No less than 14 retailers were hacked between January 2017 and April 2018 and had information stolen. Sears, Kmart, Delta, Best Buy, Panera Bread, and Whole Foods, just to name a few and that’s just retailers. It doesn’t include financial groups such as Equifax or even web service providers like Yahoo.
Anyone in IT consulting can tell you: Cybersecurity is a big deal in the modern world and, if your ERP systems are not protected, you’re putting more than just your company at risk. It’s your job to keep your customers and their data safe, too.
How Secure is My ERP?
ERP vendors have included high-quality security options in their applications, but the onus for security still falls on the company that installs the ERP.
Each company needs to spend time auditing and supplementing vendor security to prevent malicious cyber-attacks. Evaluate your current position regarding ERP application threats. Do you have a complete inventory of all the devices that currently use the network—smartphones, laptops, thumb drives, and routers? Does your ERP system have vulnerabilities that will enable cyber attackers to take full control of the business?
Put That ERP under Lock and Key
The good news is that there are several steps you can take to keep your ERP secure. Even if you outsource your ERP technology, there are still internal measures that you should take to keep your information safe.
- Manage who has administrative access. Many organizations have addressed security with Segregation of Duties (SoD) which controls access and sets strict user authorizations. This is a positive step; however, it may create a false sense of security, as these controls were not designed to prevent or detect cyber-attacks.
- Educate employees on best practices. Employees are the weakest link in system security. Don’t assume that everyone understands; let them know the importance of security and the steps they should take to mitigate risk.
- Create stronger passwords. Password prediction is one of the most common and avoidable sources of cyber security attacks. All system passwords—including email—should be long, require multiple types of characters, and be changed regularly.
- Use SPAM filters. These filters should recognize and prevent emails from suspicious sources from ever reaching an employee’s inbox. Use browser add-ons and extensions that prevent users from clicking on malicious links.
- Use private clouds. Private clouds may cost more, but they have fewer entry points and more stringent safety measures in place. Private cloud providers are in a better position to monitor accounts, enabling them to preemptively deflect attacks and minimize threat impact.
- Secure your data transfer channels. All the data you transfer back and forth to the cloud travels through the internet, which is where it is most vulnerable. Make sure you select secure data transfer channels and encrypt any data before it is sent out. Use an SSL Certificate to secure all traffic to and from your website. This protects information being sent to and from your web server from eavesdroppers.
- Require encryption for employees who are telecommuting. A new threat introduced by the BYOD (bring your own device) trend is apps on employees’ mobile devices that can access address books and export them to sites on the internet, exposing the contacts to attackers who use them for spear phishing. Install mobile security software on user devices that scans apps and prevents users from accessing the corporate networks if they have privacy-leaking apps.
- Use a securely hosted payment page. This is the best practice for reducing your risk to your customers’ credit card data. Use a payment gateway provider that has up-to-date PCI DSS and ISO 27001 certifications from independent auditors.
- Know your software interfaces. Application programming interfaces (APIs) are what you use to access ERP software applications on the cloud. Evaluate your existing API to determine if it has any vulnerabilities and investigate ways to strengthen it.
- Apply vendor security patches promptly. Regularly update your antivirus and anti-malware software. If you outsource your ERP to a third party, the vendor is responsible for updates. However, SaaS ERP can be breached through a network on site that hasn’t been updated. The same goes with the applications, software, and on-site operating systems that employees use to access ERP software. This includes website hosting, shopping cart software, blogs, and content management software.
- Limit the effect of an attack. Have the right processes and solutions in place to diminish both the threat and the impact.
- Join forces. Security is a problem that affects all business. Openly discuss security measures and expose them to peer review.
How well are you performing at keeping your ERP systems safe? Have you implemented all these measures in your organization? If not, take steps now to secure your business.
For more than fifteen years, IT consulting firm PositiveVision has helped companies of all sizes implement ERP software and set up and maintain security. If you need a little peace of mind to go along with your ERP, contact us today and let us help you find and fill the holes in your cybersecurity.