Back to Blog

ERP internal security: Three critical risks explained

14 March, 2017
ERP internal security

Security risks concerning ERP can be broken down into internal and external risks. Internal risks are the most critical and are the most complex of the two, since it is about organizing the internal administration of a business which involves setting the right privileges for the right roles.

Internal security is often performed by external parties, with expertise in ERP and not security, who have insufficient information about the business. Once initial security configuration has taken place, the IT department is often then made accountable for managing ERP access levels. In a similar fashion many IT professionals are strongly skilled in IT, but not in ERP security management which opens the door to internal vulnerability.

In our last blog, 10 ERP security risks you need to know about, we explored the potential outcomes of when internal ERP security is not set up correctly – in this post we will take a deeper look into the top three internal risks, and what you need to do to avoid them.

Internal data theft

The main cause of internal data theft and financial loss is through the extraction of critical customer and vendor information from ERP systems. When this information is stolen, it can be sold to competitors and used to advance their market share, potentially damaging the position of your business. It can also be used in bribery, or to cause harm to your customer and vendor relationships.

Internal data theft often occurs unintentionally, such as sharing credentials to help a co-worker, but there are also many cases of intentional data breaches. The reason for this might be a disgruntled employee, or an employee purposely driving illegal insider trading or favouring customers and/or vendors by sharing ERP details. This is why it’s extremely important to be stringent with your ERP privileges and roles, and to review them on a regular basis in line with your employee appraisals.

Data protection is critical, and there is now an increasing focus in European and US regulations to help businesses be more organized in managing their data, which can help to prevent internal and external tampering of information. While the introduction of these regulations is a step in the right direction to keeping data safe, you still need to ensure you are doing everything that you can internally to protect your business.

Malicious use

Based on research, 10% of employees have executed malicious activities with a company’s business data, in an intentional manner. Although malicious intent is not often admitted by leadership, it still accounts for a large proportion of data security issues. This risk evolves around internal employees intentionally misusing the ERP system for the sake of personal benefit or sabotage.

A case that occurred in the Netherlands highlights these risks. The procurement manager had set up a separate firm outside the company that employed him. Due to the open access to the ERP system, the procurement manager started to create purchase orders in the ERP system, addressed to his private company. These orders carried cost items that were hard to detect as no physical goods receipt took place and the procurement manager set himself up to approve these malicious invoices.

By having the right internal security setup, the Netherlands company mentioned above, would have been able to spot this case of malicious use before it could do real damage to their business and their financials.

More devices, more access

A key security and cybercrime risk is the fact that rising technologies such as cloud computing and Internet of things (IOT) have created many new access points into a company’s network and ERP system. Mobile devices, such as smartphones, tablets, external POS systems and web services to mention a few, open the door for additional access points into business systems.

The simple fact is that the more access points ERP has, the more external access becomes possible. In the worst cases, criminals obtain control over the ERP system, enabling the external party to override business operations. This all might sound quite scary, but with the right levels of security and ongoing security management, the cloud and IoT can be safe and secure!

Do you feel like you need to find out more? Watch our webinar on How to keep your ERP secure here, and discover exactly how Dynamic Security Management can protect your business from internal and external threats.