Data security in an age of connectivity and data openness

In the field of ERP solutions, data security has become a growing area of concern.

With the proliferation of online systems, the threat of hackers accessing and making public your company’s private information is a genuine concern. Not only is it a source of public embarrassment, but your company also faces the potential liability of a detrimental court case. Attackers' tactics include phishing emails, ransomware, keyloggers, fake WAPs (wireless access points), bait and switch, eavesdropping, Trojan horses, and many more. Faced with this myriad of methods, how does one protect their company’s reputation from data breaches and other embarrassing and damaging hacker attacks?



Recommendations:

1. Select your ERP vendor and system carefully

When you select an ERP vendor, ask them what security policies are in place.

Can they give you SSL (Secure Sockets Layer) certification and 2FA (two-factor authentication) logins for your web portal? Can they provide a firewall? Will they do a vulnerability assessment and penetration testing? What are their procedures for data migration? Can they ensure that data will not be compromised during the migration? Will data be encrypted when stored? Will the data on the backup site also be encrypted? What is their history of data security with projects?

If you intend for your data to be hosted, we highly recommend that you host it on a secure platform with globally and locally recognised security compliance. Of course, securing data will increase the cost of the system, so you need to decide how much a data breach would cost your company and match that with data security systems and protocols.

2. Open Source or Closed Source Software

Another thing you must decide is whether to use open source or closed source software. In closed source software, the software’s source code is not publicly available. Examples of this are SAP, Microsoft and Oracle. 

In open-source software, the source code is made publicly available. Traditionally, it was thought that closed source software was generally safer from data breaches because the source code has not been made public. However, open-source software has a larger community of users and programmers who find faults and can put up patches, which, over time, makes the software more secure.

Right now, I believe that both closed and open-source software have a decent level of data security that can be used for the modern enterprise. Still, it pays to go with a reputable name, and if you plan to use open-source software, I would recommend one with a long history, so weak points and flaws can be ironed out. 

3. Define User Access Properly 

Software aside, your data security can be sabotaged by poorly defined user access rights. Decide who should get which right. If your policy is too loose, work with your software vendor to tighten it up. 

Data access rights should also be divided into at least three categories: read-only, export-permitted and full access (including editing). Give only what is needed, and always make sure the access log is recording.

4. Implementing the System

When implementing a system, your company is vulnerable to data breaches. To give you a metaphor, this is like a hermit crab moving from a smaller shell to a larger, better one. Moving is a moment of vulnerability where the crab (your data) is essentially shell-less.

We recommend that you not only have an NDA (Non-Disclosure Agreement) with your vendor but also monitor the data migration process to ensure that, once data has been exported and migrated into the new system, the exported CSV or Excel file is deleted and the recycle bin emptied. We also recommend that your UAT data not be stored on your vendor’s server but erased, to eliminate the possibility of data exposure to other parties.
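One way to check that the exported files really are gone after migration, as an added example that is not from the original article or any vendor's tooling: record a SHA-256 digest of each export when it is created, then sweep the staging and recycle-bin folders for byte-identical copies (found even if renamed) and for other spreadsheet-type files to review by hand. The folder and file names are constructed for the demonstration.

```python
import hashlib, os, tempfile

EXPORT_EXTS = {".csv", ".xls", ".xlsx"}  # file types the migration step mentions

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_manifest(export_paths):
    """At export time: remember the digest of every file handed to the migration."""
    return {sha256_of(p): os.path.basename(p) for p in export_paths}

def find_leftovers(manifest, roots):
    """After migration: files under roots that are byte-identical to an export,
    plus other spreadsheet-type files (e.g. edited extracts) for manual review."""
    copies, review = [], []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if sha256_of(path) in manifest:
                    copies.append(path)
                elif os.path.splitext(name)[1].lower() in EXPORT_EXTS:
                    review.append(path)
    return sorted(copies), sorted(review)

def demo():
    """Constructed scenario: the export was deleted, but a renamed copy and a UAT extract remain."""
    base = tempfile.mkdtemp()
    staging, trash = os.path.join(base, "staging"), os.path.join(base, "trash")
    os.makedirs(staging)
    os.makedirs(trash)
    export = os.path.join(staging, "customers_export.csv")
    with open(export, "w") as f:
        f.write("id,name\n1,Example Pte Ltd\n")
    manifest = record_manifest([export])
    with open(os.path.join(trash, "renamed_copy.tmp"), "w") as f:  # same bytes, new name
        f.write("id,name\n1,Example Pte Ltd\n")
    with open(os.path.join(staging, "uat_extract.xlsx"), "w") as f:  # different content
        f.write("edited subset")
    os.remove(export)  # the original export was deleted as agreed
    copies, review = find_leftovers(manifest, [staging, trash])
    return [os.path.basename(p) for p in copies], [os.path.basename(p) for p in review]
```

An empty result from both lists is the evidence to ask for before signing off the migration.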

5. Define Company Data Ground Rules 

Set precise data handling ground rules and make sure your company’s staff are aware of and compliant with these rules. Rules can be as simple as ‘Don’t send data via email without first putting password encryption on the file. The password should be relayed to the recipient via another medium, such as over the phone.’

You can also have reminders to reset staff login credentials regularly with strong passwords to lower the risk of an overall security breach. Every company is different, so you have to decide with your management how you would like to set your ground rules, so your data is safe, but productivity doesn’t grind to a halt.

6. Review Systems and Audit

Make it a habit to review your company’s system in a regular audit. Doing this can help you find loopholes in your security, and getting a security consultant can help you see weaknesses you never imagined. You can also develop queries to help you monitor ERP data usage and set alerts for anomalies.
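The monitoring queries described here, combined with the three access categories from recommendation 3, as an added example that is not from the original article or any ERP product: two SQL queries run over an access log, one flagging actions a user's category does not permit, the other flagging export volumes far above that user's norm. The schema, user names and log rows are constructed, and the 5x threshold is an assumption to tune.

```python
import sqlite3

# Constructed sample data; all table, column and user names are hypothetical.
RIGHTS = [("alice", "read_only"), ("bob", "export_permitted"), ("carol", "full_access")]
ALLOWED = [  # which actions each access category permits
    ("read_only", "read"), ("export_permitted", "read"), ("export_permitted", "export"),
    ("full_access", "read"), ("full_access", "export"), ("full_access", "edit")]
LOG = [  # (day, user, action, rows_touched)
    ("2024-03-01", "bob", "export", 120),
    ("2024-03-02", "bob", "export", 90),
    ("2024-03-03", "bob", "export", 110),
    ("2024-03-04", "bob", "export", 4800),  # far above bob's usual volume
    ("2024-03-04", "alice", "read", 30),
    ("2024-03-04", "alice", "export", 15),  # alice is read-only
    ("2024-03-04", "bob", "edit", 2),       # bob may export but not edit
    ("2024-03-04", "carol", "edit", 5),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_rights(user TEXT PRIMARY KEY, level TEXT);
        CREATE TABLE allowed(level TEXT, action TEXT);
        CREATE TABLE access_log(day TEXT, user TEXT, action TEXT, rows_touched INTEGER);
    """)
    db.executemany("INSERT INTO user_rights VALUES (?,?)", RIGHTS)
    db.executemany("INSERT INTO allowed VALUES (?,?)", ALLOWED)
    db.executemany("INSERT INTO access_log VALUES (?,?,?,?)", LOG)
    return db

def rights_violations(db):
    """Logged actions the user's category does not allow (unknown users are flagged too)."""
    return db.execute("""
        SELECT l.day, l.user, l.action FROM access_log l
        LEFT JOIN user_rights r ON r.user = l.user
        LEFT JOIN allowed a ON a.level = r.level AND a.action = l.action
        WHERE a.action IS NULL ORDER BY l.day, l.user""").fetchall()

def export_spikes(db, factor=5):
    """Days on which a user exported more than factor x their average on other days."""
    return db.execute("""
        WITH daily AS (SELECT day, user, SUM(rows_touched) AS total FROM access_log
                       WHERE action = 'export' GROUP BY day, user)
        SELECT d.day, d.user, d.total FROM daily d
        WHERE d.total > ? * (SELECT AVG(o.total) FROM daily o
                             WHERE o.user = d.user AND o.day <> d.day)
        ORDER BY d.day, d.user""", (factor,)).fetchall()
```

A user with only one day of export history has no baseline, so the spike query stays silent for them and the rights check is what catches a first-time export by a read-only account.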

7. Update your software regularly

People often do not see the need to update their software, so most software updates are ignored. Many companies are not using the latest version of their ERP system. Without these updates, companies are not receiving the maximum protection for their data, which leaves them susceptible to hacking.

By John Ma
Software Consultant and Account Manager at Tigernix