What is an ERP System?
Enterprise resource planning (ERP) is the process of managing and integrating an organization's everyday business-critical functions. An ERP system is the software that centralizes those core operations, including finance, procurement, supply chain, human resources, and others. The volume of data these systems accumulate is enormous, which makes ERP security a necessity: not only do many organizations depend heavily on their ERP system, it is also a gold mine of sensitive information.
ERP systems are used by thousands of businesses, both small and large, across many different industries, such as healthcare, education, hospitality, construction, and more.
Companies like Oracle, SAP, SYSPRO, Sage, and Microsoft are some of the leaders in the ERP space. ERP technology continues to evolve: what was once available only as a client/server system can now run as a web application or as a cloud-hosted service, which also widens the attack surface that has to be protected.
For many organizations, ERPs function as the company’s backbone. So, it’s no surprise that keeping these systems protected remains a hot topic for discussion.
Why is ERP Security Important?
As these systems continue to advance and become more powerful, ERP security becomes even more vital and unfortunately – even more complex to manage.
ERP applications process sensitive company information, such as financial records, private customer or employee data, and proprietary business information. These systems are built upon layers and layers of data and configuration, and while ERP security may not be easy, it is not optional.
A breach of information or a malicious attack on the system can be devastating. Not only can it disrupt business operations, but exposing personal data (PII) or payment card data (the data PCI DSS exists to protect) can be a death sentence for a corporation. A firm's reputation can be gone in the blink of an eye after an ERP security breach, and there is a good chance that the breach originated with an insider.
ERP Security: Insider vs Outsider Threats
An ERP security incident can occur for a number of reasons. External attackers commonly gain a foothold in a company's internal systems through phishing emails and malware, then move on to data theft or ransomware. External threats, however, are not the only thing organizations need to worry about: many significant breaches were carried out by individuals on the inside. Internal misuse of the system, excessive or unauthorized access levels, fraud, theft of intellectual property, and even human error are breach methods attributed to insiders, and the common thread is access that was broader, or lived longer, than the job required.
6 ERP Security Tips
While there may not be a one-size-fits-all approach to ERP security, here are six tips not to overlook:
1. System Updates
We get it: system upgrades and applying patches can be tedious. However, a large share of breaches involve the exploitation of unpatched, publicly known vulnerabilities. When you forgo routine maintenance and upkeep, you leave the door wide open to attackers who scan for exactly those gaps. Even if it is a manual effort, establish a repeatable process for obtaining, testing, and deploying patches to the ERP application, its database, and the underlying operating systems, and verify afterward (for example with a vulnerability scan) that the fixes were actually applied, including on newly added hardware and software.
2. Conflicting Access – SOD Controls
Segregation of duties (SOD) is a critical aspect of ERP security. It is the practice of splitting the access required for a business process between different people, to limit the opportunity for fraud, error, or misuse. Take compensation as an example: one user should not be able to both define a salary grade and confirm payroll. Giving one individual both capabilities creates the risk that the user changes a salary improperly and then approves the incorrect payroll amount, with nobody else in the loop.
Which access combinations conflict varies by department and can be organization-specific. Start from best-practice control sets, then confirm the SOD conflicts that matter with your internal audit department. If you're running Oracle's PeopleSoft solution, Sentinel Software delivers a full set of best practice controls with the application platform. View our list of sample audit controls to monitor here.
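The compensation conflict above is one instance of a general check: expand each user's roles into the business capabilities they grant, then test whether any single account holds both halves of a forbidden pair. The script below is an added example written for this page; it is not Sentinel's product or PeopleSoft code. The role names, the capability mapping, the two SOD rules and the user assignments are constructed for illustration, and in a real ERP you would load the assignments from the security tables and take the rules from your internal audit department.

```python
"""Segregation-of-duties (SOD) conflict check over user/role assignments.

Added example, not code from the page or from Sentinel Software. Role names,
conflict rules and user assignments below are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Constructed assumption: which roles grant which business capabilities.
ROLE_CAPABILITIES = {
    "HR_COMP_ADMIN": {"define_salary_grade"},
    "PAYROLL_CONFIRM": {"confirm_payroll"},
    "AP_VENDOR_MAINT": {"create_vendor"},
    "AP_PAYMENT": {"approve_payment"},
    "GL_VIEWER": {"view_ledger"},
}

# Constructed SOD rules: pairs of capabilities one person must never hold together.
SOD_RULES = {
    ("define_salary_grade", "confirm_payroll"): "Compensation: set salary grade and confirm payroll",
    ("create_vendor", "approve_payment"): "Accounts payable: create vendor and approve payment",
}


def capabilities_for(roles, role_caps=ROLE_CAPABILITIES):
    """Expand a user's roles into the set of capabilities they grant.
    Unknown roles contribute nothing rather than raising, so a report can
    still be produced when the role catalogue is incomplete."""
    caps = set()
    for role in roles:
        caps |= role_caps.get(role, set())
    return caps


def find_sod_conflicts(user_roles, role_caps=ROLE_CAPABILITIES, rules=SOD_RULES):
    """Detective control. Returns {user: [(rule_description, (cap_a, cap_b)), ...]}
    for every user whose combined roles violate a rule. Each capability is
    harmless on its own; the combination in one account is the conflict."""
    conflicts = defaultdict(list)
    for user, roles in user_roles.items():
        caps = capabilities_for(roles, role_caps)
        for (a, b), desc in rules.items():
            if a in caps and b in caps:
                conflicts[user].append((desc, (a, b)))
    return dict(conflicts)


def conflicting_role_pairs(role_caps=ROLE_CAPABILITIES, rules=SOD_RULES):
    """Preventive view: which pairs of roles must never be co-assigned.
    Feed this into provisioning so the conflict is blocked at grant time
    instead of being found at the next audit."""
    pairs = set()
    for r1, r2 in combinations(sorted(role_caps), 2):
        caps = role_caps[r1] | role_caps[r2]
        if any(a in caps and b in caps for a, b in rules):
            pairs.add((r1, r2))
    return pairs


# Constructed sample assignments (not real accounts).
SAMPLE_USER_ROLES = {
    "alice": ["HR_COMP_ADMIN", "GL_VIEWER"],
    "bob": ["HR_COMP_ADMIN", "PAYROLL_CONFIRM"],            # compensation conflict
    "carol": ["AP_VENDOR_MAINT", "AP_PAYMENT", "GL_VIEWER"],  # AP conflict
    "dave": ["PAYROLL_CONFIRM"],
}

if __name__ == "__main__":
    for user, found in sorted(find_sod_conflicts(SAMPLE_USER_ROLES).items()):
        for desc, caps in found:
            print(f"{user}: {desc} via {caps}")
    print("Role pairs that must never be co-assigned:", sorted(conflicting_role_pairs()))
```

Keeping the rules at the capability level rather than the role level matters in practice: roles get renamed, split and merged, and a rule written as "HR_COMP_ADMIN must not be combined with PAYROLL_CONFIRM" silently stops matching after the next role redesign, while "define salary grade must not be combined with confirm payroll" still does.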
3. *PART ONE* Disable Terminated / Inactive Employee Accounts
This tip and the next one together form a two-step process.
A firm should always have a set procedure for disabling or locking user accounts when an employee is terminated or goes on leave. It is often a standard part of the HR termination process to notify IT of an employee's termination or change of status. Even the most trustworthy ex-employee is an ERP security risk if their account still works, and so is anyone who later obtains that employee's credentials. Always lock or disable the account immediately upon departure, and apply the same treatment to accounts that have gone unused for an extended period.
4. *PART TWO* Revoke Privileges for Terminated / Inactive Employee Accounts
Simply locking or disabling an inactive account is not enough to protect your network. Step two of the process is removing the roles and privileges attached to the user's profile, known as deprovisioning. If the account is later re-enabled, for example because the employee is rehired into a different position or an administrator unlocks it by mistake, the old roles otherwise come straight back with it. Deprovisioning is equally important for temporary employees and contractors.
For organizations running PeopleSoft, Sentinel provides an automated solution to save time deprovisioning and remediating access for terminated and inactive user accounts.
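The two steps above, and the gap between them, can be expressed as code. The example below is added for this page and is not Sentinel's automated solution or PeopleSoft code: it locks an account, strips its roles while recording what was removed, and then runs a detective check that reports accounts HR says are terminated but are still enabled, accounts that were locked but still hold roles (step one done, step two skipped), and enabled accounts nobody has used for 90 days. The account record layout, the HR termination feed, the 90-day threshold and all user data are constructed assumptions.

```python
"""Two-step offboarding (lock, then deprovision) with a detective check.

Added example, not Sentinel's product or PeopleSoft code. The account layout,
the HR feed and the sample users are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    user_id: str
    roles: set = field(default_factory=set)
    locked: bool = False
    last_login: Optional[date] = None
    audit: list = field(default_factory=list)  # (action, detail) trail


def lock_account(acct: Account, reason: str) -> None:
    """Step one: the user can no longer sign in. Roles are untouched."""
    if not acct.locked:
        acct.locked = True
        acct.audit.append(("lock", reason))


def deprovision_account(acct: Account, reason: str) -> set:
    """Step two: strip every role. The removed set is written to the audit
    trail so access can be rebuilt deliberately (never automatically) on rehire."""
    removed = set(acct.roles)
    acct.roles.clear()
    acct.audit.append(("deprovision", f"{reason}; removed={sorted(removed)}"))
    return removed


def offboard(acct: Account, reason: str) -> set:
    """Both steps in order; returns the roles that were removed."""
    lock_account(acct, reason)
    return deprovision_account(acct, reason)


def find_offboarding_gaps(accounts: dict, terminated_ids: set, today: date,
                          inactive_days: int = 90) -> dict:
    """Detective control to run on a schedule. Flags:
      active_terminated: HR says gone, account still enabled
      locked_with_roles: locked but never deprovisioned
      stale_active:      enabled, but no login within `inactive_days`
    """
    gaps = {"active_terminated": [], "locked_with_roles": [], "stale_active": []}
    cutoff = today - timedelta(days=inactive_days)
    for uid, acct in accounts.items():
        if uid in terminated_ids and not acct.locked:
            gaps["active_terminated"].append(uid)
        if acct.locked and acct.roles:
            gaps["locked_with_roles"].append(uid)
        if not acct.locked and acct.last_login is not None and acct.last_login < cutoff:
            gaps["stale_active"].append(uid)
    return {k: sorted(v) for k, v in gaps.items()}


# Constructed sample data (not real accounts or an actual HR feed).
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = {
    "alice": Account("alice", {"GL_VIEWER"}, last_login=date(2024, 6, 28)),
    "bob": Account("bob", {"HR_COMP_ADMIN", "PAYROLL_CONFIRM"}, last_login=date(2024, 5, 1)),
    "carol": Account("carol", {"AP_PAYMENT"}, locked=True, last_login=date(2024, 2, 1)),
    "dave": Account("dave", {"GL_VIEWER"}, last_login=date(2024, 1, 15)),
    "temp1": Account("temp1", {"AP_VENDOR_MAINT"}, last_login=date(2024, 6, 29)),
}
HR_TERMINATED = {"bob", "temp1"}  # constructed HR termination feed

if __name__ == "__main__":
    print("before:", find_offboarding_gaps(SAMPLE_ACCOUNTS, HR_TERMINATED, TODAY))
    for uid in sorted(HR_TERMINATED):
        offboard(SAMPLE_ACCOUNTS[uid], "HR termination feed")
    deprovision_account(SAMPLE_ACCOUNTS["carol"], "locked account still held roles")
    print("after: ", find_offboarding_gaps(SAMPLE_ACCOUNTS, HR_TERMINATED, TODAY))
```

Run against the constructed data, the first report lists bob and temp1 as terminated but enabled, carol as locked but still holding a role, and dave as enabled but unused since January; after the offboarding calls only dave remains, which is the case the next access review has to decide on. The important design point is that the detective check reads the HR feed independently of whatever the termination workflow did, so a missed notification shows up as a finding instead of staying invisible.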
5. User Administration
This one may seem obvious, but adequate user administration is an essential component of ERP security. It is an ongoing practice that takes time and training to do correctly. ERP systems are built on layers of complex security data (in PeopleSoft terms, roles, permission lists, and the objects they grant), which makes the administrator's job a challenge. Adding new users or modifying existing accounts should always be done with care and attention. Taking shortcuts, such as cloning an existing user when you are unsure what privileges that user actually holds, is a common way to grant the wrong access: the clone inherits every role of the template, including any that were added for a one-off task and never removed.
6. Access Reviews (Management-Level)
Managers also play a vital role in ERP security. Conduct access reviews for every member of your team on a regular schedule, not as a one-off. Leaders need full visibility into their staff's access levels in order to spot discrepancies, such as roles left over from a previous position or access broader than the job requires. Sentinel provides clients with the ability to complete PeopleSoft access reviews online and in real time. Not only does this simplify the review process, but it can save time and money across multiple departments.
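A useful review presents a manager with decisions rather than a raw role dump. The script below is an added example for this page, not Sentinel's review product: for each manager it compares every report's current roles with the roles certified at the last review, lists what was added (must be certified) and removed (informational), and flags roles that nobody else on the same team holds, which is how leftover access from a previous position, or roles picked up through careless cloning, tends to surface. The org chart, role assignments and prior certification snapshot are constructed.

```python
"""Manager access review: changes since last certification plus peer-group outliers.

Added example, not Sentinel's review product or PeopleSoft code. The org chart,
the current role assignments and the prior certification are constructed.
"""
from collections import Counter


def build_review(org, current, certified):
    """org: {manager: [report_ids]}; current/certified: {user: set(roles)}.
    Returns {manager: {user: {"added": [...], "removed": [...], "outliers": [...]}}}.
    A user absent from `certified` has never been reviewed, so every current
    role counts as added."""
    review = {}
    for manager, reports in org.items():
        # How many people on this team hold each role; an outlier is held by one.
        team_counts = Counter(r for u in reports for r in current.get(u, set()))
        items = {}
        for u in reports:
            now = current.get(u, set())
            before = certified.get(u, set())
            outliers = sorted(r for r in now if len(reports) > 1 and team_counts[r] == 1)
            items[u] = {
                "added": sorted(now - before),
                "removed": sorted(before - now),
                "outliers": outliers,
            }
        review[manager] = items
    return review


def needs_attention(review):
    """Flatten the review into (manager, user, reason, role) decisions the
    manager must act on. Removed roles are not included: losing access needs
    no certification."""
    flagged = []
    for manager, items in review.items():
        for u, d in items.items():
            for r in d["added"]:
                flagged.append((manager, u, "added since last certification", r))
            for r in d["outliers"]:
                flagged.append((manager, u, "nobody else on the team holds this", r))
    return sorted(flagged)


# Constructed sample data. carol transferred from HR to finance and kept
# HR_COMP_ADMIN; erin has never been through a review.
SAMPLE_ORG = {"mgr_finance": ["alice", "bob", "carol"], "mgr_hr": ["erin"]}
SAMPLE_CURRENT = {
    "alice": {"GL_VIEWER"},
    "bob": {"GL_VIEWER", "AP_PAYMENT"},
    "carol": {"GL_VIEWER", "HR_COMP_ADMIN"},
    "erin": {"HR_COMP_ADMIN"},
}
SAMPLE_CERTIFIED = {
    "alice": {"GL_VIEWER"},
    "bob": {"GL_VIEWER", "AP_PAYMENT", "AP_VENDOR_MAINT"},
    "carol": {"GL_VIEWER"},
}

if __name__ == "__main__":
    for item in needs_attention(build_review(SAMPLE_ORG, SAMPLE_CURRENT, SAMPLE_CERTIFIED)):
        print("%-12s %-6s %-35s %s" % item)
```

On the constructed data the finance manager is asked to certify carol's HR_COMP_ADMIN twice over (it is new since the last review and nobody else in finance has it) and to confirm that bob alone holding AP_PAYMENT is intended; erin's entire access is presented because she has never been certified. The peer-group test is deliberately crude (a role held by exactly one person on a team of two or more) and will produce noise on small teams, but it is the check that catches the transfer-and-keep-old-roles pattern that a plain "approve everything" review never does.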