Hello Again Sage 500 ERP Customers,

Linda Cade

I must reluctantly begin this post with an admission that in my heart of hearts I wish for the days of naivete.  After all, I grew up in a small town like many of you in an age when we didn’t even lock the doors at night. Crime was something that happened somewhere else … not in my neighborhood … mischief maybe, but not serious crime.  Yet today on the way to work, I was bombarded with numerous ads warning me about identity theft.  The first thing that happened when I arrived at work was I had to wait for 15 minutes while my desktop completed a security update pushed out by our IT department.  Even my evening entertainment is filled with stories of computer hackers, internet stealth viruses and cyber theft.

Is it any wonder then that one of the top concerns expressed by owners and top executives of small and medium sized mid-market Sage customers was the desire to find peace of mind in knowing that their data was secure?  The business data we manage every day is everything from customer names and addresses to credit card data to investment portfolios to proprietary recipes or formulations to custom specifications and manufacturing methods.  As those ads are so quick to point out, in the wrong hands this information could ruin people’s lives or bring a business down.

Industrial espionage is nothing new.  It has probably been around as long as man has had the capacity for creative thought.  In fact, here are the top 5 “stolen” inventions:

  1. Hans Lippershey actually invented the telescope – not Galileo Galilei as we were taught in school.
  2. Ernest Duchesne used Penicillin to cure typhoid in 1897 – Waaay before Alexander Fleming was given credit for using it to cure polio.
  3. Antonio Meucci first demonstrated a working telephone in 1860 – Thirteen years before Alexander Graham Bell patented his telephone.
  4. Henri Poincare published works stating the theory of relativity thirty years before Albert Einstein came to prominence.
  5. Heinrich Goebel invented a working light bulb in 1854, which he tried to sell to Thomas Edison.  Edison refused until after Goebel died and then bought that same light bulb as the basis for his own work from Goebel’s widow for a price considerably below market value.

The difference is that back in the day, somebody had to get their hands dirty to steal plans and secrets … or at least hang around and wait for somebody to die.  Not so much today.  Today, all one has to do is tap a few keys on a keyboard and voila … the secrets of the universe are unlocked … or so it seems.  So how does one protect oneself and their business today?  In a blog post by Data Safe Storage, Phil Neray suggested the following steps (which I’ve modified somewhat with some of my own thoughts):

  1. Know where your data is.  You can’t secure what you don’t know about. Track down old applications, rogue databases, non-regulated think tanks, strategic plans, and other intellectual property that may be stored in non-traditional places.
  2. Make certain your operating systems and software are up to date.  Computer software companies test for holes in security as do those who publish operating systems.  When they detect a weakness, they publish security updates.  Those updates do you no good if you don’t apply them.
  3. Leverage the security tools available.  Over the years I’ve encountered countless companies that don’t even use the security tools available to them.
    1. Assign file privileges for database configuration files and options such as roles and permissions.
    2. Assign roles and permissions to users.
    3. Establish rules and parameters around how many failed logins result in a locked account.
  4. Remove or uninstall all database functions and options not in use.  These unused functions and options can be leveraged by external attackers to gain access.
  5. Monitor and audit for configuration changes.  Use an alerting system that notifies the database administrator immediately when the security configuration is changed, and log those changes to an externally generated and stored (preferably off-site) log file.
  6. Deploy Database Monitoring Software.  Monitor for unusual activity such as large file downloads, off-hours access to sensitive files, multiple access points using the same credentials, etc.  These measures should be applied to all users – especially privileged users with universal or unlimited access.
  7. Authenticate, control access and manage entitlement.  Applying “need to know” standards to sensitive data access is your primary line of defense.  Maybe it’s not such a good idea for that part-time after-school data entry clerk to have full security access to your entire ERP solution.
  8. Encrypt Sensitive Data. Identifying information, credit card numbers, recipes, formulas, or other critically sensitive data should be encrypted using an encryption key.  The encryption key should then be stored off-site in a secured location (such as a safety deposit box) as an added security measure.  When possible, do not store credit card or other financial account information belonging to individuals in your database.  Work with your payment processor to store this information in their PCI / PA-DSS compliant off-site vault.
  9. Mask test data. Remember to protect not only your production data but your test environment as well.  If possible, use a masking algorithm to “cleanse” data used for testing or training purposes.
  10. Utilize a Firewall with SSL Access Encryption. Mobility, cloud connectivity, and hybrid solutions are here to stay.  Use an encrypted firewall to protect your internal networks from cyber-attack. A firewall is the minimum defense against unwanted external access.  And for that really sensitive data, consider sequestering it on a separate network that is not even connected to the external world.[1]
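To make step 6 concrete, here is a small added example (not code from the original post or from Sage) that runs the three "unusual activity" checks named above over constructed database-audit records: off-hours access to a sensitive table, one login used from several client addresses, and an unusually large export. The table names, business hours, export threshold and record layout are assumptions chosen for illustration.

```python
"""Added example (not part of the original post): applies the step 6 checks
(off-hours sensitive access, shared credentials, large exports) to constructed
audit records. Table names, thresholds and record layout are assumptions."""
from collections import defaultdict
from datetime import datetime

SENSITIVE_TABLES = {"CustomerCards", "Formulations"}   # assumption
BUSINESS_HOURS = range(7, 19)                           # 07:00-18:59, assumption
LARGE_EXPORT_ROWS = 10_000                              # assumption

# Constructed sample audit records: (timestamp, login, client_ip, table, rows_read)
SAMPLE_AUDIT = [
    ("2024-03-04T09:15:00", "jsmith", "10.0.1.20", "SalesOrders", 120),
    ("2024-03-04T02:40:00", "jsmith", "10.0.1.20", "CustomerCards", 35),
    ("2024-03-04T10:05:00", "clerk01", "10.0.2.11", "SalesOrders", 40),
    ("2024-03-04T10:07:00", "clerk01", "198.51.100.7", "SalesOrders", 40),
    ("2024-03-04T14:30:00", "dbadmin", "10.0.1.5", "Formulations", 25_000),
]


def find_anomalies(records):
    """Return a list of (rule, login, detail) findings for the given audit records."""
    findings = []
    ips_by_login = defaultdict(set)
    for ts, login, ip, table, rows in records:
        hour = datetime.fromisoformat(ts).hour
        ips_by_login[login].add(ip)
        # Rule 1: sensitive table touched outside business hours
        if table in SENSITIVE_TABLES and hour not in BUSINESS_HOURS:
            findings.append(("off_hours_sensitive_access", login, f"{table} at {ts}"))
        # Rule 2: export far larger than normal usage (applies to privileged users too)
        if rows >= LARGE_EXPORT_ROWS:
            findings.append(("large_export", login, f"{rows} rows from {table}"))
    # Rule 3: the same credentials used from more than one client address
    for login, ips in ips_by_login.items():
        if len(ips) > 1:
            findings.append(("shared_credential_multiple_sources", login, ", ".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for rule, login, detail in find_anomalies(SAMPLE_AUDIT):
        print(f"[{rule}] {login}: {detail}")
```

In a real deployment the records would come from the database's own audit log and the findings would feed the alerting described in step 5.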

No data is ever 100% secure but with some attention to detail, some vigilance, and using the tools at hand one can find a level of peace of mind – knowing that all reasonable measures are being taken to protect your enterprise data and the future of your business.