For some time now, we have been urging Chief Executive Officers to pay closer attention to the data security of their ERP software systems. Understandably, CIOs and senior people in technology departments rate the issue as one of their biggest worries, but now comes word that Chief Financial Officers are becoming concerned about ERP data security as well.
Indeed, a global survey of CFOs finds it is as big a worry to them as the financial matters they deal with on a daily basis. Consulting firm Protiviti reports that 84 percent of CFO respondents in its study stated that “security and privacy of data” tops the list of their priorities for 2020 and beyond.
For CFOs whose companies have an ERP software system, this must be especially worrisome.
Not only does ERP hold mountains of data about the manufacturing process, stretching from the supply line and inventory to customer lists and shipping details, but it also holds reams of financial information. For many systems, this likely includes accounts receivable and corporate banking information as well as payroll, which can provide a backdoor into employee bank accounts for cyberthieves.
Bad News from the Dark Side
The Department of Homeland Security has been warning about threats to ERP systems and in late August 2020, the newest threat emerged from a well-organized group of cybercriminals that calls itself DarkSide, likely taken from the Star Wars film franchise in which the character Yoda proclaimed, “the fear of loss is a path to the dark side.”
The gang announced in an audacious news release its intention to launch highly targeted ransomware attacks, and its first salvo reportedly netted a $1 million payoff from a victimized company.
For CFOs worrying about their ERP software system, this is just one additional potential threat. As a result, finance teams are stepping up to play a key role in enhancing the data security and privacy of ERP, and they need to work closely with the technology department in developing innovative methods for assessing, quantifying and maximizing the investments made in cybersecurity.
It is happening not a moment too soon.
Crowd Research Partners and ERPScan report that over the past few years there has been a dramatic uptick in the number of attacks on ERP software systems by both private and state-sponsored criminals. After the Covid-19 lockdowns resulted in people working from home on their own, often inadequately protected, personal devices, ERP has become an even more inviting target.
CFOs Playing a Key Role
In organizations that lack an in-house legal department, the task of considering proposals from ERP vendors and integrators often falls to the Chief Financial Officer. In many respects this makes sense, because the price tag is always high and a CFO is responsible for watching the entire budget.
But being handed the responsibility can be problematic for many CFOs. ERP software systems are unlike any other piece of technology their company buys or uses, and the contracts are unlike anything they may see during their career.
Here are four basic things a CFO should know when discussing acquiring a new or upgraded ERP software system.
1 – We tell this to all clients at the start of their ERP process: Do not sign the template contract a vendor and integrator will present to you. Such contracts are always one-sided in favor of the sellers and need to be carefully renegotiated.
2 – To help protect against possible cyberattacks, when discussing contract terms with a vendor have them put in writing the protections they offer and the steps they will take to minimize the risk of a breach or incident. If you and your IT department do not feel this provides adequate data security, make them include additional safeguards – and have it written into the contract.
3 – Since CFOs are charged with watchdogging all of a company’s budgets, along with the total cost specify in detail how changes will be authorized and who has the power to approve them. ERP software system installations and implementations are notorious for vastly exceeding the amount specified in a proposal and contract, and limiting who can approve change orders is one key way to keep a lid on the total cost.
4 – Make sure that your HR staff or employee relations consultant prepares a comprehensive change management plan that dovetails with the operational training that will be done. If ERP is new to your organization, it will change the way many employees do their jobs. Include a section on maintaining data security and privacy once the system goes live. Just as “loose lips sink ships” was seen and heard everywhere during World War II, a loose password will make it easier for cybercriminals to penetrate even the most thorough security precautions.
Don’t Go It Alone
Whether a CFO has some responsibility for protecting the data security of an existing ERP software system or is beginning the process of installing the organization’s first one, do not go through the process alone. While outside consultants may be expensive, they charge a tiny fraction of what the vendor and integrator will cost – especially if there is a problem during integration and implementation.
We can refer you to independent, technology-agnostic ERP and data security consultants.
We have devoted our career to negotiating and drafting ERP contracts, and litigating disputes when they arise. We will be happy to share our knowledge and experience with you.
Please feel free to send us an email or call 312.840.4320.