Security for your ERP system starts with the system itself and needs to extend down through the operating system to the bare iron. While it is not always top-of-mind, security is critical, as a couple of cases that made the evening news demonstrate.
Security is a job, but it doesn’t have to be a major time sink. The biggest part of day-to-day security on an ERP system is making sure everything is properly patched as new security fixes come out.
The first step in a security plan is to put someone in charge of it. This person (or persons) handles everything from making sure patches are installed in a timely manner to setting and maintaining a password policy.
Having someone in charge of security is important, but most of the threats will come from users' interactions with the system. These threats are the result of carelessness on the part of the users and of deliberate attacks, either internal or external.
The key here is to set reasonable policies for your users and see that they are enforced consistently. This includes strong passwords changed regularly and educating your users about social engineering attacks.
At the system level, encryption is your friend. Encrypt data in transit and data at rest. Nothing should move across your network or sit on your endpoints without strong encryption. Modern systems can handle the load of encrypting and decrypting data without an appreciable performance hit.
At the user level, users must be taught to protect their passwords and never to share them with anyone, no matter what the excuse. They also need to know what makes a strong password, and you need to make sure they are actually using strong ones.
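One way to turn "make sure they are using strong ones" into an enforceable check, as an added example that is not part of the original article: a small Python password-policy validator that an administrator could wire into an account-provisioning script or a periodic audit. The minimum length, the character-class rule and the short list of common passwords are assumptions chosen for this example; a real deployment would load a much larger breach-derived list.

```python
import re

# Constructed sample of widely used passwords (assumption for this example;
# a production check would load a large breach-derived list instead).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Policy parameters (assumed values, tune to your own policy).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []

    # Length is the single most important factor.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Require a mix of character classes.
    classes_used = sum(1 for c in CHARACTER_CLASSES if re.search(c, password))
    if classes_used < MIN_CHARACTER_CLASSES:
        problems.append(
            f"uses fewer than {MIN_CHARACTER_CLASSES} of: lowercase, uppercase, digit, symbol"
        )

    # Reject well-known passwords, including ones padded with a digit/symbol suffix
    # such as "Password1!" which users commonly produce to satisfy class rules.
    lowered = password.lower()
    stripped = re.sub(r"[0-9!@#$%^&*]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("is a common password (or one with a trivial suffix)")

    # The account name must not appear inside the password.
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")

    # Reject runs of the same character ("aaa", "111").
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated 3+ times")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper for scripts that only need a yes/no answer."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample entries for a local demonstration.
    samples = [
        ("jsmith", "Password1!"),
        ("jsmith", "jsmithRocks2024!"),
        ("jsmith", "correct-horse-battery-staple-42"),
    ]
    for user, pw in samples:
        verdict = check_password(pw, user)
        print(f"{user}: {'OK' if not verdict else '; '.join(verdict)}")
```

Running the block prints one line per sample: the first two are rejected (a common password with a trivial suffix and short length; the username embedded in the password) and the long passphrase passes. The common-password check matters more than the character-class rule: a policy that only counts classes happily accepts "Password1!".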
In spite of the complex and sophisticated attacks available, the majority of breaches are caused by social engineering. That leads to a long litany of dos and don'ts that your users need to be familiar with.
Users need to be trained to spot phishing attacks and to avoid getting caught by them. As the attackers get more sophisticated, this becomes a bigger concern.
Users need to treat emails, especially unusual emails, like loaded guns and handle them accordingly. They need to know never to open a strange email without checking and to have a healthy paranoia toward emails, no matter who they appear to be from.
Put an absolute prohibition on plugging USB memory sticks into company computers unless the user is completely sure of the stick's origin and contents. Needless to say, programs, pictures and other files of unknown origin should never be on your company's computers.
Keeping your ERP system secure is an ongoing job. If you have good security policies, enforce them carefully, and educate your users, you should have little trouble with security.