Photo: Pogonici/iStock/Thinkstock
ERP system security is not as simple as putting a padlock on your keyboard, but direct access to the physical hardware is still the number-one threat to your company's business system.

Priorities for ERP Security

Aug. 18, 2014
With the proliferation of devices and the pressure to give customers expanded access online, the threats to your data multiply but the top priorities remain the same. Here are your ten best moves to protect your “crown jewels.”

Every so often we get a round of screaming headlines in the popular press about a massive data breach at a national retailer or some other organization — credit card numbers stolen, social security numbers, credit information — and a public post-mortem examination of how it happened. Meanwhile, electrical distributors are asked to respond to a crescendo of requests for more access. Customers want to see into their accounts and shop on a richly detailed website full of product data that shows their real pricing. Salespeople want to use their tablets and smart phones to pull up comprehensive customer account data. And the technology sector rumbles ahead, telling us that all that data should be moved to some far-off data center in the cloud.

Amidst all this commotion, it’s hard not to feel vulnerable and impossible not to be confused about where the true priorities lie in protecting the “crown jewels” of the company — customer data, vendor data, purchasing histories, pricing, company financials, employee data and all the rest of it — the critical intelligence on which many distributors seek to build an advantage in the market.

In talking to some of the electrical industry’s technology people about how all this turmoil affects distributor data security, what may be most surprising is how little the priorities have actually changed. Gathered from those conversations, here are some guidelines for addressing the key vulnerabilities, new and old.

1. Allow access only to the data necessary for the job.

Reports of credit card numbers stolen on a massive scale by intrepid hackers from far-off lands are impossible to ignore, but a look at your data security shouldn’t start there. Just as it was in the days of mainframes and dumb terminals, the first place you should focus in evaluating your company’s data security is with your own people, policies and processes.

“Employees are still the key vulnerability — which employees have access to what,” says Andy Berry, V.P. and general manager of the Global Distribution Business Unit for Infor, New York. “If a salesman leaves he could go to a competitor, and you have to worry about what kind of data he has.”

Physical control of a device on the network is still the most effective way to break into a computer system. Strong passwords that expire often are still your first line of defense, so if an intruder does obtain password access, it can only be for a short period of time. The best protection is to train your people on good computer security and password practices and enable the system’s capabilities to log every interaction with the core ERP and alert you to any unauthorized activity, and you need to review those logs on a regular basis.

Additional policies to consider now have to include restricting people’s use of USB-connected devices including flash drives and smart phones. A recent report showed that any device connected by USB can be coded to mimic any kind of input, even duping the system into thinking it’s a keyboard, typing in commands that give it access to the system, or a network card, rerouting your Internet traffic so everything the system communicates can be captured. The report from SRLabs highlighted that innocently downloading a smartphone app that has hidden malware and then connecting the phone by USB can allow it to infect the whole system.

As CNNMoney’s Jose Pagliery wrote in the website’s coverage of the report, “It’s time to start thinking of smartphones and USB Flash drives like toothbrushes or razors — for personal use only.” (For links, go to this story on

Modern ERP systems help by giving you tight control over permissions. Some also provide security features such as one-time passwords that can be used in situations where someone whose job doesn’t require constant access to sensitive information needs that access for a defined project.

2. Clean up after terminated employees

Access concerns are heightened in a bring-your-own-device (BYOD) environment where employees use all manner of devices including personal smart phones and tablets to pull up customer account and pricing information.

It was a bit of a surprise to find that the software vendors are not very concerned about security vulnerabilities related to BYOD. It turns out this is because access to data can be tightly controlled when a device connects via a smartphone app or a web browser so that a user sees a reflection of the data in the core ERP but can’t get into the actual data.

All the same, you need to think through the amount of data, especially customer-specific data, provided to salespeople. Modern customer-relationship management (CRM) systems can be synchronized with the core ERP without giving the devices they’re carrying access to the ERP system itself, but that data can be enough to do damage. If you set it up to place orders, you have to start exposing cost data and customer data and then you have to worry about what could happen with that information.

When the time comes to part with an employee, you will want the capability, provided by some but not all of the CRM and ERP systems, to wipe company data from any device remotely and shut off that device’s access to the company’s systems. Do this before you tell them of your decision to part ways, whenever possible.

3. Handle customer access requests on a case-by-case basis.

The continuing crescendo of customers demanding deeper access to their accounts requires another layer of access control. Berry of Infor says this is an evolving area of security where different distributors are taking different approaches and no clear best-practice has emerged.

Distributors on the cutting edge of figuring this out are conscious of exposing more data and trying to determine how much to provide — do you give them access to core ERP or do you build e-commerce portals that provide self-service data?

Either way, Berry recommends reviewing and approving customer access on a strict case-by-case basis and keeping a close eye on what happens at those access points. This is an area where bringing in a third-party data security specialist to audit and penetration-test your system would be well advised.

4. Keep your system up to date.

By some estimates 66% of ERP system users are not on the latest version of their software. You don’t really have to have the very latest version to stay secure, but you have to be on a version that is still within the provider’s support window so they keep sending you service pack updates to protect your system from emerging threats. On top of that, your IT team needs to pay attention to security reports regarding outside software that is critical to your ERP system’s functioning such as Microsoft Windows, Java and your core database platform.

