Investing in an ERP is vital for a business in the digital world. However, increased digitalisation gives rise to the threat of cyber-attacks, especially in the context of cyberspace, which is considered “the largest unregulated and uncontrolled domain in the history of mankind”. The role of business data protection is now more urgent and imperative than ever.
After years of development, ERP software has become more complex and flexible, with various functions integrated and even the capability to connect with more devices, which has increased the number of security risks. Without proper security protection, an ERP system may be exposed to cybercriminals, putting your company’s confidential information, such as financial records, sensitive product and customer information, and human resource data, at risk of being leaked or lost.
In this article, we address the most common ERP security concerns and the suggested precautions that SMEs should know about to fully protect their business.
First and foremost, let’s take a brief look at some facts and figures on cyber threats.
In recent years, data breaches and hacks have increased in scale and severity, and caused significant losses to many organizations. Below are some of the reported statistics on cybercrimes:
- In 2017, almost 40 percent of the 146 cyber attacks reported to the Singapore Computer Emergency Response Team (SingCERT) involved businesses, particularly SMEs, and most of the cases involved phishing attacks and ransomware. (the CSA of Singapore)
- In July this year, it was reported that hackers stole the information of over 1.5 million SingHealth patients. This is considered Singapore’s worst cyber-attack. (The Straits Times)
- 41 percent of companies have over 1,000 sensitive files including credit card numbers and health records left unprotected. (Varonis)
- The average cost of a malware attack on a company is S$3.3 million. (Accenture)
Many SMEs underestimated the importance of security protection and had not allocated enough resources or set up cybersecurity best practices when the cyber incidents occurred.
Here are the most common solutions for business security issues that you should pay attention to:
- Update ERP software frequently
Most software updates are delayed or ignored because users do not see the need to upgrade. Although most software providers continuously improve their ERP systems with better features and security enhancements, 66% of companies are not running the most current version of their ERP system. Without the required updates, ERP servers and browsers may not receive the maximum protection, which leaves the system susceptible to hackers.
SOLUTION: Check with your ERP vendors for monthly system updates and make sure that your company is using the latest version.
- Assign an ERP System Admin
SMEs usually do not have specialised IT or system administration teams and as a result, the responsibility to track and investigate suspicious activity in the system is shared among all users. It is possible that suspicious activities may not be identified or tracked until your data is lost.
SOLUTION: Assign your IT team (if any) or a person-in-charge to keep track of system logs, identify suspicious activity and make timely announcements. You can consult your ERP vendor for training and to come up with a suitable arrangement.
- Develop an Effective Recovery Plan
Most companies have a recovery plan to back up important data. However, how often is it checked for validity and feasibility? Having a clear plan of action to retrieve business data is crucial to prevent operational interruptions. Potential threats should be listed and analysed so that possible solutions can be taken into account. For instance, if your server is attacked and shut down, will you have a transition plan to fall back on?
SOLUTION: Work with your ERP provider (and IT team), who understand your company’s requirements, to develop a thorough recovery plan.
- Create a Strong Protection against Ransomware/ Malware
According to Symantec’s 2018 Internet Security Threat Report (ISTR), 1 in 13 web requests leads to malware. In 2017, about 23,000 phishing URLs with a Singapore link were discovered, with the intention to steal personal information including passwords and credit card details. (Cyber Security Agency of Singapore, CSA) Your ERP users may unknowingly open malicious attachments or click on dangerous advertising links, exposing your system to harmful software.
– Check for frequent updates and guidelines from CSA to be aware of new threats and take timely precautions.
– Conduct regular training on internet security so that all staff are aware of basic security protection practices, such as creating strong passwords and identifying suspicious emails and URLs.
- Reduce Internal Human Errors
While most of the limelight is focused on external threats, sometimes, the risk may come from your organisation internally. SMEs may have more lenient regulations than MNCs, such as allowing regular employees to access the whole system database, or use their mobile devices at work with no security restrictions. Consequently, your staff may share sensitive data through their devices unintentionally or provide chances for hackers to reach your system more easily.
– Set up regular password changes for your staff.
– Create organisational policies to avoid the use of personal devices during working hours.
– Follow the Segregation of Duties framework, which ensures no employee has the right to both create and approve a transaction.
– Review user rights and permissions regularly to ensure that company data is protected and only available to staff who need it.
- Avoid the Loss of Data Control
A common scenario that businesses face is management software that lacks functionality for reporting or analysing data. Instead of having data analysed right within your online system, users may have to use tools such as Excel or Access to process the extracted data. As a result, some of your critical information is stored outside the main system, where it is challenging to control and locate. Without a consolidated management system, it is more difficult to conduct system backups. Additionally, your business data will be more vulnerable to cyber threats, as Microsoft Office formats, such as Word, PowerPoint, and Excel, make up the most prevalent group of malicious file extensions at 38 percent of the total. (Cisco 2018 Annual Cyber Security Report)
SOLUTION: Discuss an integration option with your ERP vendor to better control and manage data. If there is no better option, you should be open to exploring other software providers who offer superior ERP features for your business.
It is important to be aware of the probability and severity of cyber threats. However, instead of being afraid to acquire advanced technology due to security threats, a wiser option is to select a good ERP solution and take proactive safeguards to take your business to a higher level in the Information Age.
We always suggest that you consult ERP experts and research software providers carefully beforehand. An experienced ERP provider can help you to foresee security issues, propose precautionary measures and handle any incidents swiftly. Besides that, we also suggest you keep yourself up to date with regard to worldwide ERP system developments and cybersecurity news.
If you are keen to find out more, drop us a message and our knowledgeable Synergix ERP advisor will gladly answer your queries about ERP software.