While fraud remains the largest recurring concern for organisations, data breaches also pose a significant risk and should be addressed as such. Just recently, 533 million people had their information compromised in a Facebook data breach (nearly 7% of the entire planet). While leaked phone numbers and personal data might not seem all that important, cyber criminals have a variety of ways to use your data against you, such as threatening to release your information to the public unless you pay them a ransom (with no guarantee they won’t ask for more), or using your data for social engineering, e.g. impersonating your vendors to attempt to change their bank account details. The list of risks goes on, so how do you defend yourself?
The first step is to make sure you are using the tools you already have at hand.
The first major tool you have is control over your users. If someone leaves the organisation, disable their Sage 300 account immediately. Easy.
The second major tool you have control over is your users’ passwords. Passwords are the gateway to your Financial System, and they should be treated with care. Being bombarded with new passwords year after year, it’s very easy to get complacent. And once someone has your password, it’s game over – for you, and your organisation.
Sage 300 users can be allowed to either log in automatically, provided they are already logged in to their computer with their Windows password (this is called Windows Authentication), or log in with a specific Sage 300 username and password (this is called Sage 300 Authentication).
Sage 300 Authentication:
Regardless of how your users log in, you want to make sure that their passwords meet the following requirements:
- Your passwords should have a minimum length restriction:
  - BES recommends your passwords are at least 12 characters long. The longer the password, the harder it is to crack – we provide advice on password length and memorability here.
- Your passwords should be forced to change over time:
  - BES recommends changing passwords at least once a year.
- If an attacker tries to guess your password, they should be locked out:
  - BES recommends locking a user out for 5 minutes after 3 failed login attempts. This caters to genuine users accidentally mistyping their passwords, while stopping attackers trying to guess your password in their tracks.
If your users use Windows Authentication, then your IT Provider needs to implement these requirements.
If your users use Sage 300 Authentication, or your users access Sage 300 from the web, BES recommends you implement these requirements yourself. Simply run the Sage 300 Database Setup program, click the Security button, then enter as follows:
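As an added illustration (not part of the original post, and not Sage 300’s own code), the Python below models the three requirements above: a length check, a one-year age check, and a 3-strikes / 5-minute lockout replayed over a constructed sequence of login attempts. The user name, timestamps and passwords are made up.

```python
from datetime import datetime, timedelta

# Policy values from the post: 12-character minimum, change at least yearly,
# lock the account for 5 minutes after 3 failed attempts.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=365)
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = timedelta(minutes=5)

def password_problems(password, last_changed, now):
    """Return the policy rules a password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if now - last_changed > MAX_AGE:
        problems.append("not changed in over a year")
    return problems

class LockoutTracker:
    """Per-user consecutive-failure counter implementing the 3-strikes / 5-minute rule."""

    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time the lock expires

    def record(self, user, success, now):
        """Apply one attempt and return its outcome: ok, failed, lockout or locked."""
        if now < self.locked_until.get(user, now):
            return "locked"  # rejected even if the password is right
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.failures[user] = 0  # counter restarts once the lock expires
            return "lockout"
        return "failed"

def replay(attempts):
    """Run (user, success, time) attempts through one tracker; return the outcomes."""
    tracker = LockoutTracker()
    return [tracker.record(user, ok, when) for user, ok, when in attempts]

# Constructed sample (offsets in seconds from T0): three wrong guesses, a correct
# login 1 minute in while still locked, then a correct login after the lock expires.
T0 = datetime(2021, 4, 12, 9, 0)
SAMPLE_ATTEMPTS = [("jsmith", ok, T0 + timedelta(seconds=s))
                   for ok, s in [(False, 0), (False, 10), (False, 20), (True, 60), (True, 360)]]
```

Replaying `SAMPLE_ATTEMPTS` gives `failed, failed, lockout, locked, ok`: the correct password one minute in is still rejected, which is exactly the behaviour that stops a guessing attack while costing a genuine user only a short wait.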
The third major tool you have control over is your users’ permissions. Permissions (Security Groups and User Authorisations in Sage 300 speak) allow you to define exactly what each user can and cannot do in your Financial System. BES recommends the principle of least privilege, which is a fancy way of saying, “only give people access to what they need, and nothing more.” You apply this principle by auditing your users’ permissions to make sure they only have the permissions that they actually need. One of the most important permissions you should definitely audit is who can create and change user permissions. Also, as people change roles over time, make sure you remove any permissions that they no longer need.
Hopefully this gives you some insight as to how you can actively protect your Financial System. If you require further information, we’re happy to show you how to configure or audit your Financial System. We think this is a better approach than asking us to create your users and permissions, as it’s an easy way for your organisation to take control of its own security (and save some money in the process!).