As we wrote recently, a global survey of senior technology executives conducted by KPMG and Oracle revealed that worrying about data security is the thing that most keeps them awake at night. The concern is especially acute for data stored in the cloud, but it also exists for on-premises servers.
For users of ERP software systems, this can be especially troubling. Every ERP system may hold a wealth of information about everything from production techniques to the supply chain and customers, from financial data to employee information, and other highly sensitive, often proprietary secrets.
ERP data security continues to loom as a huge issue during the COVID-19 emergency. Some employees in some states are back in the office, others may still be at home using their own PCs and other devices as they work. Senior executives, in-house counsel, technology directors, and even line employees all must understand and work to mitigate the mounting risks of breaches and leaks, even those that are inadvertent.
There are five must-do steps that organizations need to take in checking ERP data security and then close any gaps that are revealed.
1 – Assume nothing. Begin with the premise that the outcome is unknown. We have lost track of the number of times over the years when a client stated, “But we had everything under control!” when, in fact, the opposite was true.
Making assumptions will put an organization at risk. Surmising in advance where the greatest security risks may be can have a devastating effect on even the most-sophisticated organization.
Rather, consider the evidence that emerges before reaching any conclusions. The bias that bedevils data security is when decisions are not made from facts; even professionals search for information that supports their original assumption.
2 – Use every tool to assess risks. Recognize that no single tool will solve the problem of ERP data security. For example, assuming that a firewall, anti-virus program, and a Security Information and Event Management (SIEM) program is foolproof all but guarantees failure. While essential on their own, their shortcoming is that they miss what might be happening in between their protections.
It is far safer to also assess risks that may arise elsewhere, using things such as network detection and response software. Without a comprehensive solution, a company will only be scratching the surface of knowing the data security in its ERP software system.
3 – Keep an open mind. Something often happens in the brain when a data security professional is testing a system such as ERP: They are accustomed to spotting problems in the same places, which has them looking for something here when the problem may be over there. This raises the possibility of overlooking a danger.
So, it is vital to keep an open mind to what the data is showing, not what anyone expects it to reveal. This does not mean ignoring years of accumulated experience and expertise. It does require including the possibility of chance in the discovery process, to see what might be seen, uncovering a threat where one was not expected to be found.
Relying on the history of what you have always found in the past creates its own bias. It is vital to look at the data from all angles.
4 – Don’t judge in advance. Many security professionals are influenced by what they have been accustomed to seeing on their network. This is what they often look for first and, when they find it, might assume they’ve located a problem.
But what appeared on Monday may not have anything to do with something that is occurring on Tuesday. This sort of judgment call undermines the ability to make a comprehensive determination of the potential risks in the system or the network.
No matter how keen one’s judgment and experience might be, a holistic approach – and solution – to solving a problem is needed. Professionals need to see everything happening on a network.
5 – Beware of what the eye sees. Both state-sponsored and criminal threats often come from what could be considered primarily benign tools to penetrate an ERP software system. Be wary. A small discrepancy that isn’t usually perceived as a genuine threat could well be masking a more lethal attack.
The best security teams look for – and often find – genuine threats in places where they had not been expected or discovered previously. Often, a threat is lurking in a most unlikely place.
Combine the tools you have with the knowledge and experience you’ve gained to separate a threat from legitimate activity.
Never Be Totally Certain
One of the things we have learned as data security attorneys who have spent much of our career working with ERP is that users often hit bad road bumps when they are absolutely, positively, totally certain about an outcome.
Yes, experience and training are important. But security professionals responsible for the safety of an ERP software system must go out of their way to ensure that they don’t have blind spots masking problems that prevent finding a solution to an issue.
If you are a corporate executive, general counsel, or network professional and have questions about ERP data security, feel free to contact us. If we cannot provide an answer, we can refer you to reputable consultants and advisors who can.