How safe is your ERP?
A few years ago, one of the major concerns with ERP was security. In a competitive ERP market, a few suppliers may rush to add features in order to win business, leaving security as an afterthought.
Van de Riet, Janssen, and Gruijter (1998) summarized:
“ERP experts have to provide explicit and well-defined security policies that can be easily defined and maintained. The security policies will offer the rules for the access of subject to object, and these are the constraints put on the administrators when they are granting or denying permissions to the users”.
ERP Security Today
For most enterprises, ERP security starts with user-based controls, where authorized users log in with a secure username and password. Enterprises then limit each user's software access based on an individual, customized authorization level. For instance, an accounts payable clerk should not have access to the inventory management module within the ERP software.
About half of all organizations do not configure their ERP software to maintain audit logs because they are concerned about performance degradation. In a compromise between security and performance, enterprises can avoid logging every detail of system activity and focus on meaningful information that’s relevant to the transaction.
ERP security has traditionally focused on internal controls that limit user behavior and rights, while organizations rely on network perimeter defenses to keep unknown parties from reaching the ERP software. However, increasingly integrated information systems with numerous users require a new level of transaction-level security.
According to Gartner, “enterprises should consider the overall set of security functions and controls that permeate the entire environment that will be running trusted transactions.”
Applications remain highly vulnerable to external security threats. Most organizations fail in their ERP security efforts because they implement software with a plan that leaves controls design and implementation until the end of the process. The biggest drawback of relying on internal controls for ERP security comes from the costly and time-consuming maintenance of those controls. As employees are promoted, reassigned or terminated, organizations must continually update their business software with each employee’s authorization level.
A recent Gartner audit revealed two important points:
- Duties within the purchasing process have not been adequately segregated. As a result, personnel could gain control of the entire purchasing cycle, resulting in errors, irregularities or fraud.
- Many users have been granted inappropriate authorizations in the Financial Accounting and Controlling modules.
Continuous Monitoring as the Solution
The concept of continuous transaction and incident monitoring goes beyond simple procedural rules and transaction logs, incorporating advanced analysis to identify irregular transactions and determine whether a transaction indicates fraud, misuse or error. Continuous transaction and incident monitoring acts as the final layer of defense against outsiders who have penetrated the network and operate as authorized users.
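The two audit findings above (duties in the purchasing cycle not segregated, and users holding authorizations their role should not have) are exactly the kind of irregularity that transaction-level monitoring is meant to surface from the audit log. The following is an added example, not code from the article or from any ERP vendor: it runs a segregation-of-duties check and a role-authorization check over a small, constructed purchasing-cycle event log. The action names, role names and permission table are hypothetical; a real deployment would map them onto the ERP's own transaction codes and role model.

```python
"""Constructed example of continuous transaction monitoring for an ERP
purchasing cycle: segregation-of-duties (SoD) and role-authorization checks.
Action names, roles and events are hypothetical sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str       # timestamp of the action (constructed ISO-8601 string)
    user: str     # ERP user id
    role: str     # role the user held when performing the action
    action: str   # ERP action name (hypothetical)
    doc: str      # purchasing document the action belongs to, e.g. a PO number
    amount: float # document value, kept so later rules can use it


# Pairs of duties that one person must not perform on the same document.
# Together these cover the "control of the entire purchasing cycle" case.
SOD_CONFLICTS = frozenset({
    frozenset({"create_vendor", "approve_invoice"}),
    frozenset({"create_po", "approve_po"}),
    frozenset({"approve_po", "post_payment"}),
})

# Hypothetical role model: role -> actions the role is authorized to perform.
ROLE_PERMISSIONS = {
    "ap_clerk": {"create_vendor", "post_payment"},
    "buyer": {"create_po"},
    "purchasing_manager": {"approve_po", "approve_invoice"},
}

# Constructed sample audit log (not real data).
SAMPLE_EVENTS = [
    # PO-1001: a properly segregated cycle across three people
    Event("2024-03-01T09:00", "alice", "buyer", "create_po", "PO-1001", 4200.0),
    Event("2024-03-01T09:10", "bob", "purchasing_manager", "approve_po", "PO-1001", 4200.0),
    Event("2024-03-02T11:00", "carol", "ap_clerk", "post_payment", "PO-1001", 4200.0),
    # PO-1002: one user runs the whole cycle alone (the SoD failure from the audit)
    Event("2024-03-03T08:00", "dave", "buyer", "create_po", "PO-1002", 9800.0),
    Event("2024-03-03T08:05", "dave", "buyer", "approve_po", "PO-1002", 9800.0),
    Event("2024-03-03T08:07", "dave", "buyer", "post_payment", "PO-1002", 9800.0),
    # An AP clerk approving an invoice: authorization her role does not grant
    Event("2024-03-04T14:00", "carol", "ap_clerk", "approve_invoice", "PO-1001", 4200.0),
]


def find_sod_violations(events):
    """Return (user, doc, action_a, action_b) tuples where a single user
    performed both halves of a conflicting duty pair on the same document."""
    actions_by_user_doc = defaultdict(set)
    for e in events:
        actions_by_user_doc[(e.user, e.doc)].add(e.action)
    violations = []
    for (user, doc), actions in actions_by_user_doc.items():
        for pair in SOD_CONFLICTS:
            if pair <= actions:  # both conflicting duties done by this user
                a, b = sorted(pair)
                violations.append((user, doc, a, b))
    return sorted(violations)


def find_authorization_violations(events):
    """Return (user, role, action, doc) for every action that the user's
    role is not permitted to perform, in log order."""
    return [
        (e.user, e.role, e.action, e.doc)
        for e in events
        if e.action not in ROLE_PERMISSIONS.get(e.role, set())
    ]


def monitor(events):
    """Run all checks and group the findings, as a monitoring job would."""
    return {
        "sod": find_sod_violations(events),
        "unauthorized": find_authorization_violations(events),
    }


if __name__ == "__main__":
    for category, findings in monitor(SAMPLE_EVENTS).items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

The SoD check deliberately keys on (user, document) rather than on the user alone: holding two conflicting authorizations is a role-design problem, but actually exercising both on the same purchase order is the transaction-level signal an auditor cares about. The authorization check catches the second finding, where the log shows an action that the user's assigned role should never have allowed, which is worth alerting on even when the ERP's own access control should have blocked it.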