As millions in the United States are suddenly forced to work at home and overworked IT teams address new technical challenges, hackers are sharpening their skills. Now, more than ever, it's critical to be vigilant about ERP and enterprise security.
The role of leadership
There are many lessons to be learned from the COVID-19 situation.
In terms of information security, the security governance committee, which should include both the CIO and CISO, should revisit and address information risk and its oversight. Now is the time to update information security policies in the employee handbook and in other documents so they cover ways to keep the company's ERP and other systems safe.
The role of information security teams
IT and security teams and those responsible for the ERP system need to understand the new challenges brought by the COVID-19 pandemic.
It's challenging enough to address the usual ERP vulnerabilities. Now, enterprise technology teams also need to manage new ERP security risks. The COVID-19 outbreak has created a perfect storm: a newly remote workforce that is largely outside IT's direct control, and attackers who are aggressively searching for ways to penetrate networks and scam employees. The remote workforce has extended the attack surface, and that extension may be one of your greatest security exposures to date. Widespread pandemic-provoked user distraction, together with information security teams' rush to manage new issues, compounds the security challenges of teleworking.
As part of keeping the ERP environment secure during the COVID-19 pandemic, technology teams should continue with vulnerability and penetration testing. They should find the flaws and fix them where possible. During this process or through a different evaluation, they can also identify ERP-centric security improvements, including those related to user authentication, vendor management, security logging, monitoring and alerting.
User education during COVID-19
Preventing security breaches also requires that information security teams take steps to ensure the organization's critical ERP assets are not further exposed during this time. That requires user education.
When possible, executive management or HR should communicate ERP security policies and other important security policies. This communication could come in the form of newsletters, email reminders or online staff meetings. Messages from executive management or HR tend to get more attention and be better received than the same messages originating from IT or security teams, as they often do.
Here are three ways to ramp up security awareness in the new remote workforce.
1. Encourage users to review policies
Within the messaging to users, an organizational leader -- whether from executive management or HR -- can highlight the critical parts of company policies and share where users can find them, such as in the employee handbook.
- Acceptable usage, that is, what's expected and what's allowed;
- Authentication, especially related to multifactor controls that are in place;
- Computer acquisition and disposal, especially related to buying and setting up new computers as well as selling or otherwise tossing old ones;
- Data backups, especially related to storing data in secure areas supported by the business and not randomly on personal computers or in consumer-centric file sharing and storage applications in the cloud;
- Email, especially related to comingling personal and business emails;
- Encryption, especially related to full disk encryption on laptops as well as encrypting phones and tablets;
- Passwords, especially related to complexity and password sharing;
- Software installation and usage, that is, what's allowed and what's not; and,
- VPN connectivity, including personal VPN software used for privacy purposes.
Reminding users of the organization's incident response plan -- at least at a high level -- is also a good idea. The designated leader can explain threats and what constitutes an incident. The leader can also encourage users to report anything odd taking place on their systems. These efforts should be part of your existing awareness and training program.
2. Urge users to keep software updated
Whoever is communicating about enterprise security related to COVID-19 repercussions should also encourage employees to apply software updates and patches when prompted. This includes not only Windows and macOS updates but also those for third-party software such as Adobe Reader, Google Chrome and Zoom. Users should update both their corporate-issued computers and their personal devices. They should update their mobile apps and install the latest Android and iOS updates on phones and tablets when prompted. Leaders should communicate these practices in clear and simple terms, and send periodic friendly reminders to boost the likelihood that users follow them.
3. Document new policies where needed
There are great online resources where an ERP administrator or information security team member can purchase or download security policy templates. The important thing is to address all the elements of a good security policy and customize them to the organization's specific needs based on the most recent information risk assessment. Of course, leaders will need to share any new policies with users.
These recommendations focus on two things to help protect your ERP environment. First, the security governance committee is revisiting expectations for the organization's users -- what to do and what not to do. Users should already understand most of these requirements. Yet, COVID-19 has disrupted almost all facets of life and reminding users of security best practices is critical. Second, leaders are making users part of the information security team. An effective security program relies on proactive user engagement.