
ERP Security & Compliance: Best Practices 2026

Protect your ERP system from breaches and ensure regulatory compliance with practical security controls, audit strategies, and vendor assessment criteria.

By Softabase Editorial Team
May 14, 2026 · 11 min read

Key Takeaways

  1. Implement role-based access control with segregation of duties and multi-factor authentication before any other security measure. This comes first.
  2. Encrypt all data in transit with TLS 1.2+ and at rest with AES-256, and segment your ERP into a dedicated VLAN.
  3. Enable full audit logging with real-time alerts for high-risk activities: vendor bank detail changes, permission escalations.
  4. Request SOC 2 Type II reports from cloud vendors and write requirements such as 24-hour breach notification into the contract.

Your ERP system contains everything an attacker wants: customer payment data, employee social security numbers, vendor banking details, proprietary pricing, and financial records. A breach does not just cost money. It costs trust, and trust takes years to rebuild.

The 2025 Verizon Data Breach Investigations Report found that enterprise applications are targeted in 34% of breaches, up from 22% in 2022. ERP systems are particularly attractive because they are the connective tissue of the organization. Compromise the ERP and you have access to everything.

Yet most mid-market companies treat ERP security as an afterthought. Default passwords, excessive user permissions, unpatched systems, and no audit logging. I have seen SAP Business One instances running on servers that had not been patched in 14 months. It is shockingly common.

This guide covers practical security controls that work for real companies with limited IT resources. Not theoretical frameworks that require a 20-person security team to implement. Concrete steps you can execute this quarter.

Access Control and User Permissions

Role-based access control is the single most important security measure for any ERP system. Every user should have the minimum permissions needed to do their job, nothing more. A warehouse worker does not need access to the general ledger. An accounts payable clerk does not need to modify vendor bank details without approval.

Segregation of duties prevents fraud. The person who creates a vendor should not be the person who approves payments to that vendor. The person who adjusts inventory should not be the person who reconciles it. Map your SoD requirements before configuring roles. SAP, Dynamics 365, and NetSuite all support SoD enforcement, but you have to configure it intentionally. Out of the box, most ERPs are far too permissive.

Implement multi-factor authentication for all ERP access, no exceptions. Cloud ERPs like NetSuite and Acumatica support MFA natively through their identity providers. On-premise systems like SAP Business One may require integration with Azure AD, Okta, or Duo Security. The cost is negligible compared to the risk. A $15 per user monthly Duo license is cheap insurance when your ERP holds $50 million in annual transaction data.

Review user access quarterly. When someone changes roles, their old permissions should be revoked within 48 hours. When someone leaves the company, their ERP access should be disabled the same day, ideally within hours of HR processing the termination. Automated deprovisioning through your identity provider eliminates the manual gap where orphaned accounts accumulate.
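An added example (not code from the article or from any ERP vendor) of the two checks this section describes, SoD conflict detection and the 48-hour role-change / same-day termination deprovisioning rule, run over a constructed role assignment and HR event list. The role names, the conflict matrix and the sample users are assumptions.

```python
from datetime import datetime, timedelta

# Constructed SoD matrix: role pairs no single user may hold together (role names are hypothetical placeholders).
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"inventory_adjust", "inventory_reconcile"}),
    frozenset({"journal_post", "journal_approve"}),
}

def sod_violations(user_roles):
    """Map each user to the sorted list of conflicting role pairs they hold."""
    findings = {}
    for user, roles in user_roles.items():
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= set(roles)]
        if hits:
            findings[user] = sorted(hits)
    return findings

def deprovisioning_gaps(user_roles, enabled, hr_events, now, sla=timedelta(hours=48)):
    """Flag terminated users still enabled past their termination day, and role
    changes older than the SLA whose old roles are still assigned."""
    gaps = []
    for ev in hr_events:
        user, roles = ev["user"], set(user_roles.get(ev["user"], ()))
        if ev["type"] == "termination" and user in enabled and now.date() > ev["at"].date():
            gaps.append((user, "terminated account still enabled"))
        elif ev["type"] == "role_change" and now - ev["at"] > sla:
            stale = sorted(set(ev["old_roles"]) & roles)
            if stale:
                gaps.append((user, "old roles not revoked: " + ", ".join(stale)))
    return gaps

# Constructed sample data for one quarterly review run.
USER_ROLES = {
    "alice": ["vendor_create", "payment_approve"],
    "bob": ["inventory_adjust", "inventory_reconcile"],
    "carol": ["journal_post", "journal_approve"],
    "dave": ["ap_clerk"],
}
ENABLED = {"alice", "bob", "carol", "dave"}
NOW = datetime(2026, 5, 14, 9, 0)
HR_EVENTS = [
    {"type": "termination", "user": "dave", "at": datetime(2026, 5, 12, 17, 0)},
    {"type": "role_change", "user": "bob", "at": datetime(2026, 5, 10, 9, 0), "old_roles": ["inventory_adjust"]},
    {"type": "role_change", "user": "carol", "at": datetime(2026, 5, 13, 15, 0), "old_roles": ["journal_post"]},
]

# Run the review over the sample data; both reports are empty when the controls hold.
SOD_REPORT = sod_violations(USER_ROLES)
DEPROV_REPORT = deprovisioning_gaps(USER_ROLES, ENABLED, HR_EVENTS, NOW)
```

Carol's role change is 18 hours old, so it is inside the 48-hour window and is not reported yet; Bob's is four days old and still carries the old role.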

Data Encryption and Network Security

All data in transit must be encrypted with TLS 1.2 or higher. This is non-negotiable in 2026. Cloud ERPs handle this automatically, but on-premise deployments sometimes still run internal traffic unencrypted. If your ERP traffic between the application server and database server is not encrypted, fix it immediately. Attackers who gain internal network access can sniff unencrypted database queries containing sensitive data.

Data at rest encryption protects against physical theft and unauthorized database access. Most cloud ERP vendors including NetSuite, Dynamics 365, and Acumatica encrypt data at rest using AES-256 by default. For on-premise installations, enable Transparent Data Encryption on your SQL Server or PostgreSQL database. The performance impact is 3% to 5%, which is acceptable for the protection it provides.

Network segmentation isolates your ERP from the broader corporate network. Place your ERP servers in a dedicated VLAN with firewall rules that restrict access to only necessary ports and source addresses. If your ERP is on the same network segment as user workstations, a compromised laptop is one lateral movement away from your financial data.

API security deserves special attention as integrations multiply. Every API connection to your ERP, whether it is your ecommerce platform, EDI middleware, or business intelligence tool, is a potential attack vector. Use OAuth 2.0 or API key authentication for all integrations. Rate limit API calls to prevent abuse. Log all API access and review logs weekly for anomalous patterns. One Dynamics 365 customer discovered a compromised integration key that had been making unauthorized data exports for three weeks before anyone noticed.

Regulatory Compliance Frameworks

SOX compliance affects any public company and many preparing for IPO. Your ERP must maintain complete audit trails for all financial transactions, enforce segregation of duties, and support internal controls testing. Key SOX controls in ERP include: approval workflows for journal entries, automated three-way matching for accounts payable, user access reviews, and change management logging for system configurations. NetSuite and SAP provide pre-built SOX compliance reports. Dynamics 365 offers them through the compliance center add-on.

GDPR applies if you have any EU customers or employees, regardless of where your company is located. Your ERP must support data subject access requests, the right to erasure, and data portability. Practically, this means you need to locate all personal data for a given individual across customers, contacts, employees, and vendor records, and export or delete it on request. Most ERPs can do this, but few make it easy. Budget for custom report development or a GDPR compliance add-on.

Industry-specific regulations add another layer. FDA 21 CFR Part 11 for life sciences requires electronic signature capabilities and complete audit trails for any system affecting product quality. PCI DSS for companies processing credit card payments dictates how payment data is stored and transmitted. ITAR for defense distributors requires controlling access to technical data at the user and field level. Verify that your ERP vendor has documented compliance capabilities for your specific regulatory requirements.

Document everything. Compliance auditors want evidence, not promises. Maintain written security policies, signed user access agreements, documented SoD matrices, quarterly access review records, and incident response procedures. Store these outside the ERP itself in case the system is compromised. A simple SharePoint or Confluence site dedicated to ERP compliance documentation saves enormous time during audits.

Audit Logging and Monitoring

Enable comprehensive audit logging and fight anyone who tries to disable it for performance reasons. Every login attempt, every data modification, every configuration change, and every report export should be logged with a timestamp, user ID, and before/after values. Yes, this generates significant log data. Modern storage is cheap. The alternative, having no forensic evidence after a breach, is expensive.

Implement real-time alerting for high-risk activities: vendor bank detail changes, user permission escalations, bulk data exports, and off-hours access from unusual IP addresses. Most cloud ERPs support webhook-based alerts that can feed into your SIEM or even a Slack channel. An Infor customer caught a phishing-compromised account within 20 minutes because they had an alert on after-hours vendor master changes.

Review audit logs with a purpose, not just as a checkbox exercise. Weekly reviews should focus on: new user accounts created, permission changes, failed login attempts (more than 5 from a single account suggests a brute force attempt), and any activity by admin or service accounts. Monthly reviews should cover: dormant account identification, SoD violation scanning, and API access pattern analysis.
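The alerting rules and weekly-review checks above written as detection logic over a constructed sample audit log; this is an added example, not code from the article or from any ERP vendor. The log layout, event names, role names and corporate IP range are assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample log in a hypothetical "ts|user|event|src_ip|detail" layout; adapt parse_line() to your vendor's export.
SAMPLE_LOG = """\
2026-05-13T09:12:41|jsmith|LOGIN_OK|10.20.5.17|
2026-05-13T22:40:10|jsmith|LOGIN_OK|203.0.113.45|
2026-05-13T22:41:03|jsmith|VENDOR_BANK_CHANGE|203.0.113.45|vendor=V-10442 iban_changed
2026-05-13T10:02:10|admin1|ROLE_GRANT|10.20.5.9|target=tlee role=FINANCE_ADMIN
2026-05-13T11:15:00|mwong|REPORT_EXPORT|10.20.5.31|rows=120000 report=customer_master
2026-05-13T11:16:00|mwong|REPORT_EXPORT|10.20.5.31|rows=40 report=open_invoices
2026-05-13T03:05:12|svc_edi|LOGIN_OK|10.20.8.4|
""" + "".join(f"2026-05-13T08:0{i}:00|pkim|LOGIN_FAIL|198.51.100.7|\n" for i in range(6))

CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed corporate ranges
PRIVILEGED_ROLES = {"FINANCE_ADMIN", "SYSADMIN"}     # hypothetical role names
BULK_EXPORT_ROWS = 10_000
FAILED_LOGIN_LIMIT = 5                               # the article's "more than 5 per account" rule

def parse_line(line):
    ts, user, event, ip, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "ip": ipaddress.ip_address(ip), "fields": fields}

def off_hours(ts):  # outside 07:00-19:00 or on a weekend
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19

def alerts(log_text):
    """Return (severity, user, reason) tuples for the high-risk activities."""
    found, failures = [], Counter()
    for raw in log_text.splitlines():
        e = parse_line(raw); f = e["fields"]
        external = not any(e["ip"] in net for net in CORP_NETS)
        if e["event"] == "VENDOR_BANK_CHANGE":
            sev = "critical" if off_hours(e["ts"]) or external else "high"
            found.append((sev, e["user"], "vendor bank detail change " + f.get("vendor", "?")))
        elif e["event"] == "ROLE_GRANT" and f.get("role") in PRIVILEGED_ROLES:
            found.append(("high", e["user"], "privilege escalation for " + f["target"]))
        elif e["event"] == "REPORT_EXPORT" and int(f.get("rows", 0)) >= BULK_EXPORT_ROWS:
            found.append(("high", e["user"], "bulk export " + f["report"]))
        elif e["event"] == "LOGIN_FAIL":
            failures[e["user"]] += 1
        elif e["event"] == "LOGIN_OK" and off_hours(e["ts"]) and external:
            found.append(("medium", e["user"], "off-hours login from outside corporate ranges"))
    found += [("medium", u, f"{n} failed logins") for u, n in failures.items() if n > FAILED_LOGIN_LIMIT]
    return found

ALERTS = alerts(SAMPLE_LOG)  # feed these to your SIEM or chat channel
```

Note that the service account's 03:05 login is not alerted because it comes from a corporate range; only the combination of off-hours and an outside address fires that rule.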

Retain audit logs for a minimum of seven years for SOX compliance, or as required by your specific regulatory framework. Ensure logs are tamper-proof by writing them to a separate system that ERP administrators cannot modify. Cloud ERP vendors typically store logs in their own infrastructure, but verify retention periods in your contract. Some vendors purge logs after 12 months unless you pay for extended retention.

Vendor Security Assessment

Before selecting a cloud ERP vendor, conduct a thorough security assessment. Request their SOC 2 Type II report and read it carefully, not just the opinion letter but the detailed control descriptions. Pay attention to any noted exceptions or qualified opinions. SOC 2 Type II means their controls were tested over a period of time, typically 12 months. Type I only confirms controls exist at a point in time, which is significantly weaker assurance.

Ask specific questions about data residency, encryption key management, incident response timelines, and breach notification procedures. Where is your data stored geographically? Who holds the encryption keys? How quickly will they notify you of a security incident? The answers reveal how seriously the vendor takes security. Vague responses or excessive delays in providing documentation are red flags.

Evaluate the vendor's patch management cadence. Cloud ERP vendors should be applying critical security patches within 48 to 72 hours of disclosure. Regular updates should happen monthly. Ask for their patch history over the last 12 months. If they cannot provide it, their security operations may not be mature enough to trust with your data.

Include security requirements in your contract. Data breach notification within 24 hours, annual penetration testing with shared results, the right to audit or receive audit reports, and clear data return and destruction procedures at contract termination. These are standard asks that reputable vendors will agree to without pushback. If a vendor resists contractual security commitments, consider it a serious warning sign.

Frequently Asked Questions

The five main ERP security risks in 2026: excessive user permissions that violate the principle of least privilege, unpatched systems with known vulnerabilities, weak or missing multi-factor authentication, insecure API integrations that create backdoors, and insufficient audit logging that prevents breach detection and investigation. Social engineering attacks against ERP users, above all phishing that imitates system notifications, are the most common attack vector. Companies running factory-default ERP configurations are especially vulnerable because vendors prioritize ease of use over security in their default settings.

SOX compliance in ERP requires four things: complete audit trails for all financial transactions (journal entries, accounts payable/receivable, inventory adjustments), segregation of duties that prevents the same person from creating and approving transactions, documented internal controls with testing evidence, and restricted access to financial configuration. Implement automated three-way matching for accounts payable, require dual approval for journal entries above a threshold, perform quarterly access reviews, and log every change to the chart of accounts. SAP and NetSuite ship with pre-built SOX reports; Dynamics 365 offers them through its compliance center module.

About the Author

Softabase Editorial Team

Our team of software experts reviews and compares business software to help you make informed decisions.
