When business-sensitive data is hacked or leaked the consequences can be disastrous for an organisation. ERP (enterprise resource planning) systems can be particularly attractive targets for hackers because to a cybercriminal they look like honeypots of valuable data. Whether that data is customer credit card details, business financial data or intellectual property, if cybercriminals obtain it they can sell it on the underground economy. Other risks include hacktivism where groups will post sensitive customer data publicly to highlight security flaws, which can significantly impact a company’s reputation, or cyber-espionage whereby competitors obtain access to valuable intellectual property.
We believe industrial companies and manufacturers could be playing catch-up when it comes to security. Banks, government agencies and B2C retailers have long been at higher risk of attacks due to the nature of the data they hold and the regulations surrounding this data, but they are not the only targets. Research from internet security firm Symantec shows that attacks on smaller firms (those with less than 250 employees) now make up 43% of all attacks observed, and the manufacturing industry tops the table as recipients of malicious spam. Apart from the impact on customer operations and business reputation, it’s a company’s own legal responsibility to ensure that data is properly secured, encrypted and protected, with hefty legal fines (to say nothing of the loss of business) for non-compliance.
As hacking techniques continue to evolve in their sophistication, those responsible for protecting ERP systems have a plethora of issues to consider: are firewalls secure, are passwords complex enough, are systems regularly patched and updated and are staff adequately trained, so that cybercriminals can’t get in through the back door via a Trojan horse infected email? Many IT managers have been led to conclude maintaining on-premises ERP systems securely is a time-intensive and expensive challenge, and are looking into cloud-based alternatives in order to delegate application security responsibilities to a more qualified team.
In modern reality, security threats are mitigated when a company is hosting ERP in the cloud as opposed to on premises. Vendors entrusted with ERP business information maintain highly secure datacentres, protected 24 hours a day, 365 days a year. They invest in the latest intrusion detection systems, have fully trained expert staff, and take on the responsibility of keeping data secure, encrypted and protected.
However, there are several considerations organisations must be aware of when moving ERP systems to the cloud:
- Is cloud right for you? It may be that your business is comfortable with the security measures, back-up, patching and upgrades programme it currently employs, and that fixed and mobile security are both equally considered.
- Verify the security steps that your cloud ERP vendor deploys. Do they encrypt data while in transit, provide intrusion detection systems and hire certified and background checked employees? Is the vendor audited by an independent review organization? Are they able to provide transparency into their policies and processes?
- Check the regulatory requirements pertinent to your business and the geographies you operate in, and ensure that any PII (personal identifiable information) or other sensitive data will be well protected by an ERP vendor which has proven security experience and can demonstrate best practices in systems management procedure.
- Hacks and data leaks can often stem from a lack of employee understanding or vigilance, whether that’s around your security processes or the implementation of systems.Remember that while business growth is to be celebrated, with growing numbers of users comes a growing risk that someone is going to do something careless. Education is the key to ensuring that employees aren’t the weak link in your security chain and putting training and best practices in place can mitigate this threat.
If organisations are confident that the above points have been heeded and all preparatory steps have been taken then relocation of ERP systems to the cloud is recommended. However, companies need to feel assured that they are employing the right cloud vendor and its employees are fully trained before making this shift.
[su_box title=”About Craig Downing” style=”noise” box_color=”#336588″][short_info id=’82770′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.