27 Oct ERP Security Management For SMBs
ERP security and its management is a key factor when considering an ERP implementation partner. Also, one of the most important criteria that differentiates ERP implementation companies is trustworthiness. The well-structured approach to ERP security management should be amongst the top priorities when making a final decision in ERP selection. In this article, we will analyse what core elements are important for successful ERP security management, both for companies that are reviewing the elements of Enterprise Resource Planning, and those who already have it implemented and are looking to get to the next level of improvement.
ERP Security Management for SMBs
As a fully integrated system, ERP automates companies’ workflows simplifying budgeting, resource planning, accounting, client and supplier management, supply chain, sales and marketing and many more. These processes require access to aggregated and integrated data, both related to the company, as well as personal and business data from third parties. And in the current digital era, information is a valuable asset, so under the constant threat to be compromised or stolen. What data is at the greatest risk? Financial business data, contracts, invoices and orders, personal information of employees or clients etc. You may ask why is ERP security so important? With the prevailing strict guidelines to data protection in the EU under the General Data Protection Regulation (GDPR) laws and in the US with The California Consumer Privacy Act (CCPA) companies within the UK that have clients or partners not only within the UK but in the EU or USA, should ensure that their client’s data is well protected.
Since ERP Systems store and have access to data which concerns not only your business but other parties with whom your company cooperates – employees, suppliers, partners, clients, investors, public organisations etc, its a primary target for hackers because all data is centralised. It’s very important to predict the potential vulnerabilities of the company and cover them together with the ERP implementation company. Some of the most crucial security aspects were summarised by Van de Riet, Janssen, and Gruijter. They include:
- Security policy and administrator: ERP implementation should be accompanied by a clear and well-defined security policy, which can be easily maintained. The security policy has to regulate the access to an ERP system and to put constraints on ERP admins when they are granting permissions to users.
- User authentication: ERP system has to have means to verify if the user is the same person whom he/she claims to be.
- Separation of duties: you should define clear roles within the company with well-defined tasks for each role and separate levels of access to different levels of data in the ERP system.
- The authorisation rules: needed for verification of users and permission of their access to different data.
- Time restriction: access to the ERP system can be performed only during certain time frames.
- Logging and tracing: all the corresponding processes should be protected from the break.
- Additional security levels: database security, network security, workstations security and operational systems security.
Top ERP System Security Challenges
Nowadays, businesses are at great risk, because many hackers are more interested in hacking enterprises than just ordinary people. And since many companies use ERP systems, and its centralised source of all companies’ data, they become the primary target for attacks. Although many security features are built-in to the ERP systems and cover most business processes, very often have unique requests that need additional personalised customisations or use of specific extensions. The main challenges are associated with the protection against the risks connected to the traditional CIA concepts (Confidentiality, Integrity and Availability), such as Espionage, Sabotage, and Fraud. So, let’s analyse what vulnerabilities are the most common and should be covered as the priority:
- Use of old ERP software versions, archaic web interfaces and poor technology configurations – increases the risks of data losses due to viruses attacks, malware attacks, etc. The solution is to keep your system, as well as third-party applications constantly up to date. As soon as new versions are released, to have them updated.
- Keeping important information outside of an ERP system – very often employees like the functionality of the programs they were using for years, like Excel or Google spreadsheets, and they use these tools for data storage and analysis, which is a major problem for company management in terms of data protection and unauthorised data access control.
- Access to data without restrictions – the fact that all employees can benefit from the use of an ERP system in the company’s business processes management doesn’t mean they can have similar permissions to access data stored within the system. For example, employees from the purchasing department don’t need to have access to clients details, sales department employees don’t need to have access to suppliers details, the marketing department does not need to have access to contracts or invoices, or clients’ billing information, etc. The solution is to define which departments within the company need to have access to specific types of information, and grant the permission accordingly.
- Poor shielding and lack of protection from DDoS attacks – an attempt to disturb the normal functioning of a targeted server by sending a flood of internet traffic. A target can be not only servers where ERP is hosted, routers or computers, but also if a company uses external IoT devices, they can be attacked too. Read more about the use of IoT devices here. The solution here is either to make sure that your ERP provider has functionality for DDoS protection built-in or to use third-parties integrations to protect your business.
