Most companies understand the consequences of poorly planned ERP implementations – cost overruns, low benefits realization, and so forth. However, an often-overlooked consequence is the occurrence of an unmitigated security breach.
If you botch any aspect of ERP implementation – whether it be the technology, process, people, or data aspect – this can have a direct impact on the security of your ERP system.
Take Target, for instance. In 2013, hackers accessed around 40 million credit and debit card accounts of Target customers, and the personal information of around 70 million people was compromised.
This unprecedented data leak resulted from flaws in Target’s ERP security. An employee of a third-party vendor fell for a phishing attack, and the hackers were able to use the employee’s credentials to access Target’s system.
The security breach had significant consequences. After news of the breach became public, the company’s profits fell by 46%, and Target paid hundreds of millions of dollars to deal with the incident. It faced bank reimbursement demands, regulatory fines, customer service costs, and legal fees. Target lost consumer trust, and the CIO resigned.
Organizations of any size are at risk of similar security breaches if they rush through their ERP implementation and cut corners.
We have multiple software expert witnesses available for provision of reports, depositions, and testimonies.
5 Tips for Avoiding an ERP Security Breach
1. Plan for Robust Security Measures
ERP security starts before ERP implementation. Most of the top ERP systems include controls in their configuration options.
You should adapt these controls to fit your business operations. If you don’t, this could lead to mistakes such as:
• Turning off controls
• Limiting controls
• Bypassing controls
• Implementing unnecessary and obstructive controls
Your ERP implementation strategy should include the expectation of an effective security protocol. A realistic timeline with time for testing sets your team up for success.
2. Define Your ERP Security Strategy
A well-defined ERP security strategy is essential for minimizing risk. Good governance is a best practice for organizations of all sizes. Governance includes:
• Knowing exactly how the ERP system supports your business objectives
• Writing clear policies that document how to get the best business outcomes using the ERP
• Enforcing ERP security policies
Documentation should clearly define the separation of roles and responsibilities for ERP security. This delineation occurs between your business and your ERP provider. It also occurs between departments in your organization.
Mapping your business processes for each department, or even each user, is time-consuming. The ERP implementation team may be tempted to avoid this step. However, it’s essential for determining the best security controls.
3. Segregate and Protect Sensitive Customer Data
Ask any of our computer software experts, and they will tell you that the best way to reduce the risk of a data leak is by carefully controlling access to sensitive data.
Effective governance tells you what information is most at-risk and who needs access. You can use data segregation to separate certain sets of data. Then you can apply different access policies to them.
Implementing data segregation at the data access level lowers the risk of compromise as fewer systems or applications have access.
Principle of Least Privilege
Data segregation lets you apply the principle of least privilege. This is the idea that users should only have access to the privileges necessary to do their jobs. For example, a user who enters database information doesn’t need root access privileges.
Role-based access with granular access controls is essential. Following this principle reduces the risk of unauthorized access through a low-level account. You’re more likely to stop a hacking attack from spreading to the entire system.
Implementing the principle of least privilege takes time and attention. You need to check all existing accounts, processes, and programs and be sure they only have the basic ERP permissions to do their jobs.
When employees change jobs within the organization, their access permissions need reviewing. You can use one-time credentials for employees who occasionally need higher privileges.
Deactivating system access when employees leave the organization is also critical.
4. Conduct Regular Security Audits
ERP security controls are complex. Regular audits can help identify weaknesses in your system. Periodic reviews should include:
• Your internal processes
• The security posture of your ERP vendor
• Third-party risks
A security audit looks for potential issues in your ERP controls, such as:
• Conflicts in role-level segregation of duties
• Control weaknesses
• Vulnerabilities in application configurations
Reviewing your ERP vendor’s controls tells you how the vendor is protecting your data.
The risk of unauthorized access to your ERP from third parties can be significant. Considerations for suppliers and service providers include:
• The level of access third parties have to your ERP system
• Internal controls to monitor third-party access
• Enforcement of data protection procedures
A comprehensive audit can be time-consuming. An external auditing team allows your IT department to focus on other tasks.
5. Schedule Ongoing Security Training
Effective security training is necessary to help your employees recognize and resist cyberattacks. You may need to start with a skills-gap analysis to determine where skills and knowledge are lacking.
When it comes to training, simulations should cover a variety of scenarios like phishing, ransomware, and social engineering and they should represent situations your employees will encounter in their daily work.
Avoid ERP Security Issues With the Right Implementation Strategy
Our electronic software security breaches expert witnesses have seen a number of cases involving ERP security breaches. Our consultants have worked on these cases with our technology experts, so they bring a unique perspective to ERP security.
Panorama Consulting Group can help you design an effective ERP security plan, so contact us below for a free consultation.