by Debbie Wilson | February 16, 2019 | Comments Off on “Being Basic Isn’t All Bad” by Patrick Long
The cloud is a great piece of technology: it cuts down on infrastructure and allows people to work from almost anywhere. ERP systems are moving to the SaaS and IaaS models because a server in the cloud is easier to manage (who wants to do the physical upkeep when someone else can do it for you?). But ERP systems hold some of the most valuable information a company possesses, if not the most valuable. And depending on the employee's role, an ERP account may be the keys to the kingdom. According to a recent Gartner survey, 47% of respondents whose security spending was driven by security risks cited insider threats as a primary concern [1].
At first glance, and to those who work with ERP every day, this data is just the day-to-day numbers and names of the job. The further it travels from that context, however, the more valuable it becomes. If an employee quits or is fired, that data could later be used as leverage to get former clients to "jump ship" by undercutting prices and perks. Left active, ERP access can be used to change routing information for paychecks, leaving employees unpaid and unhappy and your reputation in ruins.
But can that doom and gloom be avoided? Of course!
The first basic security task is to turn on and use the controls that your instance of ERP already comes equipped with. You already pay for them, so you might as well get the most "bang for your buck". Next, use comprehensive logging for the ERP system. Every time anything or anyone touches that system, it needs to be recorded and analyzed to make sure it fits normal patterns (this will come more into play shortly). Following that, make sure all access to the ERP is either done on-premises or through a VPN, which severely cuts down on who can even attempt to reach your systems. Note that the VPN only narrows the attacker's path if VPN accounts are themselves managed as tightly as ERP accounts; the example in the next paragraph shows what happens when they are not.
Last, but certainly not least, is a basic deprovisioning procedure. This one may seem like common sense, but it tends to get taken for granted. I've personally seen instances where employees left an organization on good terms and attempted to take company information that they, themselves, had contributed to. It was their attempt to have a leg up at their new place of employment. This happened only an hour after they had officially departed from the organization and was facilitated by accessing the ERP system via the company's VPN, which they still had access to. Since the employees were well-respected and not deemed a threat, the deprovisioning was not taken as seriously as it would have been for an employee who had been terminated. But at the end of the day, is there really a difference? An employee who left on good terms is the same as an employee who left on bad terms in that they are both FORMER employees. (Luckily, the logging was comprehensive and verbose, leading to the employees being caught.)
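The two basics above, comprehensive logging that is actually analyzed and deprovisioning driven by HR facts rather than by who is "deemed a threat", can be reduced to a small amount of code. The following is an added example, not code from the original post or from any ERP vendor. It assumes a constructed syslog-like log format (`<ISO-8601 UTC timestamp> <system> key=value ...`), a constructed HR roster mapping usernames to official departure times, and a constructed export of accounts still enabled in the ERP; all sample data is made up for the example. One check replays VPN and ERP log lines against the roster and flags any event after a user's departure (including failed attempts, which are worth knowing about); the other lists accounts that are still enabled although the user has left.

```python
"""Added example: insider-threat checks for ERP/VPN logs against an HR roster.

Everything below (log format, roster, account export, log lines) is constructed
for illustration and is not taken from any real system.
"""
from datetime import datetime, timedelta, timezone

# Constructed HR roster: username -> official departure time (UTC).
# Current employees are simply absent from this mapping.
HR_ROSTER = {
    "jdoe": datetime(2019, 2, 8, 17, 0, tzinfo=timezone.utc),  # left on good terms
    "rlee": datetime(2019, 2, 1, 12, 0, tzinfo=timezone.utc),  # terminated
}

# Constructed export of accounts still enabled in the ERP at review time.
ERP_ENABLED_ACCOUNTS = {"jdoe", "asmith", "rlee"}

# Constructed review time for the deprovisioning check.
REVIEW_TIME = datetime(2019, 2, 9, 9, 0, tzinfo=timezone.utc)

# Constructed VPN and ERP log lines in the assumed format.
LOG_LINES = [
    "2019-02-01T09:14:02Z erp user=rlee action=view object=purchase_orders result=success",
    "2019-02-08T16:40:55Z erp user=jdoe action=view object=customer_accounts result=success",
    "2019-02-08T17:52:10Z vpn user=jdoe src=203.0.113.7 action=connect result=success",
    "2019-02-08T18:05:33Z erp user=jdoe action=export object=customer_pricing rows=4120 result=success",
    "2019-02-08T18:07:41Z erp user=asmith action=update object=payroll_routing result=success",
    "2019-02-09T08:00:12Z vpn user=rlee src=198.51.100.23 action=connect result=failure",
]


def parse_event(line):
    """Parse one log line into a dict with a timezone-aware 'ts' and a 'system'.

    Returns None for lines that do not match the assumed format so that one
    stray line cannot abort the whole review.
    """
    parts = line.split()
    if len(parts) < 3 or "=" in parts[1]:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts, "system": parts[1]}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:
            event[key] = value
    return event


def find_post_departure_access(log_lines, roster, grace=timedelta(0)):
    """Return every VPN or ERP event by a user after their official departure.

    Successes and failures are both reported: a failed VPN login from a former
    employee still tells you the account was never disabled. 'grace' allows a
    deprovisioning window if the organization tolerates one.
    """
    findings = []
    for line in log_lines:
        event = parse_event(line)
        if event is None or "user" not in event:
            continue
        departed = roster.get(event["user"])
        if departed is None or event["ts"] <= departed + grace:
            continue
        findings.append({
            "user": event["user"],
            "system": event["system"],
            "action": event.get("action", "?"),
            "result": event.get("result", "?"),
            "ts": event["ts"],
            "minutes_after_departure": int((event["ts"] - departed).total_seconds() // 60),
        })
    return findings


def stale_accounts(enabled_accounts, roster, now):
    """Return accounts still enabled although the user's departure time has passed.

    This is the deprovisioning check itself, driven by the HR roster rather than
    by whether someone is 'deemed a threat'.
    """
    return sorted(u for u in enabled_accounts if u in roster and roster[u] <= now)


if __name__ == "__main__":
    for f in find_post_departure_access(LOG_LINES, HR_ROSTER):
        print(f"ALERT {f['ts']:%Y-%m-%d %H:%M}Z {f['user']} {f['system']} "
              f"{f['action']} ({f['result']}), {f['minutes_after_departure']} min after departure")
    print("Still enabled after departure:",
          stale_accounts(ERP_ENABLED_ACCOUNTS, HR_ROSTER, REVIEW_TIME))
```

Run against the constructed data, the first check flags jdoe's VPN login 52 minutes after departure and the customer-pricing export shortly after, and also rlee's failed VPN attempt eight days after termination; the second check reports both departed users as still enabled. The departure time has to come from HR, not from the team that liked the person, which is the whole point of the story above.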
Regardless of where your ERP systems reside, treat them with the value and protection they deserve. And remember: basic is better than bankrupt.
[1] Gartner, "Survey Analysis: Trends in End-User Security Spending, 2018", https://www.gartner.com/document/3865407
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.