgrade from Epicor 905 to E10 asked me for advice on ERP upgrade planning. I’ve long reflected on some of the keys to a successful Epicor 905 upgrade to E10—the lessons learned by decades of experience, and collected across countless end-of-project reviews. In light of wins and losses of the past, I’ve put together some thoughts on successfully upgrading an ERP system.

Working with consultants often helps in transitioning from a legacy ERP and gaining traction with the new version. This is especially the case if your business intends to leverage the upgrade as an opportunity to perform process changes, implement additional modules, or take advantage of new functionality. All of these things involve risk, largely due to the complexity of data amassed in the process. But if you consider your people, your infrastructure, and your scope, then an upgrade will be the best decision you can make for your future.

Cloud Consulting

Your People & Your Partners

Upgrading your ERP system is all about the people.

  • The people your upgrade will support
  • The people who will help make your application meet your goals

The Philosophy Behind Your People

Methodology: You want to work with folks who have a process for taking your company through the steps, so ’tis not a hodgepodge of random activity.

 

Expertise: I’d recommend you work with a consultancy rather than an independent “jack of all trades” — generalists are good for what they do, but I find the overall solution is superior when delivered by a coordinated team of folks. Look for specialization: Operations, Finance, Tools, Installation, etc.

 

Knowledge: This is where you want some good generalist know-how accessible to you when needed. For example, if you’re upgrading Epicor from 905 to E10, you’ll want someone around who has knowledge about 905 and expertise about upgrading to E10. This is especially helpful for tools considerations and code conversion, but not really important otherwise. The data from 905 to 10 is generally the same, and the functionality is also quite similar. If you have ABL code that you need to convert, you’ll want to partner with a team that has these skills.

 

Experience: This is key. In an Epicor upgrade, for example, you need folks who are strong in E10 and can recommend how the system will best run in 10, so that your transition is smooth and effective.

The Technical Nature of an ERP Upgrade

These considerations apply to any ERP, but I’m going to walk you through this with my Epicor consulting experience coloring the waters. In general, the move from Epicor 905 to 10 is technical in nature, with the change of the database and business logic layers from Progress to .net & SQL Server. Here’s a quick summary of some of the major changes and their implications:

 

Core Modules: These are very similar from 905 to 10 with some new sub-modules and lots of new bells and whistles. You’ll find many opportunities for changes in configuration, and some of these can create unexpected behaviors, so test carefully.

 

Updatable BAQs & Dashboards: These generally come over uneventfully, with a few tweaks. If they contain ABL code, some rewrites are required.

 

Embedded Customizations: These also generally come over uneventfully, with a few tweaks.

 

BPMs: Anything with Progress 4GL ABL code will need to be rewritten.

 

Configurators: Similar to BPMs, anything with Progress 4GL ABL code will need to be rewritten.

 

SSRS / Crystal Reports: 905 primarily uses Crystal Reports. In 10, these have all been converted to SSRS. If you have a lot of custom Crystal Reports, you’ll want to consider whether to rebuild these in 10 or deploy Crystal in the E10 environment.

At all levels, you have to assess the ERP system and the technology that supports it. When you’re upgrading a legacy ERP, should you also upgrade your servers? Will your system require new data management solutions like cloud-based disaster and recovery services? Are you facing new cybersecurity and compliance decisions?

 

Technical Considerations

Upgrading an ERP system demands skillful handling of data. This includes both the mind and soul of the ERP: the strength and spirit of the application. With on-premise, hosted, and SaaS solutions now available as ERP infrastructure options, your upgrade should include technology assessments both in and out of the software.

Upgrade vs. Reimplementation

Think about whether you want your ERP upgrade to be a straight, utility-driven upgrade from the legacy to the current version or a reimplementation. We’ve worked with customers who have gone either way.  We’ve found that reimplementation efforts tend to take longer and cost more, but leave you with a much cleaner data foundation.

A Data-Driven Epicor 905 Upgrade

If you’re trying to pull off some configuration/business process changes as part of the upgrade, this is easier to do as part of a reimplementation. If running Epicor and you’re looking to do the straight, utility-driven upgrade, I would recommend partnering with Epicor specifically to do the database conversion/upgrade. They have proprietary tool (“Cirrus”) that performs this upgrade, and it’s really the best way to do this. In the past, with early versions of 10, the upgrade toolset was part of the Admin Console, and partners like us performed the upgrade. Prior to the upgrade, we also had to request data scrubbing programs to run in 905 prior to the actual upgrade. These helped prepare the data for the 905 > 10 conversion.

Over the course of the last few years, Epicor developed the Cirrus toolset that performs the database uplift. This incorporates all that scrubbing and referential integrity stuff to successfully migrate the DB. These capabilities are not built into the admin console upgrade capabilities, so my understanding is that a better-quality uplift is achieved by working though Cirrus. As a customer, I would be working through Epicor to get the DB upgrading it, and not relying on the admin console. In reviewing the feedback from the Epicor user community, I think that the general consensus would be to leverage Cirrus when possible.

The Project Scope: Budgets & Ongoing Planning

Begin with your history. How to handle your historical data is unique to your project, and you might want to bring in a consultant to help you make decisions around the complexities. There are a number of additional budgetary/planning considerations that should be made at the onset of an upgrade project. Here are several that we normally work though with our customers:

  • Project Management: Do you have an on-site PM who will handle more of the PM duties, or do you want the partner to assume those?
  • Server Install/Configuration/Tuning: Who do you have for technical staff to assist with server-side activities, or do you want the partner to assume those?
  • ABL Code Conversion: Who do you have for development staff that can assist with code conversion, or do you want the partner to assume those?
  • Cirrus Upgrade: Are we working through Epicor to do the Cirrus upgrade? If doing a Cirrus upgrade, you should plan for that cost.
  • Delta Education: Do you want to self-educate or have your partner provide ERP training and support?
  • On-site Consultation: Do you want to have consultants on-site to assist, or do you want to have the partner working remotely and on-site on an as-needed basis?
  • Milestone Prep: Do you have resources that can perform the prep activities, or do you want the partner to assist?
  • Milestone Verification Events: Do you want to conduct CRP and UAT events on your own?
  • Gap Closure: Do you want assistance with gap closure, or do you want to spearhead this?
  • Customization/Tools: Do you have an internal resource to perform any new tools work (customizations, BPMs, reports, etc) that would be part up the upgrade project?
  • Data Conversion/DMT Assistance: Do you have a data-savvy resource who can own DMT & data questions and query the data out of the existing system, manipulate it to load into Epicor, and run the DMT tool to load?
  • On-site Support at Cutover: Do you want on-site support at cutover?
  • First Month-End: Do you need on-site finance support for the first month-end after cutting over, or do you have strong Epicor-savvy internal financial resources?

Upgrading an ERP system can be challenging. It’s a highly rewarding endeavor, and the outcome justifies the move. Good luck on your journey, and reach out to our experts with any questions you have along the way! 

 

Please fill out this form to get an ebook with tips on how to upgrade your cyber resilience strategy. You’ll also receive occasional insights from our team about ERP technology, including cloud services like ERP hosting.