8 ERP security best practices to implement now

On-premises vs. cloud ERP security

Understanding some of the unique factors affecting cloud ERP security versus on-premises ERP is vital. Believing that someone else, such as the SaaS vendor or managed security service provider, is responsible for an application's security if it's hosted in the cloud is a dangerous misconception. This is not the case, and every user, not just technical staff, must understand what's at stake.

Many cloud service providers have security add-ons for ERP monitoring and protection, but the reality is that no outsourced vendor will likely care as much about security as the company whose information is possibly at risk. In addition, the vendor may not understand how to meet a specific organization's requirements for a truly resilient ERP environment.

8 security best practices for ERP systems

Whether an ERP system is on premises or in the cloud, the following best practices can help mitigate common risks.

1. Implement multifactor authentication

Multifactor -- sometimes referred to as two-factor -- authentication (MFA) can be a valuable part of account security. Since most modern ERP systems are web-based, the risk of user credential exposures is often high. This is especially true because of the following factors:

• Personal login credentials are often comingled with business login credentials. If personal passwords are compromised in a data breach or malware infection, exposures can result and full credential pairs -- usernames and passwords -- can be posted online.
• The ERP system may not have intruder lockout enabled to prevent password cracking attacks.

Many ERP systems, both on-premises and cloud-based, support or include MFA as an option. Enable it across the board when possible, ideally via a mobile app or a token and not an SMS text message. Compromised credentials can expose critical business information, and two levels of authentication can mitigate that risk. Most employees are likely accustomed to two-factor authentication by now.

2. Require password best practices

Basic password complexity requirements can go a long way toward protecting user credentials. Some employees may chafe at strong password requirements, but they're necessary in today's world of threats and vulnerabilities.

If objections to password complexity continue, lengthen the amount of time before users must change their passwords -- for example, requiring a password change every six to 12 months rather than every 60 to 90 days, unless a password compromise is suspected.

Security teams should also try to get management on board with strong password policies and educate users on how to pick phrases that are easy to remember yet virtually impossible for an attacker to guess or crack. Make sure that the company is consistent in enforcing password policy across all ERP-related systems in which multiple logins are required.

3. Stay on top of software updates

Vulnerability and patch management are arguably the two most difficult aspects of an information security program. Still, a system missing several-years-old patches can be incredibly easy to compromise. Many companies' networks include workstations and servers that are not properly maintained, and missing software updates can facilitate malware infections and unauthorized remote access.

All it takes for full ERP exposure is a missing OS or application update or even poorly written code that allows for web vulnerabilities, such as a SQL injection. Patching or otherwise resolving code issues periodically and consistently is key.

4. Educate users now and in the future

Often there's an us vs. them feeling in the relationship between users and IT and security staff. Some users may assume technical staff are taking care of everything and that they can do whatever they please, since someone else will have a presumed safety net to catch them if they fall.

The security team should involve users in the security decision-making process and ask them what would work best from their perspective. Make them feel as if they are part of the team rather than outsiders who may make mistakes.

5. Create and build out an incident response plan

Few organizations possess well-documented and fleshed-out incident response plans. Without a proper incident response plan, everyone's scrambling when a security event actually occurs. Think of the who, what, where, when, why and how of responding to security incidents and breaches well in advance of them occurring.

Start with a base incident response template, then build it out and make improvements to the document, processes and tools over time.

6. Test, test and test again

Many organizations have yet to acknowledge the threats and vulnerabilities specifically affecting their ERP environment. From mobile devices to workstations to the ERP application and database itself, weak links are likely creating unnecessary security risks.

Move beyond policies and higher-level checklist audits and perform detailed vulnerability and penetration tests of the environment where possible. Make sure to look in all the right areas for flaws and weaknesses -- all hosts, all software, all people. Another good exercise is threat modeling, which can help identify threats and their origin. Security teams can ask their company's vendor for a copy of the vendor's latest vulnerability and penetration testing report if the security team doesn't have permission to test a cloud-based ERP system.

Reviewing the vendor's SOC 2 (System and Organization Controls 2) audit report should be the minimum action taken. The report will not highlight application-specific vulnerabilities but is a good first step for reviewing the vendor's security practices.

7. Monitor the system

Few companies are proactive about system logging, alerting and monitoring. Why? Because whether it's on premises or in the cloud, it's not easy and it's not cheap.

Many organizations implement their own security operations center and security incident and event management system in-house, and that can work well. However, that strategy can also create more of a burden for IT and security staff.

When in doubt, outsource this function. Cloud vendors may be conducting certain monitoring already or may offer it as an add-on option. Just make sure that someone is doing it and that the security team possesses the necessary visibility into their company's environment to minimize the impact of security incidents.

8. Create a plan for the future

The proven approach to running an effective information security program and supporting a resilient ERP environment, whether on premises or in the cloud, is to follow these steps:

• Know what's there. Be fully aware of all the functional parts of the ERP system, including the location of sensitive information and the various security controls in place to protect it.
• Understand how the system is at risk. Perform appropriate and adequate security testing like in-depth control audits and especially vulnerability and penetration testing. Periodic vulnerability scanning in between formal testing can also provide valuable insight.
• Do something about it. Implement the proper controls to eliminate or at least minimize the impact of identified threats and vulnerabilities. This includes both technical controls and soft controls involving areas such as user education, policies and incident response.

Diagnosis is half the cure, but IT and security teams must take the appropriate steps to fully mitigate the identified risks. Most organizations are deficient in one, if not all three, of the above areas. Unless and until each of these aspects of security has been properly addressed, an ERP environment is at risk.

Big improvements are possible. The most important step is to get started today before a crisis forces action.

Kevin Beaver is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With more than 30 years of experience in the industry, Kevin specializes in performing vulnerability and penetration tests as well as virtual CISO consulting work.