ERP Security Best Practices
02 Dec
Understanding ERP security best practices is the cornerstone of success in ERP implementation and ongoing management. In the first part of this article (ERP Security Management For SMBs), we described the key elements of cloud ERP security management. In this article, we analyse the practical side of this complicated, multi-level process. Without well-planned and organised security management it is impossible to build a strong foundation for further business growth, because unanticipated events such as cyber-attacks, data leakage, commercial espionage, negligence and many more can undermine it at any moment. If your business is not ready to confront these security threats, you risk losing control over your operations and your data. In this article, we discuss the types of controls needed, cloud ERP security benefits and best practices, vendor selection and other important security aspects.
Cloud ERP Security Benefits
Handling cloud ERP security is much easier than securing on-premise systems, because responsibility for security management is shared between the cloud provider and the company using the ERP software. But let’s analyse what other benefits a cloud solution can bring.
- ‘Cloud technology helps to decrease security management costs’
How does this happen? Again, shared responsibility plays a great role here. Part of the responsibility for security maintenance lies with the cloud solution provider. This helps to cover the risks associated with detecting and reacting to security threats on time, and it is usually handled as part of the services provided on a subscription model, where security management is included by default. This allows the IT team to focus on more important security management tasks and to allocate human resources better.
- ‘Cloud technology helps to decrease the time spent on software updates’
Automatic ERP software updates not only reduce the time spent obtaining internal permission for software updates from top management and the departments working directly with the ERP, but also reduce the window of temporary vulnerability caused by outdated software.
- ‘Cloud technology helps to meet security compliance requirements’
Cloud ERP providers offer data encryption, which allows you to keep your information safe and meet security compliance requirements, and they can also help to protect the business from DDoS attacks or to handle their consequences much faster.
Cloud ERP Security Best Practices
- Develop a comprehensive security policy
ERP security protection should be handled in the company as an ongoing process, where responsibility for data security is placed on everyone working with the ERP, whether employees or external partners working with the company. Since the ERP is the source of centralised information from different departments within the company, people from these departments can access these data from different places, utilising the benefits of cloud technology. So the security policy should include not only guidelines on how to handle the ERP within the office, but the company also has to educate employees on how to keep the ERP protected when working out of the office. Education and raising security awareness should be a priority for any business which uses ERP systems.
- Create a full list of potential threats
All departments within the company should participate in the development of a comprehensive list of potential threats, vulnerabilities and risks associated with the use of the ERP. If the company has an IT department, it takes the leading role in developing this list. If the company is too small and doesn’t have an IT department, its top management together with the ERP implementation provider should develop such a list.
When the list is ready, top management has to go through each item one by one and assign a priority level based on the potential damage to the business if that item occurs. This helps to allocate security management resources according to priority and to know how to react when needed. In addition to this plan, the company should have a list of which threats are covered by the cloud ERP provider, which by the ERP implementation consultants, and which by the company itself. Define which risks can be accepted as they are, which should be addressed immediately and which can be treated later, and assign a responsible person or department to every risk, who will own the decision-making and handling of that risk.
- Create a global unified approach to ERP access management
Centralised global control over access management is a key element in preventing unauthorised users from accessing critical business data. It concerns both the moment new employees join the company and need to obtain the correct level of access to data, and the moment employees leave the company and their access to the ERP software should be revoked. Companies should also control the access of different departments and employees to data according to their positions and job roles, allowing access only to the data needed to perform their tasks.
- Develop a list of controls to treat risks
Controls can be divided into technical controls (encryption, firewalls, user authentication, etc.), procedural or administrative controls (training, awareness, segregation of duties, contracts, etc.) and physical controls (security cameras, alarms, laptop locks, etc.).
- Develop a disaster recovery plan
When the list of threats, risks and vulnerabilities is ready and the impact of each item on business continuity is defined, top management of the company and the implementation partner have to develop a disaster recovery plan for each item. This should also include the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The Recovery Time Objective reflects the amount of time the ERP can be down without causing significant damage to business operations and to the business. The Recovery Point Objective reflects the amount of data that can be lost or damaged before the point of no return.
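As an added illustration (not from the original article), the following Python script checks a hypothetical recovery runbook and backup schedule against RTO and RPO values. The objectives, the runbook steps and their durations are constructed for the example; a real plan would use the figures agreed with management and the times measured in recovery rehearsals.

```python
from datetime import datetime, timedelta

# Objectives agreed with management for the hypothetical ERP (constructed values).
RTO = timedelta(hours=4)   # tolerable downtime
RPO = timedelta(hours=1)   # tolerable data loss, expressed as a period of time

# Recovery runbook steps with the durations measured in the last rehearsal (constructed).
RUNBOOK = [
    ("declare incident and notify risk owners", timedelta(minutes=15)),
    ("provision replacement database instance", timedelta(minutes=45)),
    ("restore most recent full backup", timedelta(minutes=90)),
    ("replay transaction log to last good point", timedelta(minutes=30)),
    ("validate with finance and switch users over", timedelta(minutes=40)),
]


def recovery_time(runbook):
    """Total elapsed time of the runbook, assuming the steps run one after another."""
    return sum((duration for _, duration in runbook), timedelta())


def longest_step(runbook):
    """The step to shorten first if the RTO is missed."""
    return max(runbook, key=lambda step: step[1])[0]


def worst_case_data_loss(backup_interval):
    """With periodic backups, the most data that can be lost is one full interval
    (the failure happens just before the next backup would have run)."""
    return backup_interval


def evaluate(runbook, backup_interval, rto=RTO, rpo=RPO):
    """Return a list of findings; an empty list means both objectives are met."""
    findings = []
    total = recovery_time(runbook)
    if total > rto:
        findings.append(f"RTO missed by {total - rto}")
    loss = worst_case_data_loss(backup_interval)
    if loss > rpo:
        findings.append(f"RPO missed: backups every {backup_interval}, objective {rpo}")
    return findings


def data_lost_in_incident(backup_times, failure_at):
    """Actual loss for a concrete failure: time elapsed since the last backup taken before it."""
    usable = [b for b in backup_times if b <= failure_at]
    if not usable:
        raise ValueError("no backup exists before the failure")
    return failure_at - max(usable)


if __name__ == "__main__":
    print("rehearsed recovery time:", recovery_time(RUNBOOK))
    print("findings with hourly backups:", evaluate(RUNBOOK, timedelta(hours=1)))
    print("findings with 6-hourly backups:", evaluate(RUNBOOK, timedelta(hours=6)))
    print("first step to optimise:", longest_step(RUNBOOK))
```

The point of the check is that the RPO is met by the backup schedule, not by the recovery procedure, while the RTO is met only if the whole runbook, including validation and switch-over, fits in the window; rehearsal times, not estimates, are what make the evaluation meaningful.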
- Develop a business continuity plan
Disruption in business operations and processes may wreak havoc within the whole organisation. The concept of business continuity management refers to the capability of the company to deliver products or services in line with its responsibilities during a disruption (at the pre-agreed capacity and within acceptable timeframes).
Although disruption can be caused by many different factors, such as natural disasters, power outages, fires or floods, the loss of access to an ERP system or its malfunctioning can be no less destructive.
To develop a business continuity plan, top management of the company has to define the needs and expectations of all the parties involved in the use of ERP systems within the company. Once these are well defined, the part of the business continuity management scope which concerns ERP functioning can be defined. A company should have clear and simple guidelines for every potential risk: how to handle business continuity management if the defined situation happens, taking into account the needs of all parties to set the priority of actions. It is very important to have everything documented and to inform employees where this document is stored, because in a disaster employees are under stress, and it is much easier to handle any situation by following simple predefined steps than to end up with more problems due to the wrong handling of the situation.
- Make sure the ERP software is updated on time
Make sure that your ERP is updated as soon as a new version is released. Releases usually include not only new or enhanced features but also fixes for security vulnerabilities. Updating cloud-based software is a much less complex project than updating on-premises software, and companies can benefit from this in multiple areas of business, including security management.
- Control integration security
The flexibility of an ERP is based partly on the possibility of extending its functionality with third-party integrations, creating a unified system. The connection between the ERP and third parties is performed via APIs, and this creates additional vulnerable elements within the system that are prone to data breaches. The business has to perform regular checks of potential weak spots and perform security audits (external or internal). The procedure for data recovery in case of loss or damage should be documented within the business continuity management scope.
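One concrete technical control for the integration point described above, added here as an example rather than taken from the article or from any ERP vendor: an inbound message from a partner system is accepted only if it carries a fresh timestamp and a valid HMAC signature under a shared secret, and only after its fields have been validated, so that a forged, replayed or malformed message never reaches the ERP. The secret, the field names and the freshness window are constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Shared secret agreed with one hypothetical partner system (constructed value;
# in practice it is issued per integration and rotated).
INTEGRATION_SECRET = b"example-shared-secret-for-partner-a"
MAX_CLOCK_SKEW_SECONDS = 300   # assumed policy: messages older than 5 minutes are rejected

# Fields the ERP expects in a purchase-order message and their allowed types (constructed schema).
REQUIRED_FIELDS = {"order_id": (str,), "amount": (int, float), "currency": (str,)}


def sign(body: bytes, timestamp: int, secret: bytes = INTEGRATION_SECRET) -> str:
    """Signature the partner is expected to send: HMAC-SHA256 over timestamp and body.
    Binding the timestamp into the MAC means a captured message cannot be replayed later."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def _has_type(value, allowed) -> bool:
    # bool is a subclass of int in Python; a numeric field must not accept true/false
    if isinstance(value, bool):
        return bool in allowed
    return isinstance(value, allowed)


def verify(body: bytes, timestamp: int, signature: str,
           now: Optional[int] = None, secret: bytes = INTEGRATION_SECRET) -> Tuple[bool, str]:
    """Return (accepted, reason). Freshness, then the MAC, then the payload shape
    are checked before anything is handed to the ERP."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(body, timestamp, secret)
    # constant-time comparison: no hint about how many leading characters matched
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(payload, dict):
        return False, "payload is not an object"
    for name, allowed in REQUIRED_FIELDS.items():
        if name not in payload or not _has_type(payload[name], allowed):
            return False, f"field {name!r} missing or wrong type"
    if payload["amount"] < 0:
        return False, "negative amount"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"order_id": "PO-1001", "amount": 250.0, "currency": "EUR"}'   # constructed message
    ts = int(time.time())
    print(verify(body, ts, sign(body, ts)))                 # accepted
    print(verify(body, ts - 3600, sign(body, ts - 3600)))   # too old: stale timestamp
    print(verify(body + b" ", ts, sign(body, ts)))          # body altered in transit: bad signature
```

The order of the checks matters: the cheap freshness test runs first, the MAC is verified before the body is parsed so that unauthenticated input never reaches the JSON parser, and the rejection reason is what the ERP side should log for the periodic audit of the integration.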
- Raise employees’ security awareness
The weakest point in any security system is the human factor. Companies have to ensure that their employees are well informed and aware of modern hacking techniques and trained to recognise them, especially people working with important business information, which is processed and stored in ERP systems. They are among the first targets for commercial espionage or other security threats. Develop security training programmes for employees and make sure that they are constantly updated.
- Use segregation of duties
Segregation of duties is a simple but very powerful security control, which decreases the probability of fraudulent behaviour. Applying the concept of segregation of duties requires at least two people to perform any important action or make an impactful decision. For example, important transactions within an ERP are initiated by one person and approved by another, one person requests confirmation for an action and another confirms it, and there are many other variations.
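The access-management practice above (joiners, leavers and role-based least privilege) and the segregation-of-duties rule can be expressed together in code. The following Python model is an added example, not code from the article or from any ERP product: the role names, permissions and invoice workflow are constructed, and the two-person rule is enforced at two levels, at approval time and as a periodic check for users whose combined roles already grant both conflicting permissions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Role -> permission mapping. Role and permission names are constructed for this
# example and do not correspond to any particular ERP product.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"invoice.create", "invoice.view"},
    "ap_manager": {"invoice.view", "invoice.approve"},
    "warehouse":  {"stock.view", "stock.adjust"},
    "auditor":    {"invoice.view", "stock.view"},
}

# Permission pairs that must never be held by the same person (constructed policy).
SOD_CONFLICTS = [("invoice.create", "invoice.approve")]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    def __init__(self):
        self.users = {}
        self.audit_log = []   # every provisioning event and access decision, kept for review

    def onboard(self, name, job_roles):
        """Joiner: grant exactly the roles the job requires, nothing more."""
        unknown = set(job_roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[name] = User(name, set(job_roles))
        self.audit_log.append(("onboard", name, sorted(job_roles)))

    def offboard(self, name):
        """Leaver: deactivate the account and strip all roles, not just block the login."""
        user = self.users[name]
        user.active = False
        user.roles.clear()
        self.audit_log.append(("offboard", name, []))

    def permissions(self, name):
        user = self.users[name]
        if not user.active:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))

    def can(self, name, permission):
        allowed = permission in self.permissions(name)
        self.audit_log.append(("check", name, permission, allowed))
        return allowed


def sod_violations(ac):
    """Periodic check: users whose combined roles grant both halves of a conflicting pair."""
    hits = []
    for name in sorted(ac.users):
        perms = ac.permissions(name)
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                hits.append((name, a, b))
    return hits


@dataclass
class Invoice:
    invoice_id: str
    amount: float
    created_by: Optional[str] = None
    approved_by: Optional[str] = None


class InvoiceWorkflow:
    """Two-person rule enforced at transaction time: the creator can never approve."""

    def __init__(self, ac):
        self.ac = ac

    def create(self, actor, invoice):
        if not self.ac.can(actor, "invoice.create"):
            raise PermissionError(f"{actor} may not create invoices")
        invoice.created_by = actor
        return invoice

    def approve(self, actor, invoice):
        if not self.ac.can(actor, "invoice.approve"):
            raise PermissionError(f"{actor} may not approve invoices")
        if invoice.created_by is None:
            raise ValueError("invoice has not been created yet")
        if actor == invoice.created_by:
            raise PermissionError("segregation of duties: creator cannot approve own invoice")
        invoice.approved_by = actor
        return invoice
```

Note that the role-level check (`sod_violations`) and the transaction-level check catch different things: a clerk who is also given the manager role passes every permission test but is flagged by the periodic report, while the approval-time check stops the case where two people legitimately hold the two roles but one tries to approve an invoice they created themselves.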
- Protect the Internet of Things (IoT) devices
We have an article about the benefits of IoT and ERP integration for the supply chain industry, where you can read in more detail how IoT devices help in business. Data gathered by such devices is sent directly to the ERP, where it is processed and stored. Malfunctioning of a device (due to software bugs, hacking or other reasons) can lead to significant problems with understanding the real picture of current business operations and processes, or make the device a target for gaining access to company data sources.
A company which uses IoT devices has to make sure it monitors the health of all devices, finds and resolves any problems, and updates their software when needed.
ERP System Security: ‘Residual risks’ and ‘Reasonable Assurance’
To minimise risks associated with ERP security, a company has to utilise several types of controls in an ERP environment: IT general controls, application (or ERP software) controls and ERP implementation assurance controls.
Internal controls are a set of the company’s policies and procedures which serve three main purposes: maintaining the effectiveness and efficiency of business operations, ensuring the reliability of the company’s financial data, and helping the company comply with laws and regulations. But here the concept of “reasonable assurance” should be taken into account. It means that within any system, risks, limitations or uncertainties which nobody can predict might still exist.
Residual risks are the risks that remain even after controls are implemented for mitigation purposes. Companies have to decide if the residual risks are acceptable or not.
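To tie the threat-list procedure from the best practices section to the residual-risk decision here, the following Python risk register is an added example (not part of the original article): each risk gets a likelihood and impact score, an owner (cloud provider, implementation partner or company) and an estimate of how much the existing control reduces the exposure; the register is then prioritised and each item is classified as accept, treat later or treat now. The scoring scale, the thresholds, the proportional-reduction model and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass

# Who is responsible for handling a risk: the three parties named in the article.
OWNERS = ("cloud_provider", "implementation_partner", "company")

# Decision thresholds on the residual score (constructed assumptions; each company
# sets its own risk appetite).
ACCEPT_BELOW = 5      # residual score the company is willing to live with
TREAT_NOW_FROM = 12   # residual score that must be addressed immediately


@dataclass
class Risk:
    name: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain)
    impact: int                           # 1 (negligible) .. 5 (threatens the business)
    owner: str                            # who decides and acts on this risk
    control_effectiveness: float = 0.0    # 0.0 = no control, 0.9 = control removes 90% of the exposure

    def inherent(self) -> int:
        """Score before any control is taken into account."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Score that remains after the control (simplified proportional model)."""
        return round(self.inherent() * (1 - self.control_effectiveness), 1)


def validate(risk: Risk) -> None:
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    if risk.owner not in OWNERS:
        raise ValueError(f"{risk.name}: owner must be one of {OWNERS}")
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError(f"{risk.name}: control_effectiveness must be 0..1")


def treatment(risk: Risk) -> str:
    residual = risk.residual()
    if residual < ACCEPT_BELOW:
        return "accept"
    if residual >= TREAT_NOW_FROM:
        return "treat now"
    return "treat later"


def prioritised(register):
    """Highest inherent score first, so the most damaging items are discussed first."""
    for risk in register:
        validate(risk)
    return sorted(register, key=lambda r: (-r.inherent(), r.name))


def report(register):
    return [(r.name, r.owner, r.inherent(), r.residual(), treatment(r)) for r in prioritised(register)]


def open_items_by_owner(register):
    """Risks not yet accepted, grouped by who has to act on them, in priority order."""
    grouped = {owner: [] for owner in OWNERS}
    for r in prioritised(register):
        if treatment(r) != "accept":
            grouped[r.owner].append(r.name)
    return grouped


# Sample register (constructed for the example).
REGISTER = [
    Risk("leaver keeps ERP access after exit", 4, 4, "company", 0.0),
    Risk("phishing of finance users", 4, 4, "company", 0.5),
    Risk("unpatched ERP version", 3, 4, "cloud_provider", 0.9),
    Risk("integration API key leaked", 2, 4, "implementation_partner", 0.0),
    Risk("data centre outage", 1, 5, "cloud_provider", 0.8),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
    print(open_items_by_owner(REGISTER))
```

The two scores carry different decisions: the inherent score sets the order in which management discusses items, while the residual score, which is what remains after the control is in place, is what the company accepts or refuses; the owner grouping shows which open items the company must act on itself and which it relies on the provider or the implementation partner to handle.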
ERP security management requires a comprehensive approach and a well-structured plan for its implementation and maintenance. The end result has to ensure that the three main properties of information, the CIA triad (confidentiality, integrity and availability), are protected.
For the confidentiality property, the company has to ensure that information stored or processed in the ERP is not made available or disclosed to unauthorised parties and that only the intended recipients have access to it.
For the integrity property, the company has to ensure that the ERP system is protected from unauthorised alterations of data while it is stored, transmitted or processed, as well as against external threats like malware and against mistakes made by employees who have access to the information.
For the availability property, the company has to ensure that authorised users can access data in the ERP system whenever they need it, without interruption.
All the above-mentioned ERP security best practices have to ensure that these three information properties are protected at all levels.
If your company is thinking of an ERP implementation and needs proper security management feel free to contact us.