While sharing data across a single system with ERP software is easier and more efficient, it also concentrates risk: that one system must be kept secure, and you know what they say about putting all your eggs in one basket. This matters all the more because ERP systems are used in sensitive industries including defence, intelligence, medicine and finance. Read on to learn about the top ERP security risks and the potential solutions for keeping ERP secure.
Why Aren’t All ERP Systems Adequately Secure?
There are two main concerns surrounding security for ERP. Firstly, it’s difficult to securely configure an entire ERP system given the myriad products that are bought to integrate with it. These include report generators, data warehouses, learning management systems, imaging systems, and portals. Secondly, there is a huge overhead in managing access and authorisation roles for both the ERP system and the third-party software integrated with it.
ERP software consists of three categories of components, and security problems can exist in each one. These categories are the network layer, the application layer, and the presentation layer; between them they cover the business processes, internal interfaces, and database.
The network layer covers security problems that arise when users interact with the ERP, or when business processes in different locations interact with each other. The presentation layer consists of the graphical user interface (GUI), browsers, and PCs. The transmission of GUI packets is impossible to restrict, so security may have to be provided by placing a Citrix server between the user and the ERP system. The application layer requires security to protect the application servers that process requests.
Despite the wealth of security issues that can plague an ERP system, organisations frequently don’t update their systems anywhere near regularly enough. Running an outdated system not only causes frustration from being unable to integrate with newer products, and confronts you with more crashes and bugs, but compromises your security as well. If you don’t update your security software, your warranty may become void and your system will not actually be protected. If your ERP system is not the most recent version, its vulnerabilities are likely to be widely known, leaving your data and system more defenceless against attackers.
Industries have security standards with which systems are supposed to comply. For example, the credit card industry requires organisations to conform to the Payment Card Industry Data Security Standard (PCI DSS) in order to accept credit cards. This prohibits systems from storing customer credit card numbers in anything other than a strongly encrypted format. The three- or four-digit security code is not covered by this allowance and must not be stored at all. The standard also includes back-end requirements such as a robust firewall, secure passwords, no ‘back doors’, and rigorous controls on data and backups. However, many legacy ERP solutions don’t comply with the PCI DSS.
Inadequate functionality in an ERP system can also result in security risks. If your reporting capabilities aren’t up to scratch, you may be forced to store your data externally. Being unable to access and analyse data with the tools the ERP provides can persuade a user to seek out simpler alternatives, such as storing the data in Microsoft Excel or Access. The extent and location of these shadow systems are easy to lose track of, and they sit outside a company’s regular system backups. Because they depend on specific users, if one of those users were to leave or make an error, data could be permanently lost.
The costs of keeping ERP secure mean that organisations often neglect to implement fine-grained role access. As a result, all users can see data that should otherwise be restricted, which creates opportunities for data misuse and violations of data privacy.
How to Keep ERP Secure
To stop users from creating their own external systems to store critical data, you can establish a directory on a server that is backed up regularly, and make it obligatory that these ‘user systems’ are stored there.
For a system such as a shared ERP system, passwords should be changed in response to an event such as a security breach. This minimises the amount of time a stolen password can be used. It may be tempting to force users to change their password regularly, but imposing frequent password changes has its own associated risks, such as users choosing weak passwords, writing down passwords, and switching back and forth between favourite passwords.
Despite the costs involved, it’s a good investment to set up separate role access within the ERP system. By limiting the data users can see to what’s only relevant to their own role, you reduce the risk of them exploiting the data to the detriment of your organisation.
A good ERP should be able to log all of your processes and transactions. This data history allows you to learn from mistakes and prevent future ones, and gives you a record to investigate when something goes wrong.
Encryption allows you to protect sensitive data, including corporate secrets and classified and personal information. Microsoft and Oracle databases can provide transparent data encryption (TDE), which encrypts data at file level. It encrypts databases both on the hard drive and on backup media. Organisations often use TDE to comply with standards such as PCI DSS, which require the protection of data at rest.
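To show what enabling TDE actually involves, here is an added example (not from the original article) for Microsoft SQL Server, using a hypothetical ERP database named ErpDb; the passwords, file paths and certificate name are placeholders you would replace.

```sql
-- Added example (not from the original article): enabling TDE on a
-- hypothetical ERP database named ErpDb in Microsoft SQL Server.
-- Passwords and file paths are placeholders; replace them before use.

USE master;
GO
-- 1. A master key in master protects the certificate, which in turn
--    protects the database encryption key (DEK).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO
CREATE CERTIFICATE ErpTdeCert WITH SUBJECT = 'TDE certificate for ErpDb';
GO
-- 2. Back the certificate up immediately and store it off the server.
--    Without it, encrypted backups cannot be restored anywhere else.
BACKUP CERTIFICATE ErpTdeCert
    TO FILE = '<secure-path>\ErpTdeCert.cer'
    WITH PRIVATE KEY (
        FILE = '<secure-path>\ErpTdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>');
GO
-- 3. Create the DEK inside the ERP database and switch encryption on.
USE ErpDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE ErpTdeCert;
GO
ALTER DATABASE ErpDb SET ENCRYPTION ON;
GO
-- 4. Verify. encryption_state 3 = encrypted, 2 = encryption in progress.
--    tempdb is listed too: it is encrypted automatically once any user
--    database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

TDE only protects the data files and backups at rest: any login or application that already has permission on ErpDb still reads plaintext, so it complements the role-based access described above rather than replacing it.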
Selecting the right ERP for your business is difficult enough without also ensuring that the system is adequately secure. There are plenty of systems available, each with different levels of security, so it may take you a significant amount of time, money and effort to find the solution to suit your needs.
With our team of qualified experts, Software Advisory Service can help you. We offer a service providing non-chargeable buying advice, and can offer a shortlist of the most appropriate software vendors for you, depending on your business’s requirements. Just click here and fill in the form and we will get back to you with the assistance you need.