Enterprise Resource Planning systems are vital to growing and running a business, especially in the global marketplace. But systems may carry risks, and companies need to have the proper protections in place to keep their data secure, says Rex Moskovitz, senior manager — Cybersecurity and Data Protection Consulting at Rea & Associates Inc.
“Simply having an ERP system isn’t enough,” says Moskovitz. “It needs to be cared for and maintained, and there are internal and external security risks that businesses need to understand so they can mitigate them.”
Smart Business spoke with Moskovitz about the benefits of employing an ERP system and how to keep your data safe.
What is an ERP system, and what are common prevailing risk exposures?
An ERP is a very large computer program with affiliated software that runs an entire organization by automating the business. Once a business hits the $500 million mark, the day-to-day tasks of accounting, HR, supply chain, financial planning and analysis, budgeting and forecasting become too complex, and existing systems can no longer handle the data volume.
The bigger an organization gets, and the more modules that are installed and configured, the more users there are, and it doesn’t have the ability to keep up with all of the roles. Poor roles-based security profile settings allow excessive user privileges and unnecessary access to data.
Data is the new oil. It’s everywhere, it’s very difficult to get, but everyone wants it. To protect yourself internally, have a strong system of internal controls. Do a thorough, robust user profile analysis to determine which employees will have access to which transactions, and that they only have access to transactions that allow them to do their job. Roles-based authorization in ERP systems restricts access and blocks someone from running a report or accessing data they haven’t been authorized to see.
ERP systems also provide licenses for governance, risk and control. These automated tools configure user profiles that control access to accounts so that any purchases over X amount need supervisor or manager approval, allowing you to detect and prevent porous threats internally.
In addition, governance, risk and compliance software can continually monitor ERP activities, user privileges and access, validate interface and API testing and support continuous IT General Controls auditing.
How can organizations protect themselves from external threats?
An independent third party will be familiar with the common vulnerabilities and exposures of ERP systems and can monitor for, identify and detect external threats. In addition, ERP providers continually monitor the external environment and try to break into systems to identify vulnerabilities. And purchasing a maintenance agreement gives you access to service packs, enhancement packs, patch fixes and updates rather than having to install them on your own.
Taking these steps is critical. You don’t have to be a multibillion-dollar company to be at risk — where there’s money, there’s risk. It’s just a matter of time.
How can a company make the leap to a secure ERP system?
The first step is talking to people you work with regularly on complicated matters of tax, audit, accounting and operations. Talk to contemporaries within your industry, as certain systems are more commonly used in certain industries. Once you’ve identified a system, a systems integrator who knows your industry can integrate templates, installing preconfigured models so you don’t have to build from scratch.
Migrating to an ERP system and taking steps to keep it secure is like going into a marriage. It’s very exciting because of the promise of what the marriage will bring, but you need to go in with an open mind, be flexible and understanding, and not boxed in to certain expectations. Most important, expect challenges, and when they do arise, work through them with your employees, your ERP provider, your systems integrator and other professionals.
ERP is an investment in people, technology and, most important, time, that will pay off in increased security and better management of your organization’s data.
Insights Accounting is brought to you by Rea & Associates