Even after new ERP software goes live, the project team’s job is not over. Although the ERP implementation may be complete, the task of system maintenance has just begun. And with the increasing prevalence of data breaches, ERP maintenance is more important now than it has ever been.
While ERP maintenance can help detect and prevent data breaches, it is not the only security measure organizations can take to protect their data. Organizations typically rely on their ERP vendor and IT department to perform system maintenance and augment security. That is all well and good, but there is also a non-technical side of security that rests with end-users. To grasp this non-technical side of security, organizations should begin by understanding their threat landscape in terms of who rather than what.
The human side of data breaches is often overlooked by organizations that focus on developing sophisticated technical protections for their ERP systems. These organizations forget that – while technical in nature – cyber-attacks are also psychological in that they are carried out by real human beings with insight into the human psyche and knowledge of what it takes to make someone click on a link that will compromise security. These organizations forget that their best defense against cleverly planned cyber-attacks is equal (or perhaps greater) human cleverness.
According to the 2013 Data Breach Investigations Report, it only takes three emails from a hacker to convince more than 50% of targets to click on a link. While a click is not an automatic gateway to internal data, the initial goal of every phishing scheme is simply to get a user to take the bait. The first phase of an ERP system data breach is indeed psychological.
Similarly, organizations’ first layer of defense should also be psychological. Organizations can strengthen their defenses by leveraging the common sense and vigilance of employees through security training. End-users need to know how to detect security breaches and how to respond when they notice anything strange, whether it’s slow ERP system performance or a suspicious email (even one ostensibly from a friend, ERP vendor or consultant) asking for passwords or other sensitive information. The best defense against a data breach is an employee who is quick to notice strange occurrences and report them to the IT department and management.
To detect and prevent data breaches, organizations should not and cannot rely solely on ERP maintenance. An organizational change management strategy that includes end-user security training can offer just as much, if not more, protection against the schemes of hackers.
To learn more, visit our ERP Training page and read our other recent blog post on the topic, Using Security Training to Protect Your ERP System.