Planning for Attack: Security and Cloud-based ERP (IT Toolbox Blogs)

Businesses are vulnerable. As cybercrimes become more frequent and severe, companies are spending more time and money to protect their digital assets. The consequences of a cyberattack can be fatal to even the healthiest businesses: Within six months of a data breach, 60 percent of small businesses close their doors, according to a study by the National Cyber Security Alliance.

Is Security out of Your Hands?

Nowhere is security more of a concern than with cloud-based enterprise resource planning (ERP) applications. Many businesses assume that after they move their ERP system to the cloud, security is beyond their control. But there are proactive steps any business can take to gain more control over its cybersecurity. This article explores a structured approach to cloud-based ERP security that simultaneously helps make the business responsive and agile in the market.

Despite the security risks, businesses have good reasons for moving their ERP systems to the cloud. In addition to 24×7 cloud-based access to data across multiple departments and geographic locations, competitiveness is a clear reason. There are distinct performance and productivity draws, as well, including customizations and upgrades.


The cloud provider handles the latest integrations automatically, allowing the business to benefit from seamless upgrades to the most advanced ERP software version. Cloud-based ERP is dynamic, assigning additional resources that move with peak demands and making automatic adjustments to workflow. Cost is also an important factor: Businesses can pay monthly subscription fees rather than upfront software and hardware costs. A Hurwitz white paper sponsored by NetSuite reveals that cloud-based ERP can cost 50 percent less than onsite ERP. For these reasons—and especially in businesses where ERP is not the core competency—it makes more business sense to outsource ERP functionality to the cloud.

Security Demands Action, Planning, and Responsibility

With opportunity comes risk. Many companies see the move to cloud computing as uncontrolled exposure that can threaten the very structure of the business. For many other businesses, failure to plan for security has become their biggest nemesis. Commenting on an Onapsis Research Labs study on SAP data breaches, chief executive Mariano Nunez said, “The big surprise is that SAP cyber security is falling through the cracks at most companies due to a responsibility gap between the SAP operations team and the IT security team.”

Security risk should not discourage or deter enterprises from using cloud-based ERP; instead, businesses should look at security as a best practice that strengthens the business. So, although cloud-based ERP vendors take much of the responsibility for software performance and upgrades off the shoulders of the organization, security is not the place for organizations to assume that they can take a hands-off approach.

Businesses that are willing to outsource their ERP functions to the cloud must not assume that doing so means that they’re outsourcing security. Businesses must have basic security hygiene in place to prevent, mitigate, defend, and monitor for security incidents. 

A Proactive Network Security Plan

Security consists of many elements, from network and user security to data protection and user privacy. At a basic level, the business needs firewalls, antivirus systems, and a systemic checklist that includes: 


  • Managing access. Manage users, privileges, and clients, with strong identity and access controls and fraud prevention.


  • Data protection. Protect databases, workloads, and content for secure app development.


  • Monitoring system. Watch for anomalies, threats, and activities through real-time threat intelligence.

Creating a Cyberattack Response Plan

It’s also important to create a cyberattack response plan that covers every conceivable—and maybe inconceivable—security breach that can affect your business. At a minimum, this plan should identify:


  • Job assignments for specific individuals within the organization;


  • When to call the authorities;


  • A prepared response, prewritten for social and traditional media outlets;


  • A system to provide regular updates to customers, vendors, and the public;


  • Details on how you will contain the incident; and


  • Details on how to recover.

This plan will require testing so that you can uncover any gaps and flaws. These are not actions or decisions that businesses will be able to make successfully at the time of a cyberattack: Planning is essential. The reality is that when it comes to the bad guys, they are always one step ahead of us.


About the Author

Susan J. Owens is a content creator, building fresh insights into white papers, byline articles, and case histories for such clients as Disney, Coca-Cola, Lancaster Pollard, GenCorp, Kellogg’s, and General Electric. She is an analyst for Studio B.

Source: SANS ISC SecNewsFeed @ May 2, 2017 at 12:09PM