Cyber security has never been more important. A recent report by the Department for Digital, Culture, Media and Sport (DCMS) found that 43% of UK businesses had suffered a breach in the last 12 months. With the update to data privacy legislation, the General Data Protection Regulation (GDPR), looming as well, leaving personal data vulnerable to hacking or other breaches has potentially significant consequences. A data breach under the GDPR could land your business with a fine of 20 million euro or 4% of annual turnover (whichever is greater).
What does this have to do with ERP software? Well, not only could hackers wreak havoc with crucial production and sales data, but chances are you will be holding personal data about customers too. This is all without mentioning, of course, the ever-present threat of financial and management data getting into the wrong hands internally too. This means that the security of your ERP system and the infrastructure supporting it is of the utmost importance.
With that in mind, here are 4 common risks to ERP security and some guidance on how to address them.
Unsupported software leaves you at risk: you no longer have access to critical security patches. Outdated software leaves you open and vulnerable to hackers and other internet malcontents, and the more established your software, the more likely it is that someone has already uncovered a vulnerability in it. It is worth reviewing your current ERP software implementation: when it was last updated, what support is available from the vendor, and whether you are still eligible for security patches. If it has been a number of years since it was last updated, and you are unable to obtain extended support, it is worth considering an upgrade, not least to ensure key business data is protected.
A practice still common in many businesses is using multiple tools and pieces of software to carry out core business processes. This can lead to unauthorised systems, outside the control and protection of the ERP system, holding sensitive data. It is particularly common for businesses to hold data in the ERP system but run reports in a tool like Excel, possibly because staff are more familiar with that tool, or because the ERP software lacks the functionality or capability needed. Once the data has been pulled from the ERP software and exported in this manner, there is no telling where it might end up, potentially being stored in programs that are not maintained or secured. If you suspect this is the case within your business, review the offending business processes and how they map to the ERP system. Where possible, find a way to bring everything into one tool which you can control. Then ensure that staff are adequately trained and made aware of the process, to avoid any further unauthorised data exports.
From a user perspective, it is the quickest way to get going: enter your password, and you are logged in to the ERP system and ready to crack on with a day’s work. But considering that password hacking/cracking is one of the easiest forms of hacking (if you Google “password hacking” the top result is an article literally telling you how to do it), is this really a strong enough barrier to your business’ most important data? The fact that someone can enter a string of characters and instantly have access to potentially sensitive and definitely confidential data is likely to keep any network manager awake at night. If this is you, it might be time to consider two-factor authentication (2FA) for your ERP system, adding that extra layer of security. Common 2FA methods include requiring entry of an additional code, sent to a phone number or email address or generated by an authenticator app, or a physical token, such as a security fob or smart card.
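To make the “additional code” concrete, here is an added example (not code from the original post or from any ERP vendor) of how a time-based one-time password, the kind an authenticator app shows, is generated and checked on the server side. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP) with HMAC-SHA1; the shared secret below is the published RFC test-vector secret, used here only so the output can be checked, and the function names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time // step), digits)


def verify_totp(key: bytes, submitted: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Check a user-submitted code, tolerating +/- `window` time steps of clock drift.

    Every candidate is compared with hmac.compare_digest and the loop never
    short-circuits, so response timing does not reveal which step matched.
    Real deployments also rate-limit attempts and reject a code once it has
    been accepted (replay protection); both are left out here for brevity.
    """
    if for_time is None:
        for_time = time.time()
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    current = int(for_time // step)
    matched = False
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:
            continue
        matched |= hmac.compare_digest(hotp(key, counter, digits), submitted)
    return matched


def enrolment_secret(key: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect at enrolment."""
    return base64.b32encode(key).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), not a real key.
    key = b"12345678901234567890"
    print("enrolment secret:", enrolment_secret(key))
    print("code at t=59:", totp(key, for_time=59))            # 287082 per the RFC
    print("valid:", verify_totp(key, "287082", for_time=59))  # True
    print("valid:", verify_totp(key, "000000", for_time=59))  # False
```

The `window` of one step each way is the usual compromise between tolerating a phone whose clock is a few seconds out and keeping the number of codes that are valid at any moment small; the secret itself must be generated with a cryptographic random source per user and stored with the same care as a password hash.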
Failure to lock down access rights
This is probably one of the most common risks businesses face: losing track of who has access to what internally. While many businesses will use tools like Group Policy and Active Directory to manage rights and access levels, when new people come into the business, or people leave, get promoted or move between departments, individuals can slip through the cracks. It is very important to consider who needs access to what, and to carefully manage and monitor the technological barriers and solutions that keep this access in place. It is a good idea to make this part of your on-boarding process: when you get word of a new starter, determine exactly which parts of the ERP system they will need and should have access to. Similarly, carefully maintain your off-boarding process, ensuring the user’s rights are adequately revoked from all systems.
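The joiner/mover/leaver review described above can be automated as a periodic reconciliation between the HR roster and the ERP user list. The following is an added example, not code from the original post or from any ERP product: the roster, account list and per-department role baseline are constructed sample data, and the role names and function names are hypothetical. It flags leavers whose accounts are still enabled, accounts with no matching person in HR, and movers who kept roles from a previous department.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data; in practice these come from the HR system and the
# ERP's user/role export respectively.
HR_ROSTER = [
    {"user": "asmith", "status": "active", "department": "Finance"},
    {"user": "bjones", "status": "leaver", "department": "Sales"},
    {"user": "cwong",  "status": "active", "department": "Warehouse"},  # moved from Finance
]

ERP_ACCOUNTS = [
    {"user": "asmith",    "enabled": True, "roles": {"AP_CLERK"}},
    {"user": "bjones",    "enabled": True, "roles": {"SALES_REP"}},
    {"user": "cwong",     "enabled": True, "roles": {"AP_CLERK", "WAREHOUSE_OPS"}},
    {"user": "tempadmin", "enabled": True, "roles": {"SYS_ADMIN"}},  # nobody in HR owns this
]

# Which ERP roles each department is allowed by default (hypothetical baseline).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "Finance":   {"AP_CLERK", "GL_VIEW"},
    "Sales":     {"SALES_REP"},
    "Warehouse": {"WAREHOUSE_OPS"},
}

Finding = Tuple[str, str, List[str]]   # (issue, user, roles concerned)


def review_access(roster, accounts, baseline) -> List[Finding]:
    """Compare ERP accounts against the HR roster and role baseline.

    Returns one finding per problem account, in the order the accounts were listed:
      leaver_still_enabled - HR says the person left but the account is still on
      orphan_account       - account has no owner in HR (shared/temporary/forgotten)
      excess_roles         - enabled account holds roles outside its department's baseline
    """
    roster_by_user = {person["user"]: person for person in roster}
    findings: List[Finding] = []
    for acct in accounts:
        person = roster_by_user.get(acct["user"])
        if person is None:
            findings.append(("orphan_account", acct["user"], sorted(acct["roles"])))
            continue
        if person["status"] == "leaver":
            if acct["enabled"]:
                findings.append(("leaver_still_enabled", acct["user"], sorted(acct["roles"])))
            continue
        if not acct["enabled"]:
            continue                       # disabled accounts hold no effective access
        excess = acct["roles"] - baseline.get(person["department"], set())
        if excess:
            findings.append(("excess_roles", acct["user"], sorted(excess)))
    return findings


def roles_for_new_starter(department: str, baseline=ROLE_BASELINE) -> Set[str]:
    """On-boarding helper: the default role set to request for a given department."""
    return set(baseline.get(department, set()))


if __name__ == "__main__":
    for issue, user, roles in review_access(HR_ROSTER, ERP_ACCOUNTS, ROLE_BASELINE):
        print(f"{issue:22} {user:10} {', '.join(roles)}")
    print("new Finance starter gets:", sorted(roles_for_new_starter("Finance")))
```

Run against the sample data this reports bjones (a leaver still enabled), cwong (kept the Finance `AP_CLERK` role after moving to the warehouse) and tempadmin (no owner in HR). Scheduling this comparison weekly, and treating every finding as a ticket for the account owner’s manager, turns the off-boarding step from a promise into something that is checked.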
It’s all about process
We hope this has come across in this post: a lot of the measures you should put in place to ensure your ERP system is secure are not just about tools, but about process. Your software is only as secure as your processes, and lack of training, human error, and negligence are just as much of a threat as any Russian hacker. If you would like further guidance and advice on how to ensure both your processes and your ERP system are secure, get in touch.