Your company’s Enterprise Resource Planning (ERP) system is probably not as secure as you think it is, or as it could be, thanks to a common misunderstanding about what is really required to protect these types of systems. Many companies falsely assume that keeping their ERP software on their own on-premises servers is less expensive and more secure than cloud-based ERP. However, the opposite is true — and this choice can prove to be a costly mistake.
Your ERP contains the company’s most vital and confidential information — the “crown jewels” of the business. Theft or destruction of this data can halt a company’s operations, creating short- and even long-term effects. ERP systems are increasingly coming under direct cyberattack. A July 2018 alert from the U.S. Computer Emergency Readiness Team (US-CERT) warned of an increase in the exploitation of ERP system vulnerabilities.
“Research conducted by Cybersecurity Ventures has led to its estimation that ransomware damages will cost the world more than $8 billion in 2018.” They reported, “Ransomware will attack a business every 14 seconds by the end of 2019.” And “Global damage costs in connection with ransomware attacks are predicted to reach $11.5 billion annually by 2019.”
The National Cybersecurity and Communications Integration Center (NCCIC) is the Nation’s flagship cyber defense, incident response, and operational integration center. The top 3 recommendations from NCCIC for protecting against the threat of ransomware are:
- “Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.”
- “Never click on links or open attachments in unsolicited emails.”
- “Backup data on a regular basis. Keep it on a separate device and store it offline.”
Recommendation number two requires regular user training, but recommendations one and three are the responsibility of the IT department in your business.
Impact on your small or medium business
“Business management often believes that on-premise hosting of ERP is more secure because it’s behind their four walls or that it’s mostly free if they’re using their existing servers and personnel,” said Ray Rebello, director of product marketing for Acumatica. “But it’s not. They are required to spend a lot of their IT staff time and money keeping the security software and ERP applications up to date. And unless they’re already a large company with an IT staff, they struggle to manage the constantly evolving security requirement on top of their core job duties.”
Furthermore, ERP software can be particularly challenging to secure because it typically features a complex system architecture, with many interfaces and integrations, and because users increasingly must access it via the internet and a wide range of mobile devices.
Also, because ERP supports mission-critical business processes, companies usually have zero tolerance for ERP downtime — which can complicate prompt deployment of security patches and updates.
Addressing these issues with Cloud ERP
Cloud ERP can be vastly more secure than on-premises servers for several reasons, including:
- Dedicated security resources. Cloud providers, such as Amazon Web Services (AWS) and Microsoft Azure, employ large, highly experienced, full-time security teams. They offer a multilayered security strategy, protecting data and securing access. Thus, security software is always updated and patched promptly. Also, cloud providers offer comprehensive monitoring and timely, configurable alerts of security issues that might compromise sensitive systems or data.
- Access control. True cloud ERP users interact with the ERP via a common web browser, which avoids installing software on their PCs, eliminating device-related threats. Also, for cloud ERP, it’s easier to implement and update role-based security to ensure that unauthorized people aren’t copying data or pulling reports. Cloud ERP can easily handle security for mobile devices, allowing employees to use their own mobile devices, increasing the speed and level of ERP use.
- Data protection. Cloud ERP data is continuously and repeatedly backed up, to enable prompt and complete restoration if disaster strikes. Also, data is distributed across multiple servers, in multiple geographic locations. This makes it harder for attackers to locate a specific company’s data and then copy or corrupt it.
“If you host your ERP on premises, it will definitely be hacked eventually,” Rebello said. “It’s like putting up a sign that says: ‘My data is here, come and get it!’”
Continuous, redundant, off-premises backups of ERP data can be essential to business survival. One company suffered a ransomware attack and not only paid the ransom but also lost crucial business data. After it decrypted its hostage data files, that data turned out to be unusable. So, it tried to reinstall data from its own backups made before the attack — but that data was also worthless because the company had never tested its backup-and-restore process.
An additional advantage of cloud-based ERP security is that it’s not only better than on-premises ERP security, it’s also less expensive. “With on-premises ERP, between hardware and staff time, you’ll annually pay up to 20% of what it costs to purchase the software license,” he said. “That’s like buying your ERP all over again, every five years.”
The scalability of cloud ERP adds to its cost effectiveness. Some ERP software providers offer the option of paying for the cloud resources you use rather than for the number of users you have. This also allows resources to be reallocated as needed.
Moving your ERP to the cloud frees up precious financial resources that are better used on your business rather than cybersecurity. This can help your company grow, while enhancing resilience to a wide range of threats. Even better, securing your ERP by moving it to the cloud can be easier than you might expect.