Give Us a Call: 866 460 7765 | info@projectline.ca
Your ERP system is the center of your business, housing mission-critical data across all areas of your business. With the average number of cyber attacks per company increasing by 32% in 2021, protecting that data from outside threats is more important than ever.
For SMEs (small to mid-size enterprises), staying on top of the latest threats and properly securing your ERP system can be a real challenge. Chances are you don’t have resources dedicated to IT security the way larger organizations do. And many IT professionals lack expertise in ERP security. Ultimately this leaves smaller organizations vulnerable to cyber attacks – according to research from Cybersecurity Magazine, 43% of all data breaches involve SMEs.
Whether you're going through an ERP implementation or you've been live for a while, we recommend starting with these ERP security best practices to minimize your risk.
If even one piece of your ERP system is compromised, your most valuable data across the entire business can potentially be exposed. This can have a significant impact on your business including:
While the risk is clear, properly securing your ERP system is complex. You’re dealing with security for infrastructure, networks, operating systems, integration points and the database itself. This is why SMEs tend to be more vulnerable – general-purpose security measures don’t cut it. You need people who understand the ERP database, cloud platforms and web services (like your ERP partner).
A quick note on deployment models before we dive into best practices. With a cloud solution (private or public), security is a shared responsibility between your company and your cloud provider. This is what the split typically looks like but talk with your provider to make sure you’re both clear on your responsibilities.
You’ll handle the human side of things – enforcing password policies, training staff on security protocols, managing user authorizations and installing regular updates.
And your cloud provider will look after the following:
If you run an on-premise ERP solution, you’ll be responsible for all security measures, backups, data restoration and system monitoring. Few SMEs have the internal resources to manage this properly, which is why many are moving to a private cloud option.
Having a clear picture of your ERP landscape will help you identify potential weak spots that need attention. Consider all elements of your ERP system including processes, master data, infrastructure, storage networks, interfaces and integration points with other applications.
Once you’ve identified potential vulnerabilities, assess the implications of a hack.
If you integrate with other best-of-breed applications, make sure you understand how they’re secured. Do they use multi-factor authentication (MFA)? Is the data encrypted? Does the vendor provide system monitoring?
Let’s say you have a 5-character password with a combination of numbers, upper/lowercase letters and symbols – how long do you think it takes a hacker to get your password?
According to Hive Systems – instantly.
The days of using your favorite go-to password for every account (qwerty123 anyone?) are long gone.
As much as your team might find it annoying, setting complex password policies and enforcing regular password changes is essential to ERP security. Here are the latest recommendations from Cyber News:
To make it easier for your team to manage all their complex passwords, consider rolling out a password manager like Dashlane. These tools allow you to randomly generate strong passwords, store them securely and monitor for duplicate passwords or potential breaches.
Multi-factor authentication is becoming the norm for web applications – you likely use it for your banking and even Facebook. Yet over 40% of companies still don’t use MFA on all potential ERP entry points.
On top of those strong passwords, MFA gives you an added layer of protection by asking users to confirm their identity through either a text or an app like Duo. For public cloud ERP software, like NetSuite, two-factor authentication is typically triggered right from the webpage where you login. If you’re running your ERP system on-premise or in a private cloud, you can attach a multi-factor authentication procedure to the remote desktop or remote app login.
Outdated software can present an increased security risk. Whether it’s your on-premise ERP software, Windows operating system or another application that interfaces with your ERP, create a policy to implement updates regularly. With public cloud software, the vendor typically performs upgrades automatically, giving you access to the latest security patches.
The rule of thumb for user authorizations is to only give people access to the information and functionality they need to do their jobs – and nothing more.
For your ERP software, this should be strictly followed. Do a user audit to understand what roles you have and the permissions they currently have. If they have more than they need, adjust authorizations as needed, then document your policies. You’ll also want to review employee access anytime there’s a role change within the organization to ensure their authorizations still reflect the requirements of their job. And finally, add an item to your employee departure checklist to make sure user accounts for your ERP system and any integrated software are deactivated when someone leaves your company.
Most cybersecurity issues are the result of human error. Someone unwittingly clicks the link to a fake invoice (not noticing the sketchy email address) and suddenly your network is at risk.
Given how quickly cyber threats are evolving, training your team isn’t a one-and-done event. You need to provide ongoing education to ensure everyone understands your policies and their role in protecting your systems. Your IT team should dedicate time to staying current on the constantly changing threat landscape and adjusting your security practices as needed.
For your larger team, focus training on:
Training requires a time investment but remember that human error is your top vulnerability and well-trained people make fewer errors.
Even with all the right security measures in place, you want to be prepared for an incident before it happens. That’s where your incident response plan comes in to help you detect security events and take the appropriate steps to solve the issue.
Your plan should include:
Nothing in life is guaranteed. So, when it comes to your mission-critical systems and data, you plan for the worst and hope for the best. Implementing these ERP security best practices will help you do just that.
If you’re searching for new ERP software and want to chat about the security implications of cloud versus on-premise ERP (or public versus private cloud), reach out to us. Our team is here to help.
Join other SMEs who receive our monthly ERP insights, tips and best practices.
Sign up for our newsletter to stay in the loop on ERP solution updates,
training and events
PROJECTLINE SOLUTIONS INC.
We're a leading ERP (Enterprise Resource Planning) implementation and support partner for small and mid-size businesses across the US and Canada.
QUICK LINKS