Business Software and Security
Source: Äri-IT Autumn 2024
Author: Janar Randväli, Head of Information Security
Protecting your company’s data secures a competitive advantage, reduces risks, and strengthens relationships with clients and partners.
I often encounter clients who simply want everything to be secure without having to worry about it. As a person, I understand this wish, but as a requirement it is non-functional and very hard to interpret consistently, especially when one party is the client and the other the service provider: "secure" has to be broken down into concrete, testable requirements before either side can deliver or verify it.
Enterprise Resource Planning (ERP) systems are often the lifeblood of business management, integrating various business processes and data into a unified system. The security of such systems is crucial, as they contain sensitive information vital for the company’s operations and competitiveness. It’s essential to consider security during the ERP system’s planning phase, assess risks, and select appropriate security measures.
It’s encouraging that more companies are addressing security issues when procuring ERP solutions, setting expectations that the system must meet.
Address Security from the Start
Security must be built in from the planning phase. The first and most important step is to understand what data will be brought into the ERP solution and how it will be used, because the type of data dictates the level of protection required. Processing personal data, for example, is subject to strict regulatory requirements, but protecting trade secrets such as financial data and technical know-how from competitors is just as important, even though no regulator mandates it.

The second step is to understand the risks that implementing the ERP solution may introduce. The right time to start mapping risks is during business process analysis, so that the essential security requirements are captured alongside the functional requirements rather than bolted on afterwards. Doing this early makes it much easier to select both the solution and the development partner.

The third step is technology or solution selection. A wide range of ERP solutions with different functionality and user interfaces is available today. Price is a significant factor, but the functional and security criteria that the business needs and the identified risks impose must be weighed as well.
What to Pay Attention To?
The following is a small but important selection of topics to consider when choosing a solution:
- Security: A first indicator is the presence of certifications such as ISO/IEC 27001 (HIPAA, by contrast, is a regulatory requirement for US health data rather than a certification, and is relevant only if such data is processed). Bear in mind that a certificate covers the vendor's management system, not the product itself: ask for the certificate scope and for recent penetration test or vulnerability assessment results. If no certification exists, the security of the solution must be evaluated in more depth.
- Deployment: Decide whether a cloud-based solution is acceptable or whether all data and the solution itself must reside in a server room under your own control.
- Access Control: Determine which user rights and access control functions the solution supports, whether it integrates with your existing environment, and whether that integration is sufficiently secure (e.g., single sign-on via Microsoft Entra ID, so that multi-factor authentication and account lifecycle are enforced centrally rather than in a separate ERP user database).
- Data Protection: Identify which features are available to protect the data. Depending on the dataset, granular rights management, encryption of data at rest and in transit, and monitoring of security events are essential.
- Vulnerability Management: Assess how the solution's vulnerabilities are tracked and disclosed, and how easily regular updates can be applied without disrupting operations.
- Backups: Check whether the solution provides automatic backups and which additional backup options exist. Consider not only the speed of recovery but also protection against ransomware and data theft: at least one backup copy should be immutable or offline, and restores should be tested regularly.
- Logging and Monitoring: Ensure that important events (logins, permission changes, data exports) can be logged in a form that can be forwarded to your monitoring tools, and that automatic alerts can be set up to detect anomalies or unauthorized activity.
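The logging and monitoring item above is the one most easily turned into something concrete. The following is an added example, not code from the original article: a small Python script that applies a few alert rules to constructed ERP audit-log lines (the log format, field names and thresholds are assumptions for illustration, not any specific product's format). It flags a burst of failed logins, a successful login outside business hours, a user granting a privileged role to themselves, and a bulk data export.

```python
"""Added example: simple alert rules over constructed ERP audit-log events.

Log format (assumed for this example): <ISO timestamp> <user> <EVENT> key=value ...
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = """\
2024-10-01T08:02:11 anna LOGIN_OK ip=10.0.0.12
2024-10-01T08:05:40 anna VIEW_INVOICE id=1001
2024-10-01T22:14:02 bob LOGIN_FAIL ip=203.0.113.7
2024-10-01T22:14:09 bob LOGIN_FAIL ip=203.0.113.7
2024-10-01T22:14:15 bob LOGIN_FAIL ip=203.0.113.7
2024-10-01T22:14:21 bob LOGIN_FAIL ip=203.0.113.7
2024-10-01T22:14:28 bob LOGIN_FAIL ip=203.0.113.7
2024-10-01T22:14:40 bob LOGIN_OK ip=203.0.113.7
2024-10-01T22:16:03 bob ROLE_GRANT target=bob role=FINANCE_ADMIN
2024-10-01T22:20:55 bob EXPORT table=customers rows=48213
2024-10-02T09:30:00 anna EXPORT table=invoices rows=120
"""

# Thresholds are illustrative assumptions; tune them to the real business.
BUSINESS_HOURS = (7, 19)            # alerts outside 07:00-19:00 local time
FAIL_THRESHOLD = 5                  # failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window
BULK_EXPORT_ROWS = 10_000           # exports at or above this size


def parse(line):
    """Split one log line into a dict of fixed fields plus key=value details."""
    ts, user, event, *rest = line.split()
    detail = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **detail}


def detect(log_text):
    """Return a list of (alert_kind, user, timestamp) tuples in log order."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of recent LOGIN_FAIL

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        off_hours = not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1])

        if ev["event"] == "LOGIN_FAIL":
            # Keep only failures inside the sliding window, then check the count.
            window = [t for t in recent_fails[ev["user"]] if ev["ts"] - t <= FAIL_WINDOW]
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("BRUTE_FORCE", ev["user"], ev["ts"]))
                window = []  # reset so one burst produces one alert
            recent_fails[ev["user"]] = window

        elif ev["event"] == "LOGIN_OK" and off_hours:
            alerts.append(("OFF_HOURS_LOGIN", ev["user"], ev["ts"]))

        elif ev["event"] == "ROLE_GRANT" and ev.get("target") == ev["user"]:
            # A user granting a role to their own account is a classic privilege-abuse signal.
            alerts.append(("SELF_PRIV_GRANT", ev["user"], ev["ts"]))

        elif ev["event"] == "EXPORT" and int(ev.get("rows", 0)) >= BULK_EXPORT_ROWS:
            alerts.append(("BULK_EXPORT", ev["user"], ev["ts"]))

    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {kind} user={user}")
```

Run against the constructed log, the script raises four alerts, all for the user `bob`, and nothing for the ordinary daytime activity of `anna`. The point for procurement is not these particular rules but that the ERP solution must emit events with enough detail (who, what, when, how much) for rules like these to be written at all, and must let you export those events to wherever your monitoring runs.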
The list above is not exhaustive, and a detailed risk analysis will make selecting the security requirements considerably simpler.
Key Factors for Choosing a Successful ERP Solution Development Partner
The fourth, equally important, step is to find a suitable ERP development partner who is willing to be involved at every stage, from defining the functional requirements to ongoing maintenance of the system. A prerequisite for finding a good partner and keeping the relationship productive is to do your own homework thoroughly (including the first three steps) and to communicate your business needs, the associated risks, and the security requirements. The partner can help a great deal in refining these requirements, but the decisions remain the client's.
When assessing a partner's security, consider several criteria. Verify that the partner holds security certifications (e.g., ISO/IEC 27001) and can demonstrate GDPR compliance, including a data processing agreement where they will handle personal data on your behalf. Evaluate their security measures, incident management, access controls, and software update practices. Experience, reputation, and client feedback remain the best indicators of a partner's reliability.
These questions may seem simple, but answering them is often harder than expected. Thoughtful answers will help you understand your business needs, find a suitable development partner, and keep the project focused and the client relationship healthy.