peach_fotolia - stock.adobe.com
Because ERP systems house so much critical business information, ERP security is a paramount concern for all companies.
ERP systems can be more difficult to secure when employees are working from home. As the pandemic's uncertainty keeps many workers out of the office, companies must take steps such as implementing multifactor authentication and regularly updating software to ensure their ERP's sensitive information won't become compromised.
Here's a look at the differences between on-premises and cloud ERP security as well as some of the best ERP security practices to follow.
On-premises vs. cloud ERP security
Understanding some of the unique factors impacting cloud ERP security versus on-premises ERP is vital. Believing someone else is responsible for an application's security if it's hosted in the cloud is a dangerous misconception. This is not the case, and every employee, not just technical staff, must believe otherwise.
Many cloud service providers have security add-ons for ERP monitoring and protection, but the reality is no outsourced vendor will likely care as much about security as the company whose data may be vulnerable. In addition, the vendor may not understand how to meet a specific organization's requirements for a truly resilient ERP environment.
Whether an ERP system is on premises or in the cloud, the following best practices can help mitigate common risks.
1. Implement multifactor authentication
Multifactor -- sometimes referred to as two-factor -- authentication (MFA) can be a valuable part of account security. Since most modern ERP systems are web-based, the risk of user credential exposures is often high. This is especially true because of the following:
- Personal login credentials are often co-mingled with business login credentials. If personal passwords are compromised in a data breach or malware infection, exposures can result.
- The ERP system may not have intruder lockout to prevent password cracking attacks.
Many ERP systems, both on-premises and cloud, support or include MFA as an option. Enable it across the board when possible. Compromised credentials can expose critical business information, and two levels of authentication can mitigate that risk. Most employees are likely accustomed to two-factor authentication by now.
2. Require password best practices
Basic password complexity requirements can go a long way toward protecting user credentials. Some employees may chafe at strong password requirements, but they're necessary in today's world of threats and vulnerabilities.
If objections to password complexity continue, lengthen the amount of time before users must change their passwords -- for example, requiring a password change every six months rather than every 60 days. Also try to get management on board with strong password policies and educate users on how to pick easy-to-remember passwords that are nevertheless virtually impossible for an attacker to guess or crack.
3. Stay on top of software updates
Vulnerability and patch management can be difficult, but a system missing several-years-old patches is incredibly easy to compromise. Many companies' networks include workstations and servers that are not properly maintained, and missing software updates can facilitate malware infections and unauthorized remote access.
All it takes for full ERP exposure is a missing OS or application update or even poorly written code that allows for vulnerabilities, such as an SQL injection. Patching periodically and consistently is key.
4. Educate users now and in the future
Often there's an us vs. them feeling in the relationship between users and IT and security staff. Some users may assume technical staff are taking care of everything and that they can do whatever they please since someone else will have a presumed safety net to catch them if they fall.
Involve users in the security decision-making process and ask them what would work best from their perspective. Make them feel as if they are part of the team rather than outsiders who may make mistakes.
5. Create and build out an incident response plan
Few organizations possess well-documented and fleshed-out incident response plans. Without a proper incident response plan, everyone's scrambling when a security event actually occurs. Think of the who, what, where, when, why and how of responding to security incidents and breaches well in advance of them occurring.
Start with a base incident response template, then build it out and make improvements to the document, processes and tools over time.
6. Test, test and test again
Many organizations have yet to acknowledge the threats and vulnerabilities impacting their ERP system. From mobile devices to workstations to the ERP application itself, weak links are likely creating unnecessary security risks.
Move beyond policies and higher-level checklist audits and perform detailed vulnerability and penetration tests of the environment. Make sure to look in all the right areas for flaws and weaknesses -- all hosts, all software, all people. Another good exercise is threat modeling, which can help identify threats and their origin.
7. Monitor the system
Few companies are proactive about system logging, alerting and ERP system or network monitoring. Why? Because whether it's on premises or cloud, it's not easy and it's not cheap. But responding to security events is impossible if you haven't previously sought out potential problems.
Many organizations implement their own security operations center and security incident and event management system in-house, and that can work well. However, that strategy can also create more of a burden for IT staff.
When in doubt, outsource this function. Cloud vendors may be conducting certain monitoring already or may offer it as an add-on option. Just make sure that someone is doing it.
8. Create a plan for the future
The proven approach to running an effective information security program and supporting a resilient ERP environment, no matter the type, is to follow these steps:
- Know what's there. Be fully aware of all the functional parts of the ERP system.
- Understand how the system is at risk. Perform appropriate and adequate security testing like in-depth control audits and, especially, vulnerability and penetration testing.
- Do something about it. Implement the proper controls to eliminate or at least minimize the identified risks' impact. This includes both technical controls and soft controls involving user education.
Diagnosis is half the cure, but IT and security teams must take the appropriate steps to fully mitigate the identified risks. Most organizations are deficient in one, if not all three, of the above areas. Unless and until each of these areas has been properly addressed, an ERP environment is at risk.
Big improvements are possible. The most important step is to get started today.