In a recent conversation we were discussing how secure our ERP system was, given all the wonderful layers we had in place: role-based, operator and group security, including restricted access at company, program, feature and field level, not to mention electronic signatures, encrypted passwords and workflow controls.
However, while an ERP system can provide all the necessary security controls to ensure that users are only able to access the areas that they are authorised for, the same cannot necessarily be said for the physical storage of the data generated by the ERP.
There are a number of other areas around your ERP system, where security needs to be taken into consideration.
- Data Storage - one of the key areas is the access control that is placed on the location of the data. Permissions should only be granted to users that need it, as well as only to the areas that are needed by the individual.
- Data Access - the use of third-party products needs to be looked at closely. Which areas of the data does the application need access to, and what controls are built into the application to preserve the restrictions that have been set up in the ERP?
- Web-based applications - what are the risks involved if the site is compromised? How is the application protected? Is the communication between the client browser and the application secured?
- Password encryption - while passwords may be masked on screen when entered into the ERP, are they stored in a protected (hashed or encrypted) format? Are the passwords sent from the client application to the server over an encrypted connection? Have the requirements for strong passwords and regular password changes been enforced?
- Data analysis and reporting - has the same level of security been placed on access to this data as is in place in the ERP itself?
- Network security - how is the organisation connected to the Internet? Is there enough security in place to stop unauthorised access from unknown external users to the network?
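The password questions in the list above come down to three checks: that a stored credential cannot be read back even by someone with access to the database, that a password policy is actually enforced, and that a password's age is tracked so regular changes can be required. The block below is an added example, not code from the original post or from any particular ERP product; it stores passwords as salted PBKDF2-HMAC-SHA256 hashes (the standard practice the "encrypted format" question is pointing at, since a one-way hash cannot be decrypted), checks a simple strength policy, and flags passwords older than a maximum age. The iteration count, salt size, policy thresholds and record layout are assumptions chosen for this example; protecting the client-to-server channel (TLS) is a separate matter not shown here.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Assumed parameters for this example: a slow, salted key-derivation function
# so that a leaked credential table cannot be reversed or brute-forced cheaply.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90


def password_meets_policy(password: str) -> bool:
    """Strong-password check: minimum length plus at least three character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    A fresh random salt means two users with the same password get different
    records, so a cracked hash never reveals anyone else's password.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def password_expired(changed_at: datetime, now: datetime) -> bool:
    """True when the password is older than the maximum age the policy allows."""
    return now - changed_at > timedelta(days=MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    pw = "Correct-Horse-7"
    print("meets policy:", password_meets_policy(pw))
    rec = hash_password(pw)
    print("stored record:", rec)
    print("verify correct:", verify_password(pw, rec))
    print("verify wrong:", verify_password("correct-horse-7", rec))
    last_changed = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("expired by June:", password_expired(last_changed, datetime(2024, 6, 1, tzinfo=timezone.utc)))
```

The record format carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed at next login without a migration of the whole table.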
While the above areas are all IT related, there is also the human factor to consider. One of the single biggest risks to this data is the company's very own staff. They have access to most of the information and data at a company. Yet a concerning number of companies do not have security procedures in place to remove user names, passwords and network access when an employee resigns or is dismissed. The human factor is an important element in successfully securing a company. As far as possible, security policies need to be automated.
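One way to automate the offboarding control described above is to reconcile the HR roster against the accounts that exist in each system and disable anything whose owner has left, or who HR has no record of at all. The block below is an added example, not code from the original post or from any ERP vendor; the roster, account list, system names and the service-account exemption are constructed for illustration, and a real deployment would pull them from the HR system and from each platform's directory instead.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    username: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # None while still employed


@dataclass
class Account:
    username: str
    system: str                       # e.g. "erp", "network", "fileshare"
    enabled: bool


# Constructed sample data for this example (not real people or systems).
HR_ROSTER: List[HrRecord] = [
    HrRecord("E001", "alice", "active", None),
    HrRecord("E002", "bob", "terminated", date(2024, 5, 31)),
    HrRecord("E003", "carol", "active", None),
]

ACCOUNTS: List[Account] = [
    Account("alice", "erp", True),
    Account("alice", "network", True),
    Account("bob", "erp", True),          # left the company but still enabled
    Account("bob", "fileshare", True),
    Account("carol", "erp", True),
    Account("dave", "network", True),     # no HR record at all: an orphan
    Account("svc_backup", "fileshare", True),  # service account, deliberately exempt
]

# Service accounts have no HR owner; list them explicitly rather than
# letting the reconciliation silently skip anything it cannot match.
EXEMPT_ACCOUNTS: FrozenSet[str] = frozenset({"svc_backup"})


def find_stale_accounts(
    roster: List[HrRecord],
    accounts: List[Account],
    exempt: FrozenSet[str] = EXEMPT_ACCOUNTS,
) -> List[Tuple[str, str, str]]:
    """Return (username, system, reason) for every enabled account that should be disabled.

    Reasons are "terminated" (HR says the person has left) or "no HR record"
    (nobody in HR owns this account), so each action is explainable to an auditor.
    """
    active = {r.username for r in roster if r.status == "active"}
    known = {r.username for r in roster}
    stale = []
    for a in accounts:
        if not a.enabled or a.username in exempt or a.username in active:
            continue
        reason = "terminated" if a.username in known else "no HR record"
        stale.append((a.username, a.system, reason))
    return sorted(stale)


def disable_accounts(accounts: List[Account], stale: List[Tuple[str, str, str]]) -> int:
    """Disable the flagged accounts in place; return how many were changed."""
    targets = {(u, s) for u, s, _ in stale}
    changed = 0
    for a in accounts:
        if (a.username, a.system) in targets and a.enabled:
            a.enabled = False
            changed += 1
    return changed


if __name__ == "__main__":
    stale = find_stale_accounts(HR_ROSTER, ACCOUNTS)
    for username, system, reason in stale:
        print(f"disable {username} on {system}: {reason}")
    print("accounts disabled:", disable_accounts(ACCOUNTS, stale))
```

Running the reconciliation on a schedule, and treating an unmatched account as a finding rather than ignoring it, is what turns the policy in the paragraph above from a procedure someone has to remember into a control that runs whether or not anyone remembers.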
Another aspect to this is how employees store data. They may use their local drives instead of network storage. They may even be using flash drives to share content. More recently, cloud-based solutions such as Google, SkyDrive and DropBox are being used to share sensitive information because of their convenience. People have to be educated about the risks inherent in using these devices and platforms.
Then there is the case of ownership, responsibility and decisions. The IT department cannot be responsible for making the final decisions as they may not have a full understanding of the business strategy. In the past, IT owned the technology and the systems. Today, these responsibilities must reside with C-level executives. Security has become an important part of the strategy of a business.
Now, more than ever, strategy, company policies and staff education are vital to protecting intellectual capital. Businesses cannot just rely on the security of their ERP system; they need to take responsibility for their own data security and for deciding to what extent they want to impose and enforce security policies and parameters to mitigate risk.