As long as IT assets are accessible online (and sometimes even when they are not), there is the risk of a cyber-threat. No firewall or security measure is strong enough to entirely rule out a breach; enterprise IT is always sitting there waiting for the next attack.
This is true for any commercial IT system, and it is definitely the case for ERP systems hosted in the cloud, connected to other systems online, and granting access to a wide range of employees with varying skill sets and levels of security awareness. An ERP system is never truly safe.
There is a lot that businesses can do to minimize the risk, however. Here are six ERP security basics you should be following.
Let's be clear: the prime risk to your ERP system is not outside your company, but within. Human error and malicious or disgruntled employees pose a far greater risk to your ERP than external hackers.
Minimize the risk of insider threats by having a process in place to revoke ERP access when an employee leaves the company or changes roles, and by developing policies and procedures covering basic security training, BYOD access, and things like strong password management.
Human resources staff do not need access to all the manufacturing data in your ERP system, and sales staff should not have access to the HR modules. Take a restrictive, least-privilege stance on ERP access by granting only the rights that directly pertain to an employee's job function. This limits the scope for compromising the ERP system.
For example, employees who can create and approve purchase orders (a purchasing function) should not also be able to process payments (an accounts payable function). Enforcing that kind of rule is known as segregation of duties (SoD).
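The two checks described above, revoking access that no longer matches a person's HR status or job, and catching SoD conflicts such as the purchasing/payments pair, can be run as a periodic access review against an export of ERP users and roles. The following is an added example, not code from the original article or from any ERP vendor; the role names, the job-function-to-role catalog, the SoD conflict pairs and the HR and ERP records are all constructed assumptions.

```python
"""Access review for an ERP user list: stale access plus segregation of duties.

Added example with constructed data. The role names, the job-function-to-role
catalog, the SoD conflict pairs and the HR/ERP records are all assumptions.
"""
from dataclasses import dataclass

# Roles appropriate for each job function (assumed least-privilege catalog).
ROLE_CATALOG = {
    "purchasing": {"PO_CREATE", "PO_APPROVE"},
    "accounts_payable": {"AP_INVOICE_POST", "AP_PAYMENT_RUN"},
    "sales": {"SD_ORDER_ENTRY"},
    "hr": {"HR_MASTER_READ", "HR_PAYROLL"},
}

# Role pairs that one person must never hold together (assumed SoD rules).
SOD_CONFLICTS = [
    ("PO_APPROVE", "AP_PAYMENT_RUN"),     # approve a purchase order and pay it
    ("PO_CREATE", "AP_INVOICE_POST"),     # raise a purchase order and post its invoice
    ("HR_PAYROLL", "AP_PAYMENT_RUN"),     # set salaries and run the payments
]


@dataclass(frozen=True)
class HrRecord:
    user: str
    job_function: str
    status: str          # "active" or "terminated"


@dataclass(frozen=True)
class ErpAccount:
    user: str
    enabled: bool
    roles: frozenset


# Constructed HR roster (what people do now) and ERP account export (what they can do).
HR_ROSTER = {
    "alice": HrRecord("alice", "purchasing", "active"),
    "bob": HrRecord("bob", "accounts_payable", "active"),
    "carol": HrRecord("carol", "sales", "terminated"),
    "dave": HrRecord("dave", "accounts_payable", "active"),   # moved here from purchasing
}
ERP_ACCOUNTS = [
    ErpAccount("alice", True, frozenset({"PO_CREATE", "PO_APPROVE"})),
    ErpAccount("bob", True, frozenset({"AP_INVOICE_POST", "AP_PAYMENT_RUN"})),
    ErpAccount("carol", True, frozenset({"SD_ORDER_ENTRY"})),              # left, never disabled
    ErpAccount("dave", True, frozenset({"PO_APPROVE", "AP_PAYMENT_RUN"})),  # kept old role after moving
    ErpAccount("svc_batch", True, frozenset({"AP_PAYMENT_RUN"})),          # no owner in HR
]


def find_stale_access(roster, accounts):
    """Return {user: reason} for enabled accounts that should be revoked or trimmed."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        hr = roster.get(acct.user)
        if hr is None:
            findings[acct.user] = "enabled account with no HR record"
        elif hr.status == "terminated":
            findings[acct.user] = "terminated but account still enabled"
        else:
            # Roles the catalog does not grant to this person's current job.
            extra = acct.roles - ROLE_CATALOG.get(hr.job_function, set())
            if extra:
                findings[acct.user] = (
                    f"roles outside job function {hr.job_function}: {sorted(extra)}")
    return findings


def find_sod_conflicts(accounts):
    """Return [(user, (role_a, role_b))] for enabled accounts holding a conflicting pair."""
    return [
        (acct.user, pair)
        for acct in accounts if acct.enabled
        for pair in SOD_CONFLICTS if set(pair) <= acct.roles
    ]


if __name__ == "__main__":
    for user, reason in find_stale_access(HR_ROSTER, ERP_ACCOUNTS).items():
        print(f"REVOKE  {user}: {reason}")
    for user, pair in find_sod_conflicts(ERP_ACCOUNTS):
        print(f"SOD     {user}: holds both {pair[0]} and {pair[1]}")
```

Run against the constructed data, the review flags carol (left, still enabled), dave (kept PO_APPROVE after moving to accounts payable, which also gives him the approve-and-pay SoD conflict) and the unowned svc_batch account. The role-change case is the one most often missed in practice: dave's new roles were added correctly, but nobody removed the old one.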
If I had to give only one recommendation for companies with a limited budget for ERP security, it would be to reduce the budget earmarked for the SoD program and spend at least a portion of it on vulnerability management and code analysis.
Consider using cloud-based security scanning services to check for these potential holes.
Enterprises can apply automated source code scans to detect and eliminate security flaws early in the development cycle.
It is also important that businesses choose an infrastructure-as-a-service provider with strong security practices in place, since some of the necessary security is handled by the provider rather than by the business itself.
The code in off-the-shelf ERP modules may or may not be secure, but chances are good that your ERP vendor keeps a close eye on it. The bigger threat comes from the custom code in your system, which has had less testing and fewer eyeballs on it.
Such custom applications may contain vulnerabilities a developer left behind by accident. Or a developer may have written in a backdoor to be used maliciously at a later date, for example one that emails a copy of every transaction to a third party.
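The automated code scan recommended above does not have to be a commercial product to be useful against the backdoor shapes just described. As an added example (not code from the original article or from any vendor's scanner), the script below runs a handful of regular-expression rules over constructed, ABAP-flavoured pseudo-code: a comparison of the current user against a hard-coded literal (sy-uname is the real ABAP system field for the logged-on user; the snippets themselves are invented for this illustration), a hard-coded password, a direct OS command call, and any email address whose domain is outside an assumed allowlist. The rule set and the allowlist are starting points, not a complete policy.

```python
"""Lightweight static scan of custom ERP code for backdoor-style patterns.

Added example. The source snippets below are constructed, ABAP-flavoured
pseudo-code written for this illustration, not code from any real system, and
the rules are a starting point rather than a complete ruleset.
"""
import re

# Domains that legitimately receive mail from ERP jobs (assumed allowlist).
TRUSTED_MAIL_DOMAINS = {"example-corp.com"}

# Line-level rules. sy-uname is the ABAP system field holding the current user;
# a literal comparison against it is the classic shape of a developer backdoor.
RULES = {
    "hardcoded_user_check": re.compile(r"\bsy-uname\s*(?:=|EQ)\s*'[^']+'", re.I),
    "hardcoded_credential": re.compile(r"(?:password|passwd|pwd)\s*=\s*'[^']+'", re.I),
    "os_command_call": re.compile(r"CALL\s+'SYSTEM'", re.I),
}
# Captures the domain part of any email literal so it can be checked against the allowlist.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample files: one with a user-based approval bypass, one that
# stores a password and mails data to an outside relay.
SAMPLES = {
    "Z_PAYMENT_RUN.abap": """\
REPORT z_payment_run.
* Post approved payments to the bank interface.
DATA lv_total TYPE p DECIMALS 2.
IF sy-uname = 'ZDEV01'.
  " skip approval for the developer's own account
  PERFORM post_without_approval.
ENDIF.
PERFORM send_summary USING 'ap-team@example-corp.com'.
""",
    "Z_VENDOR_EXPORT.abap": """\
REPORT z_vendor_export.
DATA lv_pwd TYPE string.
lv_pwd = 'Summer2019!'.
PERFORM mail_copy USING 'reports@mail-relay.example.net'.
""",
}


def is_comment(line):
    """ABAP comment forms: '*' in column 1 for a full line, '"' for the rest of a line."""
    return line.startswith("*") or line.lstrip().startswith('"')


def scan_source(name, source):
    """Return [(file, line_no, rule)] for every suspicious line in one source file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if is_comment(line):
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((name, lineno, rule))
        for match in EMAIL_RE.finditer(line):
            if match.group(1).lower() not in TRUSTED_MAIL_DOMAINS:
                findings.append((name, lineno, "mail_to_external_domain"))
    return findings


def scan_all(sources):
    """Scan a {filename: source} mapping in filename order."""
    return [f for name, src in sorted(sources.items()) for f in scan_source(name, src)]


if __name__ == "__main__":
    for filename, lineno, rule in scan_all(SAMPLES):
        print(f"{filename}:{lineno}: {rule}")
```

Pattern matching of this kind produces false positives (a legitimate service account check, a test fixture) and misses anything the developer obfuscated, so treat it as a triage filter that decides which custom objects get a human review, not as proof the code is clean. Skipping comment lines keeps the rate of noise down but also means a rule will not fire on code that is merely commented out.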
Even if your office building requires security badges, you still need guards and receptionists to watch the premises for unusual behavior. Things happen; security gets compromised. Having a threat detection solution in place to monitor your system in real time is therefore another important step for ERP security.
Part of that monitoring should include checking for unusual behavior, not just for obvious security breaches.
If you already have a threat detection program for catching clearly malicious events, extend it so that it also detects anomalous ones: a user running a payment job in the middle of the night, or opening a module they have never touched before, is not a breach in itself but is exactly the kind of thing worth a second look.
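The distinction between the two kinds of detection can be made concrete with a small detector that runs over ERP audit log lines. The following is an added example, not code from the original article or from any ERP or SIEM product: the log format, the thresholds and the log lines themselves are constructed for the illustration. It applies one classic rule (a burst of failed logins) and two baseline-driven anomaly checks (a module the user has never used, and activity outside the hours the user has historically been active).

```python
"""Rule-based plus anomaly detection over ERP audit log lines.

Added example with constructed log lines. The log format, the thresholds and
the events are assumptions, not any vendor's real audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 4                 # this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... inside this window is a burst
HOUR_SLACK = 1                             # hours beyond the observed range still treated as normal

# Constructed history: a quiet week of normal activity used as the per-user baseline.
HISTORY = """\
2024-02-26T08:05:11 user=alice action=PO_CREATE module=PO result=OK
2024-02-27T12:30:42 user=alice action=PO_APPROVE module=PO result=OK
2024-02-28T17:10:03 user=alice action=PO_APPROVE module=PO result=OK
2024-02-26T09:15:00 user=bob action=INVOICE_POST module=AP result=OK
2024-02-27T13:45:21 user=bob action=PAYMENT_RUN module=AP result=OK
2024-02-29T16:02:37 user=bob action=PAYMENT_RUN module=AP result=OK
""".splitlines()

# Constructed events for the day under review.
TODAY = """\
2024-03-05T10:12:00 user=alice action=PO_APPROVE module=PO result=OK
2024-03-05T02:40:18 user=bob action=PAYMENT_RUN module=AP result=OK
2024-03-05T11:00:05 user=alice action=MASTER_READ module=HR result=OK
2024-03-05T09:00:00 user=alice action=LOGIN module=AUTH result=FAIL
2024-03-05T09:00:09 user=alice action=LOGIN module=AUTH result=OK
2024-03-05T02:30:00 user=mallory action=LOGIN module=AUTH result=FAIL
2024-03-05T02:30:20 user=mallory action=LOGIN module=AUTH result=FAIL
2024-03-05T02:30:45 user=mallory action=LOGIN module=AUTH result=FAIL
2024-03-05T02:31:10 user=mallory action=LOGIN module=AUTH result=FAIL
2024-03-05T02:31:30 user=mallory action=LOGIN module=AUTH result=FAIL
""".splitlines()


def parse(line):
    """'<iso-timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_baseline(history_lines):
    """Per user: which modules they have used and at which hours of the day."""
    baseline = defaultdict(lambda: {"modules": set(), "hours": set()})
    for ev in map(parse, history_lines):
        if ev["action"] == "LOGIN":
            continue
        baseline[ev["user"]]["modules"].add(ev["module"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def detect_failed_login_bursts(events):
    """Rule: THRESHOLD failed logins by one user within WINDOW (one alert per user)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            failures[ev["user"]].append(ev["ts"])
    alerts = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                alerts.append({"user": user, "alert": "failed_login_burst", "ts": times[i]})
                break
    return alerts


def detect_anomalies(events, baseline):
    """Anomalies: a never-before-used module, or activity outside the user's usual hours."""
    alerts = []
    for ev in events:
        if ev["action"] == "LOGIN" or ev["user"] not in baseline:
            continue  # no profile to compare against; the login rule covers auth events
        profile = baseline[ev["user"]]
        if ev["module"] not in profile["modules"]:
            alerts.append({"user": ev["user"], "alert": "first_time_module",
                           "ts": ev["ts"], "detail": ev["module"]})
        lo = min(profile["hours"]) - HOUR_SLACK
        hi = max(profile["hours"]) + HOUR_SLACK
        if not lo <= ev["ts"].hour <= hi:
            alerts.append({"user": ev["user"], "alert": "off_hours",
                           "ts": ev["ts"], "detail": ev["action"]})
    return alerts


def detect(history_lines, today_lines):
    events = [parse(line) for line in today_lines]
    baseline = build_baseline(history_lines)
    return detect_failed_login_bursts(events) + detect_anomalies(events, baseline)


if __name__ == "__main__":
    for a in detect(HISTORY, TODAY):
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['alert']:20} {a['user']} {a.get('detail', '')}")
```

On the constructed data the rule catches mallory's password guessing, while the two anomaly checks surface bob's 02:40 payment run and alice's first visit to the HR module; alice's single failed login and her normal PO approval produce nothing. Neither anomaly is necessarily an incident, which is the point of the paragraph above: they are the events an analyst should review even though no rule was broken.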
Finally, no good ERP security posture is complete without regular auditing and review. Make sure you have procedures in place for periodic third-party security audits to help ensure early detection of new security issues. The threat landscape is not static.
Security-focused design and high-quality code are often overlooked in ERP security programs, yet they are what the vulnerability management and code analysis work above depends on.