1. Lack of security knowledge
Often when it comes to security, most people think of hackers penetrating the firewall and stealing corporate secrets and financial data. Sure, this is what is on the news all the time, and it is a huge problem every company faces today. However, it does not end there. What happens if the trade secrets or customer data are stolen by a disgruntled employee in your own office, who then sells the data to someone else? What will you do if someone with too much system access creates a fake customer and places orders that are shipped to it? Network security protects the back end, but the front end, meaning the application and the access it grants to its users, is where much of the real danger lies.
Therefore, it is crucial that you as a business understand that you face not only external risks but also internal threats.
2. Limited experience
So, you have a new ERP system, and you spent all this time configuring it, only to find out that the security is full of holes and at the same time does not give people sufficient access to perform their day-to-day work. This problem is common when you try to set up ERP security by yourself, especially for the first time. Non-technical users can get overwhelmed because ERP systems often have configuration that must be performed in the back end. When the experience is absent, it typically means that your IT administrator must get involved in learning the new system and its architecture, which may become a full-time job.
Experience with the ERP system is crucial if you want to get your security and access levels right. Getting the right people with the right experience in this area is a priority.
3. Limited time
Companies that go live on complex ERP systems and consider security later are certain to encounter problems. For example, users creating or deleting records should not be able to break the system or corrupt the financials. It is important to allocate time for security because this task encompasses the whole company and everyone in it.
Testing is a huge part of the implementation, as you will need sign-off from key users as well as key stakeholders. Starting user testing can bring about long debates about things that were never raised before, such as segregation of duties. These tasks can eat up time during the implementation, so it is best to be prepared right from the start, and to expect that security work will continue even after you are live on the new software.
4. Wrong tools for the job
Sometimes working on ERP security directly in the system is too complex and time-consuming. Thankfully, there are tools on the market for ERP platforms that help companies get through this quicker. They can offer a simpler user interface that interacts with the system on the back end, reducing the need for someone with technical skills. These tools can also offer reports that are as simple or as detailed as you need for the task at hand, for example a listing of which users hold which roles, or which users hold combinations of roles that conflict. This information helps the business, and most importantly the security administrator, get work done. Arbela Security Manager for Microsoft Dynamics AX is one such tool.
5. Old school mentality
The first time a company upgrades from a legacy ERP, it can be overwhelmed by the new and enhanced functionality the software provides. This also means requirements can change, and the legacy way of doing things may become obsolete. A company that was stuck doing things one way may need to change its processes to adapt to the system and its security policies. If you had one worker who used to do everything, those job functions should be noted and segregated. Segregating the duties a worker can and cannot perform helps you stay compliant and limits operational risk. As your system evolves, it is important to take note of such changes and communicate them to the system administrator who will implement the requirements.
6. Bad requirements, bad security
As the old saying goes, "Garbage in, garbage out". One serious mistake a company can make is to assign all of its users full administrator access. Essentially, this means that your multimillion-dollar ERP system is wide open for users to do whatever they wish, and every segregation-of-duties control is bypassed at once. When you have inadequate requirements and documentation, your system will not be secure. This is why the business (auditors, department managers) must be involved heavily from the start.
The requirements-gathering phase of the security implementation is what makes it a success or a failure. Make sure that you are gathering requirements from the right sources: people who know their job area and can tell you what their users can and cannot do. When it comes to auditing, get the requirements from your finance or accounting department that spell out where segregation-of-duties conflicts exist (for example, the person who enters a vendor invoice should not be the one who approves it). Identifying these key areas will help the company avoid financial risk, as well as headaches for you and the rest of the company.
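As an added example (not code from the article, from Arbela, or from any ERP product), the following Python script runs the kind of segregation-of-duties check that sections 5 and 6 describe: it takes a conflict matrix of the sort finance would supply, a map of which duties each security role grants, and the user-to-role assignments exported from the ERP, and reports every user whose combined roles grant both sides of a conflict, which roles cause it, and which accounts hold a full-administrator role. It also lists role pairs that can never be co-assigned, which is useful during requirements gathering before any user has been set up. All role names, duties, conflicts and user assignments below are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over ERP role assignments.

Added example, not part of the original article and not code from any ERP
product. Every role, duty, conflict and user below is constructed; in a real
implementation the conflict matrix is agreed with finance/accounting and the
assignments are exported from the ERP system.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: business duties each security role grants. A "*" entry means
# the role grants every duty (a full administrator role).
ROLE_DUTIES = {
    "AP_Clerk": {"create_vendor_invoice"},
    "AP_Supervisor": {"approve_vendor_invoice"},
    "Vendor_Maintainer": {"maintain_vendor_master"},
    "Treasury": {"release_payment"},
    "Sales_Rep": {"create_sales_order"},
    "Customer_Maintainer": {"maintain_customer_master"},
    "Shipping": {"post_packing_slip"},
    "SysAdmin": {"*"},
}

# Constructed: pairs of duties one person must never hold together, with the
# financial risk each pair represents. This is the list finance signs off on.
SOD_CONFLICTS = [
    ({"create_vendor_invoice", "approve_vendor_invoice"}, "self-approved invoices"),
    ({"maintain_vendor_master", "release_payment"}, "payments to a fictitious vendor"),
    ({"maintain_customer_master", "create_sales_order"}, "orders to a fake customer"),
    ({"create_sales_order", "post_packing_slip"}, "unapproved shipment of goods"),
]

# Constructed: user-to-role assignments as exported from the ERP.
USER_ROLES = {
    "alice": {"AP_Clerk"},
    "bob": {"AP_Clerk", "AP_Supervisor"},        # enters and approves invoices
    "carol": {"Vendor_Maintainer", "Treasury"},  # creates vendors and pays them
    "dave": {"Sales_Rep", "Shipping"},           # orders and ships goods
    "erin": {"SysAdmin"},                        # full admin: every conflict at once
    "frank": {"Customer_Maintainer"},
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by a set of roles; "*" expands to all duties."""
    granted = set()
    for role in roles:
        granted |= role_duties.get(role, set())
    if "*" in granted:
        granted = set().union(*role_duties.values()) - {"*"}
    return granted


def find_violations(assignments, role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Map each user to a list of (conflicting duties, risk, roles causing it).

    A conflict is reported whether both duties come from one over-broad role or
    from the combination of several roles, since the ERP only sees the union.
    """
    violations = defaultdict(list)
    for user, roles in assignments.items():
        granted = duties_for(roles, role_duties)
        for pair, risk in conflicts:
            if pair <= granted:
                via = sorted(r for r in roles
                             if role_duties.get(r, set()) & (pair | {"*"}))
                violations[user].append((tuple(sorted(pair)), risk, via))
    return dict(violations)


def admin_accounts(assignments, role_duties=ROLE_DUTIES):
    """Users holding a role that grants every duty (full administrator access)."""
    return sorted(u for u, roles in assignments.items()
                  if any("*" in role_duties.get(r, set()) for r in roles))


def conflicting_role_pairs(role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Role pairs that must never be assigned to the same person.

    Wildcard (admin) roles are skipped: they conflict with everything and are
    reported separately by admin_accounts().
    """
    pairs = set()
    for r1, r2 in combinations(sorted(role_duties), 2):
        if "*" in role_duties[r1] or "*" in role_duties[r2]:
            continue
        granted = duties_for({r1, r2}, role_duties)
        if any(pair <= granted for pair, _ in conflicts):
            pairs.add((r1, r2))
    return sorted(pairs)


def report(assignments):
    """Human-readable findings, one line per issue, for the security administrator."""
    lines = [f"FULL ADMIN: {u}" for u in admin_accounts(assignments)]
    for user, findings in find_violations(assignments).items():
        for duties, risk, via in findings:
            lines.append(f"SOD VIOLATION: {user} holds {' + '.join(duties)} "
                         f"via {', '.join(via)} ({risk})")
    return lines


if __name__ == "__main__":
    print("Role pairs that must never be co-assigned:")
    for pair in conflicting_role_pairs():
        print("  ", " + ".join(pair))
    print()
    print("\n".join(report(USER_ROLES)))
```

The check works on the union of duties, not on role names, so renaming or splitting roles does not hide a conflict, and a single role that bundles both sides of a conflict is flagged just as a pair of roles is. In practice the conflict list and the role-to-duty map are the requirements artefacts from the finance and department owners; the script only tells you where the exported assignments disagree with them.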