- Poor training of employees on IT security, lack of security policies, access to systems of ex-employees. Among such threats as data theft and commercial espionage, one of the most common internal attacks is also payroll fraud. The solution to this threat is a clear policy of how and when an employee can access data if he/she can download them, transfer or make screenshots, and when he/she loses the access in case the cooperation with the company is over.
- No response plan available – companies usually believe that they are not the one which will be attacked or hacked, especially if they are small or medium size. They believe that if they are not big multinational companies, they are not interesting to hackers. But it is not so. And when attacks happen, they fail to react fast and correct to protect data losses or other damages. That’s why it is important to have a clear plan on what has to be done in case any attack happens. But it’s not the only thing companies should care about. When choosing the ERP implementation vendor, make sure they have a clear and well-defined disaster recovery policy, which will save you a lot of nerves in any unpredicted situations.
- ERP systems with remote command execution vulnerabilities are a direct target for ransomware attacks when hackers download malware that can be automatically installed and run when users run the ERP application.
- Unprotected third-party integrations is a vulnerability which has to be taken into consideration very seriously because ERP systems rarely function without integrations with external applications. And these integrations need to be protected and well-monitored too, as they can be a potential backdoor for hackers.
ERP Security: On-Premise vs. Cloud
On-premise ERP puts on the company full responsibility when it comes to ERP security management (from managing the servers where data is hosted, to protecting access to the network, and maintaining the security of the system). On the contrary, in the cloud ERP, the responsibility for security management is split between business owners, ERP vendors, cloud service providers (e.g. Amazon Web Services or Microsoft Azure) and in case the implementation is done by the ERP consultants, they are sharing the responsibility too. Such a model is called a “shared responsibility model” and allows to diversify the risks associated with ERP security management.
The levels of responsibility change according to the type of service – infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS). In the IaaS model, business needs to manage virtual machines, make sure that the virtual network is secure and secure all applications within the network, but they don’t need to take care of actual hardware which hosts the applications in data centres.
In the case of PaaS, the client gets a platform for use, so this puts additional responsibilities for data security management onto cloud service providers. These responsibilities include not only IaaS security management but also the management of virtual machines and virtual network security, although business managers are still responsible for the security of data and applications.
In the case of SaaS, the provider is responsible for all the above-mentioned elements for IaaS and PaaS and the applications. Business managers are responsible for data security in this case. So, no matter what type of solution your company uses, it’s important to make sure that all elements are well protected and all security requirements are being met.
The other key differentiator of cloud ERP security from on-premise ERP security is the way that ERP is accessed. With on-premise ERP, data is stored in the on-premise environment, which means physical presence in the company’s office or the company’s network. Employees can access ERP from their work PC/laptop on the company’s network, and it is very simple to track and control the access to ERP and company’s data since the access points are easily monitored. In the on-premise ERP main responsibilities for security, management goes onto the IT department of your company. In a cloud ERP employees can access company’s data via a browser and this allows access to ERP from any device with internet and a web browser installed, or ERP application installed to access all company’s data. If several third-parties are accessing your company’s data from different places, in case of the breach, it’s not easy to identify where the security is compromised.
Cloud ERP vendors allow third-party integrations via API which allows access to company’s data and brings many benefits for a company, but it also adds a layer to cover in terms of ERP security. In case of API integrations, it is very important to plan what permissions it will have to create, read, update and delete data. Not all permissions should be granted for the correct functioning of an API, and identification of the right ones should be a priority process.
The reputation of cloud service providers heavily depends on the approach to IT security management, and in case any breaches happen, even if they happen not due to the cloud service provider’s fault, their reputation will be affected. That’s why they pay much attention to automatic identification of any potential system weak spots with the help of machine learning. In the on-premise ERP, there is little to no automation in terms of connection to third parties. This puts additional responsibility on the company’s IT department.
If your company is considering a change from on-premise ERP to cloud, you have to be clear that there is shared responsibility for security management which includes the ERP provider, the ERP implementation company and your business. Although Cloud ERP has very high standards of security management, your company will still have to add more security levels and controls which will be very similar to ‘on-premise’.
This article is not addressing all the key elements of ERP security management, but we will post more about this topic, so follow us in social media to get the updates. We implement Acumatica and believe it’s one of the best systems when it comes to security management. If your company is thinking of an ERP implementation and needs proper security management feel free to contact us.