Data security has been a major concern for clients, customers, and businesses that use enterprise resource planning (ERP) software. Many people also have doubts regarding data security in the cloud version. Generally speaking, during ERP implementation, clients tend to focus more on prioritization of activities, core ERP functionalities, deadlines and financial constraints. The data security aspect somehow gets lost in the noise.
According to global IT research firm Gartner, “enterprises should consider the overall set of security functions and controls that permeate the entire environment that will be running trusted transactions.”
According to a survey conducted by Deskera, a global leader in cloud-based ERP, around 55% of organizations do not configure their ERP to maintain audit logs because they worry about performance degradation. In a tussle between performance and security, it is usually the former that walks away the winner.
Kinds of security risks that organizations implementing ERP software face
Organizations face three kinds of risks as far as ERP software is concerned, and the following are tips for avoiding data security issues:
(1) The first risk is unauthorized access. ERP software generally comes with a set of standard roles which are allocated to users on the basis of their functional tasks in the organization. Consequently, clients plug in user-based controls and limit a user’s software access on the basis of their customization and authorization level. For example, an accounts clerk would not possess access to the inventory management module in the ERP. However, there is a risk of users creating fraudulent transactions, making unapproved updates, or submitting entries with preventable transaction errors.
(2) The second risk could be noncompliance with security or regulatory requirements.
(3) The third security issue arises when not all of a client’s needs are met by the ERP because they didn’t accurately report their requirements to the ERP vendor. To make up for the missing functionality, they end up using other software, which may have security issues of its own.
Implementation gaps responsible for security loopholes
(4) It is only when serious security breaches occur after the ERP system has been set into motion that businesses and individuals start to take note of security. Omissions and commissions made during implementation are usually responsible for potential security risks. This scenario may lead to companies having to make corrections after they have gone live, which is a tedious, expensive and disruptive process that could result in bottlenecks and loss of productivity. Moreover, an ERP system whose security is compromised can eventually lead to operational hurdles, data privacy issues, and fraud.
Continuous monitoring is the only solution
ERP vendors as well as clients need to adopt a 360-degree approach as far as security and controls are concerned. They need to focus on specific client requirements and manage risks by devising strategies aimed at protecting the integrity, confidentiality, and accessibility of information.
(5) The approach should be to focus on risk minimization during the implementation period itself and avoid expensive rework. With an increasing number of users and progressively more complex and integrated information systems, new levels of transaction-level security would be required. But above everything else, the concept of continuous monitoring has to be woven into the ERP software so that irregular transactions or fraud are identified and prevented.
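As an added illustration (not code from the article or from any ERP product), the sketch below shows what continuous monitoring can look like when run over audit-log records: it flags access to a module outside the user's role, as in the accounts clerk example in point (1), and updates that lack approval. The role names, record fields, sample records and the extra self-approval rule are all assumptions constructed for this example.

```python
"""Added example: continuous-monitoring checks over ERP audit-log records."""

# Assumed role-to-module mapping (hypothetical names, not from any ERP product).
ROLE_MODULES = {
    "accounts_clerk": {"accounts"},
    "inventory_manager": {"inventory"},
    "finance_manager": {"accounts", "inventory"},
}

# Constructed sample audit-log records; field names are assumptions.
SAMPLE_LOG = [
    {"id": 1, "user": "asha", "role": "accounts_clerk", "module": "accounts",
     "action": "create", "approved_by": None},
    {"id": 2, "user": "asha", "role": "accounts_clerk", "module": "inventory",
     "action": "read", "approved_by": None},
    {"id": 3, "user": "ben", "role": "inventory_manager", "module": "inventory",
     "action": "update", "approved_by": None},
    {"id": 4, "user": "ben", "role": "inventory_manager", "module": "inventory",
     "action": "update", "approved_by": "ben"},
    {"id": 5, "user": "ben", "role": "inventory_manager", "module": "inventory",
     "action": "update", "approved_by": "carla"},
    {"id": 6, "user": "dev", "role": "contractor", "module": "accounts",
     "action": "read", "approved_by": None},
]


def find_irregularities(records, role_modules=ROLE_MODULES):
    """Return (record id, reason) pairs for records that break a rule."""
    findings = []
    for rec in records:
        allowed = role_modules.get(rec["role"])
        if allowed is None:
            # Fail closed: a role missing from the mapping is itself a finding.
            findings.append((rec["id"], "unknown_role"))
            continue
        if rec["module"] not in allowed:
            findings.append((rec["id"], "module_outside_role"))
        if rec["action"] == "update":
            approver = rec.get("approved_by")
            if not approver:
                findings.append((rec["id"], "unapproved_update"))
            elif approver == rec["user"]:
                findings.append((rec["id"], "self_approved_update"))
    return findings


if __name__ == "__main__":
    for rec_id, reason in find_irregularities(SAMPLE_LOG):
        print(f"record {rec_id}: {reason}")
```

Checks like these depend on the audit logs that, according to the survey cited above, many organizations leave unconfigured.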