ERP Security Best Practices

ERP system security

ERP security is very valuable and having a compromised system can bring too many unwanted issues and can end the business. Increasing Internet hacks have threatened the need for having a very robust and updated ERP system. This need also means that we have to continuously improve and constantly be aware of situations to improve the entire ERP security architecture.

When it comes to adopting the latest and greatest of security for ERP. The process falls short because businesses expect their software to run smoothly, any stoppers or roadblocks are considered as a downshift for monetary gain and is treated as not important, and these mandated requirements are parked.

Here’s how hackers get in and how we can improve ERP security

Software updates

Outdated and un-updated software pose severe risk. Everyday new software vulnerabilities are discovered in software.

Have frequent software updates as and when they are ready

Data Governance, Open data and API

The initiate towards having an open data setup has opened the doors for other departments to get the needed data through APIs and other data feeds and this data can be used for social engineering to gain access to the source ERP system.

Implement data governance. Data accesses APIs should be fully governed to make sure that what was needed yesterday is still needed today. Make sure that anyone gaining access to this data is not opening the doors further to pass the data and have their own data governance processes in place

Firewalls, Middlewares, 3rd Party Connected Systems

Connected systems are compromised. It usually happens through other systems which might have direct access to the destination ERP system.

Re-audit and update all the systems having access to your systems end-point.

Scrutinize Privileged Accounts

Often called privileged accounts. There is always a superuser, power user, who has access to everything. These users access might be compromised.

Have audits to remove this access, no one should access to all the information, if needed, always provide them for a limited time with an approval process using an enterprise password vault.

Change Sofware delivery and implementation process

New programs, innovation, the open source always bring in too many new things

Have strong PMO governance. Always follow rigid DevOps and agile process which will make sure the changes are minimal and can be easily evaluated. Breakdown all major projects into very smaller chunks so it’s easy to develop, implement, test and maintain.

Adopt two-factor Authentication

Users passwords can be easily compromised. In a corporate world, one user will always have access to multiple systems and in order to remember all the password, most of them keep it either in their excel sheet or in a text document.

Force 2FA(two-factor authentication) this will always ensure that even if a password is comprised, there is always an additional layer of protection.

Scan users computers, share points and other common shared folder locations for possible user id and passwords.

Security Audits

Internal audits are always limited to what they see and what they know.

Have a new set of eyes looking at a bird’s eye view of all your process so it’s easier for an external firm to identify flaws and bring in the experience of finding vulnerabilities and security flaws.

Lingering expired user ids and passwords

There will always be unused passwords which are active in the ERP system which might lead to huge security issues.

Define work processes for requesting access, creation of new users and deletion of expired users

Training

Constantly re-train on the effects of having not having an updated system and the impact it has had on businesses and stress that it is very important for them to secure the data. What some might see has useless; the others might see an opportunity.

Have mandatory training.

4 Eye Principle

Having the same user driving an end to end process of doing a task can lead to risky road

Implement 4 Eye Principle process. All processes should handshake with multiple stake holders.

ERP as such comes with lot of complexities and always lacks competent specialists, secure auditing tools and has huge amount of customizing changes. Adopt role based access controls, segregation of duties and ERP security scanners to search and catch vulnerabilities in ERP system.

Leave a Reply

Your email address will not be published. Required fields are marked *