5. Consider the Cloud

Across the board, the experts consulted for this story said cloud systems are as good or better (most say better) than locally hosted systems in terms of data security. This may seem counter-intuitive in the sense that you take better care of your kids than the babysitter does. That analogy falters, though, when you consider the constantly changing threats to your data security. Cloud data centers are built from the ground up with security in mind, including armed guards, undisclosed locations, multiple backup systems and teams of experts in data security whose only job is to know about emergent threats as soon as they emerge.

With a cloud-based system, you still have to be concerned about who has access to what, but hosting in the cloud gives you added security advantages. Steve Hackbarth, director of software development for open-source ERP provider xTuple, Norfolk, Va., says, “A cloud-based system is vastly more secure than locally hosted system. Most users keep the system on a network that employees work on every day, and they’re human — they sometimes open attachments — so it’s not all that difficult for intruders to gain access to the machine on which the ERP is being run. In the cloud, if you’ve got your ERP up on Amazon, for example, it’s still possible for an intruder to take over one of your users’ computers. If a user’s password is compromised, the intruder could log in as that user, but they have to suck data through the tiny straw of that user’s access. On a locally hosted system, even if you trust your employees, it’s a bigger threat because the intruder only has to take over one account to have full access.”

The other key security benefit of cloud hosting is that it means you’re always running the latest, most secure version of the ERP software (see #4 above).

6. Lock down your network and encrypt your data.

Make use of the latest thinking in using and maintaining firewalls between your network and the outside world. Consider having a separate access point for guests to access the Internet, such as customers waiting on an order at your will-call counter. For outside sales and other positions that work remotely, set up a virtual private network (VPN) client to control secure access.

End-to-end data encryption is the best way to thwart an intruder from being able to use whatever data he grabs. With the revelations over the past year or so about governments gaining backdoors to trusted encryption systems, there are new concerns about vulnerabilities that could be exploited by others. For the purposes of most electrical distributors, though, those systems can still be considered much more secure than unencrypted data.

As for what encryption to use, open-source encryption protocols such as TrueCrypt or GPG (an open-source implementation of the OpenPGP protocol used to encrypt email communications) are widely considered a better bet because there’s a worldwide community engaged in reviewing, critiquing and improving the code as it changes over time.

7. Make sure your ERP is PCI compliant

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a critical issue if you accept orders by credit card, and if you’re doing any e-commerce at all the credit-card portion of your business is surely growing.

To be compliant, the system cannot store customer credit card numbers in any way in a non-heavily encrypted format. Those numbers cannot include the three- or four-digit security code. Those numbers should never be retrievable to employees beyond the last four digits. There are numerous back-end requirements about having powerful firewalls, very strong passwords, no ‘back doors’ and tight controls on data and backups.

Most ERP systems used in the electrical distribution industry are PCI compliant. Epicor’s Eclipse ERP system, for example, encrypts credit card data from the point of capture and never stores credit card data anywhere on the system — instead it’s replaced with a token issued by a secured third-party provider, says Sean Smith, director of Eclipse product development. The idea is that the data can’t be compromised if it’s not on the system in the first place.

“We used to hold credit cards in our system, and it still makes me nervous when a contractor asks to write down a credit-card number,” Smith says. “With tokenized compliance, Eclipse is now very good in that regard.”

8. Be wary of modifications and add-ons.

Custom modifications are frequent sources of unrecognized data exposure. This could lead to tough choices for any company staking its reputation on innovation or just seeking to improve its online offering beyond the standard packages available from the ERP providers, but it’s crucial.

A good rule, says Hackbarth of xTuple, is to stick with open standards. “Most of the vulnerabilities we see relate to security measures users tried to concoct for themselves,” he says. “The best practice is to hew to some sort of open standard and try not to do hacking around the corners — that’s where the most egregious vulnerabilities can occur. It’s tempting to add new functionality to open up something for convenience of customers. The short-term benefit is undeniable, but it represents a security concern.”

If you do modifications, especially those that involve granting a customer access to your core data, bring in an outside security consultant for an audit.

9. Use the system’s report and analysis functions.

One of the easiest ways for a distributor to lose control of critical data comes at that point where you need to do some analysis on customer types or pricing or financials and the necessary number-crunching isn’t supported by the ERP system, so the data all gets exported into Excel spreadsheets and various databases for the purpose. Once that begins to happen, it’s very easy to lose track of those files and who has had access to the data. The best way to avoid this is to select an ERP system with all the reports you might need built-in.

10. Put security near the top of your list when selecting a new ERP system.

When you reach the point of replacing an existing ERP system, it’s the ideal time to get up to date on the latest threats and have your concerns addressed. Most of the system providers have a good handle on security, but don’t assume anything. Ask ERP software providers you’re evaluating about encryption, access controls, security concerns about support software such as the versions of Windows or Java they use, how the system logs exceptions and communicates alerts, processes for granting outside or temporary access, the amount of on-device storage in BYOD applications, and anything else you can think of.

The processes for securing your data will continue to change over time, as the threats and hacking techniques evolve, and you need a partner who has the process down for protecting the “crown jewels.” But your focus on security cannot stop there. Actively managing access to core data internally and externally, keeping an eye on known potential weaknesses around custom modifications and custom reports, and using the expertise of security audits and cloud hosting can take you most of the way to running a system in which your data is reasonably secure. In the evolving landscape of data security, that’s about the best you can do.