New digital technologies, like AI and IoT, are augmenting the business intelligence provided by modern ERP software. While this business intelligence helps organizations grow their bottom line and improve the customer experience, it also presents new data security challenges.
While modern ERP systems can be vulnerable, legacy ERP systems tend to be even more so. Legacy systems are often highly customized and difficult to upgrade, so security patches are applied late or not at all, and that is a key reason they are vulnerable.
If you plan to implement new ERP software, it’s important to avoid over-customization, and take the time to understand the security considerations associated with IoT and cloud technologies.
4 Data Security Tips for Your ERP Implementation
1. Evaluate your organization’s culture.
A customer-centric culture promotes data security because it encourages employees to listen to customers’ data privacy concerns and share them with executives.
Let’s say you’re implementing a new CRM system, and customers are expressing privacy concerns. Your ERP implementation team should be the liaison between customer service reps and executives to establish a data management strategy and define security standards.
If this isn’t your current culture, it’s important to develop a change management strategy that promotes a culture where data security is the responsibility of everyone in the organization. After all, ERP software integrates data across the organization, so several departments likely have access to confidential data.
2. Understand the role of the chief information security officer (CISO).
Your CISO can help lead cultural changes by encouraging open communication and prioritizing training and education.
CISOs should regularly host cybersecurity trainings and provide educational materials in a variety of formats multiple times per year. Cybersecurity training is especially important during pre-implementation.
In terms of communication, CISOs should have regular meetings with privacy and legal teams. A foundation of trust makes it easier for CISOs to prove the value of security.
3. Develop strong governance processes.
Your CISO needs complete visibility into the ERP selection process, so they can evaluate new technology from a data security perspective. By developing a vendor management program, CISOs can keep tabs on the ERP vendors under consideration and their associated security risks. With continuous monitoring and analytics in place, CISOs can quickly detect when an implemented system drifts from the organization’s security baseline.
Strong governance processes also help ensure legal compliance, especially when it comes to meeting information security management standards such as ISO/IEC 27001, published by the International Organization for Standardization (ISO).
4. Be vigilant about IoT security.
The internet of things (IoT) plays a major role in ERP implementations for many organizations. IoT improves data insights and operational efficiency, so it’s easy to see why organizations are drawn to it. If you’re considering integrating IoT with your ERP system, there are several security concerns of which to be aware.
IoT devices are attractive targets because they are network-reachable, frequently ship with weak default credentials, and are patched far less often than servers. A compromised device gives an attacker a foothold on the network it sits on and on every data source it talks to, which is why hackers who want access to multiple data sources go after IoT first.
Most organizations aren’t prepared for such attacks and don’t have adequate protections in place. They don’t realize that a device managed by a third party may not have the same level of security as technology hosted on premise.
A lack of due diligence on the part of the IoT provider is another reason hackers target IoT. Many IoT providers haven’t taken the time to harden their devices because they were too eager to get them to market before competitors.
How can you protect customer data associated with IoT devices? One option is implementing an IoT device management platform, such as AWS IoT Device Management. These platforms let you inventory your fleet, push crucial software updates to all your IoT devices and rotate the credentials each device uses to authenticate.
Cloud vs. On-premise ERP Security: The Advantages and Disadvantages
It is often a huge headline in the news when an organization’s ERP software is compromised due to a cloud security breach. This negative press was once the motivating factor for organizations to stay on premise, but with the overwhelming advantages of moving to the cloud, businesses are making the move in order to stay competitive.
While moving from an on-premise infrastructure to a cloud-based one shifts some of the responsibility from the organization’s IT department to the cloud service provider (CSP), security remains a focal point for which both parties should bear responsibility.
Understanding who is responsible for which security measures is crucial to keeping your organization’s data safe in the cloud. According to Gartner, “In nearly all cases, it is the user – not the cloud provider – who fails to manage the controls used to protect an organization’s data.”1
This is similar to what we’ve found in our own experience – people, not technology, determine your success whether you’re implementing ERP software or instituting cybersecurity measures.
Below, we’ve outlined the key differences between on-premise and cloud security. Then, we discuss the advantages and disadvantages of each.
Differences Between On-premise and Cloud Security
1. Ownership of Responsibilities
The biggest difference between on-premise and cloud security design is the amount of responsibility that rests on the organization itself. With an on-premise infrastructure, a business is responsible for ERP system security from end to end. They procure the servers where the data will be housed, build and manage the firewalls used to control access to the network and control the ability to query and extract data from the system.
In a cloud world, these security responsibilities are shared between the organization and the cloud service provider (e.g., Amazon Web Services or Microsoft Azure). Depending on what type of service a cloud customer is subscribed to, the security responsibilities of the customer differs:
- Infrastructure as a Service – In the case of infrastructure as a service (IaaS), cloud customers are not responsible for physical elements, such as data centers or the hardware and hypervisor that applications are hosted on. They remain responsible for everything above that line: provisioning and patching the virtual machines and their operating systems, securing the virtual network, managing identities and access, and securing and monitoring all applications, interfaces and data within the environment.
- Platform as a Service – When it comes to platform as a service (PaaS), the cloud service provider takes on additional security responsibilities. Since the customer is now paying for an entire platform, as opposed to only the cloud infrastructure, the CSP manages the IaaS duties plus the operating system, runtime and underlying virtual machines and network. The cloud customer is still responsible for their application code and configuration, their identities and access rights, their interfaces and their data.
- Software as a Service – For software as a service (SaaS), the CSP is responsible for all the previously mentioned duties for IaaS and PaaS, plus the application itself. This makes sense, as the cloud customer is now paying to use the CSP’s application hosted on the CSP’s platform and infrastructure. In this case, the cloud customer is still responsible for their data, for which users and integrations can access it and with what rights, and for all interfaces.
In all cases, it is the sole responsibility of the customer to ensure their specific security requirements are being met. If your organization is planning a move to the cloud, it’s helpful to list all your security requirements. When meeting with potential CSPs, give them the list of your requirements, and let them vet how their service can meet your requirements.
It’s important to note that even though many of the responsibilities will lie with the CSP, you must follow the right processes and procedures and hire knowledgeable personnel in order to maintain the integrity of a secure cloud.
To that end, designing and documenting processes around ERP security can help you prepare your IT staff for new roles and responsibilities. A strong business process reengineering methodology is essential when defining new business processes.
2. Points of Access
Another key difference between on-premise security and cloud security is the means by which the system is accessed. An on-premise ERP system runs on servers inside the company’s own network, and users reach it from that network, typically through a client installed on a managed device. When business users need to access company data in an on-premise environment, they need to be on the corporate network, usually by being physically in the office.
For example, an employee could have the SAP client installed on their work laptop, allowing them to view company data from that device while on the company network. The same employee’s personal laptop, with no client and no network access, cannot reach the system at all. This keeps access control relatively simple, because the entry points are few and well defined.
While this may pose challenges for employees working remotely, they can use a virtual private network (VPN) to join the corporate network from outside the office. A VPN is only as secure as the authentication in front of it and the patch level of the VPN gateway itself, so require multi-factor authentication for VPN logins and treat the gateway as an internet-facing system that needs prompt patching.
In a cloud-based environment, employees can access company applications via a web browser. This means that any device with internet access becomes an entry point to business-critical data.
Cloud-based environments encourage the use of application programming interfaces (APIs). While APIs can be used with applications running on premise, their use didn’t become normalized until cloud service (and software) providers began pre-building them into their platforms.
Now, interfacing with third-party software applications is as easy as exposing the appropriate API and allowing third-party access to your environment. This ease of interfacing has its benefits but adds an additional layer of complexity when it comes to security design.
When utilizing an API to create, read, update or delete data in another system, it is crucial that proper planning takes place. An integration rarely needs every permission the API can grant; identifying the permissions it actually needs, and understanding what each one allows if the credential is stolen, is just as important as building the integration. We always advise against taking the easy road and just giving full permissions to an API.
When creating the API, you should investigate the security of the system you are interfacing with. One question to ask when interfacing is this: “If this system’s security is breached, how can it affect our data?” Developing your connector or API with this in mind can save you headaches and potential lawsuits down the road.
The Advantages and Disadvantages of On-premise vs. Cloud Security
Whether you have an on-premise infrastructure or are already in the cloud, there are some strong advantages to both in terms of security:
Advantages of Cloud Security
A huge advantage when it comes to security in the cloud is the accessibility of security tools built by the cloud service provider or ERP vendor. Usually, for an additional fee, CSPs like Amazon, Microsoft and Google offer built-in security tools that help your IT department identify and remediate network vulnerabilities and provide suggestions on how to improve your security design.
Cloud service providers have a lot riding on the security of your data – namely, their reputation. Even if a data breach is the fault of a cloud customer, the reputation of the CSP also takes a hit. Because of this, CSPs have heavily invested in machine learning to help identify weak spots in your system and notify you immediately in case of an attack.
Another benefit of security in the cloud is the level of automation that can be achieved leveraging APIs. These APIs make it simple to orchestrate incoming and outgoing messages between your company’s network and third parties, ensuring proper authentication methods are in place each step of the way.
Disadvantages of Cloud Security
While the use of APIs can be considered an advantage in terms of automation, it can also be a disadvantage when looking at the amount of access points to manage. If you have several third parties automatically accessing your environment, it can be difficult to monitor all the inbound and outbound traffic. In the case of a breach, it is even more problematic to find out where your security issues lie.
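One way to keep many third-party access points monitorable is to record a baseline of what each integration normally does and alert on deviations. The following is an added example and not code from the original article; the log format, the integration names, the baseline and the log lines themselves are all constructed for illustration. It flags calls to endpoints outside an integration’s baseline (including write attempts by a read-only integration), calls from a source address not seen before, repeated authorization denials that look like probing, and clients that have no baseline at all.

```python
"""Baseline-and-alert over API gateway logs for third-party integrations
(added example, constructed data).

Assumed log format, one event per line:
    <timestamp> <client_id> <method> <path> <status> <source_ip>
"""
import re
from collections import Counter

# Constructed sample: normal traffic, then a partner credential misused at
# 02:13 to probe HR endpoints from an unfamiliar address, plus a read-only
# bank feed attempting a write and a client nobody has onboarded.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z carrier-connector GET /api/v1/orders/1001 200 203.0.113.10
2024-05-01T08:00:02Z carrier-connector PATCH /api/v1/shipments/77 200 203.0.113.10
2024-05-01T08:00:03Z bank-feed GET /api/v1/payments/batch 200 198.51.100.20
2024-05-01T08:01:10Z carrier-connector GET /api/v1/orders/1002 200 203.0.113.10
2024-05-01T02:13:00Z carrier-connector GET /api/v1/employees 403 192.0.2.55
2024-05-01T02:13:01Z carrier-connector GET /api/v1/employees/export 403 192.0.2.55
2024-05-01T02:13:02Z carrier-connector GET /api/v1/orders 200 192.0.2.55
2024-05-01T09:30:00Z bank-feed POST /api/v1/payments 201 198.51.100.20
2024-05-01T09:31:00Z unknown-app GET /api/v1/orders 200 198.51.100.99
"""

# Assumed baseline per client: the (method, normalized path) pairs it is
# expected to make and the source addresses it is expected to come from.
BASELINE = {
    "carrier-connector": {
        "calls": {("GET", "/api/v1/orders"), ("GET", "/api/v1/orders/{id}"),
                  ("PATCH", "/api/v1/shipments/{id}")},
        "ips": {"203.0.113.10"},
    },
    "bank-feed": {
        "calls": {("GET", "/api/v1/payments/batch")},
        "ips": {"198.51.100.20"},
    },
}
DENIAL_THRESHOLD = 2   # 401/403 responses from one client before alerting

LINE_RE = re.compile(
    r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3}) (\S+)$")


def normalize(path: str) -> str:
    """Collapse numeric path segments so /orders/1001 and /orders/1002 match."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def parse(log_text: str):
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than crash
        ts, client, method, path, status, ip = m.groups()
        yield {"ts": ts, "client": client, "method": method,
               "path": normalize(path), "status": int(status), "ip": ip}


def analyze(log_text: str, baseline: dict = BASELINE) -> list:
    """Return (client, rule, detail) findings; each distinct finding is reported once."""
    findings, seen, denials = [], set(), Counter()

    def report(client, rule, detail):
        key = (client, rule, detail)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for ev in parse(log_text):
        profile = baseline.get(ev["client"])
        if profile is None:
            report(ev["client"], "unknown_client", ev["ip"])
            continue
        call = (ev["method"], ev["path"])
        if call not in profile["calls"]:
            report(ev["client"], "unexpected_endpoint", f"{call[0]} {call[1]}")
        if ev["ip"] not in profile["ips"]:
            report(ev["client"], "new_source_ip", ev["ip"])
        if ev["status"] in (401, 403):
            denials[ev["client"]] += 1
            if denials[ev["client"]] == DENIAL_THRESHOLD:
                report(ev["client"], "repeated_denials",
                       f"{DENIAL_THRESHOLD} denied calls")
    return findings


if __name__ == "__main__":
    for client, rule, detail in analyze(SAMPLE_LOG):
        print(f"{client:18s} {rule:20s} {detail}")
```

Note that the authorization layer already returned 403 for the HR endpoints; the point of the monitor is that a denied probe from a partner credential at 02:13, from an address the partner has never used, is an incident to investigate, not a non-event. Keeping one baseline per integration is also what lets you answer “where did this come from?” after a breach, because every finding is tied to a named client rather than to undifferentiated inbound traffic.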
Advantages of On-premise Security
An obvious advantage of an on-premise security design is the clarity of responsibilities and ownership around security requirements. With a physical data center, it’s easy to see that access to the facility must be protected by the customer. The ownership of security requirements falls 100-percent on the organization.
If you prepare your people and processes, your on-premise security will be strong. It’s not only important to prepare your IT department but your end users, as well. While end users have a very different set of security responsibilities, their role is no less integral.
Some organizations develop an organizational change management plan to prepare employees for the security considerations of a new ERP system.
Disadvantages of On-premise Security
With the ownership of the data center resting solely on the business, the security responsibilities carried by your IT department are substantially greater than in a cloud-based design: physical access, hardware, hypervisors, operating systems, networks and applications all belong to you.
Additionally, there is usually little to no automation in terms of communicating with third parties. This means your IT department must securely build and manage a channel of communication each time a new vendor is added to your ecosystem.
Lastly, as if your IT department doesn’t have enough on its plate, security tooling for on-premise environments only stays current if your own staff keep it updated and tuned. With new ways for cybercriminals to access sensitive company data, security tools must constantly evolve to keep up with new threats. When the defense lags behind the threat, IT professionals must be even more diligent in monitoring your network’s security.
The most common form of attack on company networks is not so much a virus or brute-force hacking. It is social engineering, combined with elevated permissions granted to individuals or groups that don’t require full access. Both thrive where there is no solidified IT plan and no documentation of who is supposed to have access to what.
You can address these issues by facilitating employee training regarding attackers’ methods and tactics. For additional vigilance, you should ask your in-house IT security professional or an external IT auditing firm to audit permissions and remove those that are not essential to each person’s job.
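The permission audit above can be largely automated against an export of ERP role assignments. The following is an added example, not code from the original article or from any ERP product; the role names, the permission names, the segregation-of-duties rules, the user assignments and the 90-day usage data are all constructed for illustration. It reports three things an auditor looks for first: users holding segregation-of-duties conflicts (for example, the ability to both create a vendor and release a payment to it), accounts with full administrative access, and permissions each user holds but has not exercised, which are the candidates for removal.

```python
"""Excess-privilege and segregation-of-duties review over ERP role exports
(added example, constructed data).

Assumed model: a role maps to a set of "<object>.<action>" permissions, "*"
means every permission defined anywhere, and a usage export tells us which
permissions each user actually exercised in the review period.
"""

ROLE_PERMS = {
    "AP_CLERK":      {"vendor.create", "invoice.enter"},
    "AP_MANAGER":    {"invoice.approve", "payment.release"},
    "WAREHOUSE":     {"goods.receive"},
    "REPORT_VIEWER": {"report.read"},
    "SYS_ADMIN":     {"*"},
}

# Each rule: holding any permission from the left set together with any from
# the right set is a conflict, for the stated reason.
SOD_RULES = [
    ({"vendor.create"}, {"payment.release"}, "can create a vendor and pay it"),
    ({"invoice.enter"}, {"invoice.approve"}, "can enter and approve the same invoice"),
]

ASSIGNMENTS = {                      # constructed user -> roles export
    "alice":         ["AP_CLERK"],
    "bob":           ["AP_CLERK", "AP_MANAGER"],
    "carol":         ["SYS_ADMIN", "REPORT_VIEWER"],
    "dave":          ["WAREHOUSE"],
    "svc-reporting": ["SYS_ADMIN"],  # a service account given admin for convenience
}

USAGE_90D = {                        # constructed: permissions actually exercised
    "alice":         {"invoice.enter"},
    "bob":           {"invoice.enter", "invoice.approve"},
    "carol":         {"report.read"},
    "dave":          {"goods.receive"},
    "svc-reporting": {"report.read"},
}

ALL_PERMS = {p for perms in ROLE_PERMS.values() for p in perms if p != "*"}


def effective_permissions(roles) -> set:
    """Union of the permissions granted by `roles`, expanding the "*" wildcard."""
    perms = set()
    for role in roles:
        granted = ROLE_PERMS.get(role, set())
        perms |= ALL_PERMS if "*" in granted else granted
    return perms


def sod_conflicts(perms: set) -> list:
    return [reason for left, right, reason in SOD_RULES
            if perms & left and perms & right]


def review(assignments=ASSIGNMENTS, usage=USAGE_90D) -> dict:
    """Produce the three audit findings for every user in the export."""
    report = {"sod_conflicts": [], "full_access": [], "unused": {}}
    for user, roles in sorted(assignments.items()):
        perms = effective_permissions(roles)
        for reason in sod_conflicts(perms):
            report["sod_conflicts"].append((user, reason))
        if any("*" in ROLE_PERMS.get(r, set()) for r in roles):
            report["full_access"].append(user)
        unused = sorted(perms - usage.get(user, set()))
        if unused:
            report["unused"][user] = unused
    return report


if __name__ == "__main__":
    r = review()
    for user, reason in r["sod_conflicts"]:
        print(f"SoD   {user:14s} {reason}")
    for user in r["full_access"]:
        print(f"ADMIN {user:14s} holds a wildcard role")
    for user, perms in r["unused"].items():
        print(f"PRUNE {user:14s} unused in 90 days: {', '.join(perms)}")
```

Run this against a fresh export each quarter and the “unused” list becomes the work queue for the access review: a permission nobody has exercised in ninety days is rarely essential, and removing it is exactly the least-privilege cleanup the paragraph above recommends. The wildcard holders deserve a separate conversation, because a service account with administrator rights is the first thing a social engineer who lands on the right workstation will look for.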
Where Should You Host Your ERP System?
During ERP selection, cybersecurity is a concern for many organizations. Ultimately, security depends less on your deployment and hosting model and more on your people and processes.
Why Cybersecurity Requires a Change Management Plan
Hackers know that employees are the quickest and easiest route to company data. However, employees can’t be vigilant if they don’t know what to look for. It’s your responsibility to prepare them for the inevitable phishing scam, ransomware attack or public Wi-Fi hack.
1. The “Old Ways” Are Easy
Imagine a world where you never need to change your passwords and you’re allowed to “work from home” at your nearest coffee shop. This is the world employees are leaving behind when they adopt new cybersecurity practices. This loss shouldn’t be treated lightly. Convincing employees to change familiar patterns will require compelling reasons. Your organization should communicate the importance of cybersecurity and emphasize what’s at stake in the event of a security breach.
2. Cybersecurity is a Habit
3. Access Points are Numerous
Developing a Change Management Plan for Cybersecurity
An ERP implementation shouldn’t be the only time your organization considers improving its cybersecurity. Cybersecurity is a continuous battle that requires a long-term change management plan.
You can implement all the cybersecurity control frameworks you want, but your processes will become ineffective as soon as an employee clicks a phishing link. That’s why you need more than technical frameworks – you need clearly communicated best practices and recurrent training.
Your organization should gain executive support for a cybersecurity change management plan, so you can implement training and communication initiatives that result in long-term behavior changes.
Communicating with employees about cybersecurity is like communicating with employees about an ERP implementation. Both require strong leadership that fosters trust and two-way communication. Both entail precise timing and personalization. Both necessitate a change management team with defined roles and responsibilities.
How to Educate Employees About Cybersecurity
1. Communicate your organization’s security goals.
This ensures that employees understand the reasoning behind new policies and procedures. Put security risk in a context that directly relates to employees by explaining that a security breach affects not just data but the organization’s reputation and, ultimately, its ability to achieve business goals.
2. Encourage employees to attend security training sessions.
In addition to requiring that employees attend training sessions, you should ask employees to sign confidentiality agreements. Similar to general ERP training, security training should be ongoing and supported by strong buy-in from executives.
3. Share news about security breaches at other companies.
Use this as a teaching tool. You may also choose to confidentially share general information about attempted attacks on your own ERP system. While stories can be strong motivators, be careful with how much detail you share, because employees themselves can use this information to launch copycat attacks internally.
4. Launch simulated phishing attacks.
This tests employees’ current level of security knowledge and grabs their attention. After assessing employees’ responses, explain how they should respond to similar attacks.
The Value of ERP Data Security
It’s not easy to prove the ROI of ERP data security. Justifying the investment requires an understanding of the threat landscape, attack probability and potential losses. With this information, you or your CISO can convince executives that ongoing cybersecurity is necessary to support the organization’s goals.
Once you have buy-in, it’s important to hire ERP consultants to help you develop a digital strategy that keeps hackers away from the most vital parts of your ERP system. While ERP vendors can provide ongoing maintenance and support, your best bet for ensuring data security is hiring an independent ERP consultant who recognizes the importance of contingency planning and developing a solid digital strategy.
1. Gartner, “Is the Cloud Secure?”, March 2018, https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/