Securing your ERP journey to the cloud

A framework for mitigating fraud and cyber security threats in your cloud-based ERP

Cloud-based ERP systems have many advantages over their on-premises counterparts. For example, they offer far greater processing power, which enables organizations to make smarter, performance-based decisions through analysis of much greater volumes of data. Their accessibility from anywhere, at any time, from any device, makes managing HR, finance, production units, and supply chain logistics considerably more efficient. They also cost much less to establish and operate.

But this doesn’t necessarily mean all clear skies ahead. Your ERP journey to the cloud could lead you through all kinds of stormy weather if you don’t take the right steps to secure it. This is because operating in the cloud leaves your ERP system open to significant fraud and cyber security threats – from hackers, cyber criminals, and even your employees. 

Read this paper to learn about the multiple types of risks for ERP in the cloud and how to mitigate them.

To mitigate cloud ERP implementation and operational risks, plan early and budget sufficiently for in-depth security and controls.
Cyber and data security protection depend on the joint effort of people, process, and technology.

A framework for securing the cloud ERP

KPMG has developed a multi-element framework that can help you take full advantage of a cloud-based ERP system’s capabilities, while simultaneously protecting your organization’s sensitive data and transactions from fraud and cyber security risks.


Application controls

The key to application controls is automation and prevention; the more you automate your processes and controls – and the less you leave to manual action – the better your odds of preventing or mitigating fraud or theft risk. This portion of our framework takes into consideration business process controls, enhancement and configuration controls, and conversion and interface controls.


Application security

A guiding principle of cloud ERP security is that the same individual shouldn’t be able to control all aspects of a transaction. Rather, your process should require multiple people to sign off at various steps for the transaction to proceed. Multi-factor authentication (MFA) is another valuable “check and balance” method many organizations use to protect their most sensitive and mission-critical assets. Here, the framework addresses adaptive authentication, role-based access controls, cloud application security architecture, and sensitive access and segregation of duties.


Cyber and data security

It takes more than just technology upgrades to prevent or mitigate cyber and data security risks. Collaboration between the business and IT is critical. Employee awareness and training programs, an increased cyber security budget, and additional training for cyber security team members are also highly effective. This element of the framework will help you tackle information protection, cyber security, business and technology resilience, and privilege administrative access.


Security operations

As cyber threats are constantly evolving, so too must your cloud ERP security operation. It’s unlikely to work well if it’s done piecemeal, narrowly targeted to address a specific issue, or forgotten about once it’s in place. The areas we cover in this portion of the framework are enhancement management for security and controls, and cloud ERP security and controls operations.


User administration and governance

A key finding in a cloud threat report we co-authored with Oracle in 2018 was that more than 80 percent of cyber leaders suspect that employees fail to follow cloud security procedures. So, the more stringent your user administration and governance controls, the safer your environment will be. This component of the framework addresses user access management and certification, password management, and user analytics.