
Security in Business Central and Microsoft 365

The ERP Manager guide is written by Abakion. Read it here and download it as PDF free of charge.

As ERP manager you may not have IT security as your primary area of responsibility, but your Business Central contains the company’s most sensitive and business-critical data. You must address security, even if you have an IT department that handles the technical side. This chapter walks through the basic security topics you need to have a grip on.

11 security areas you need to know

As ERP manager you must address 11 fundamental security areas:

  1. Multi-factor authentication (MFA)
  2. Passwords
  3. Phishing and social engineering
  4. Microsoft’s Security Defaults
  5. Backup
  6. Incident response plan
  7. Windows updates
  8. Mobile devices
  9. Remote work and VPN
  10. Antivirus
  11. Privileged Identity Management

1. Multi-factor authentication (MFA)

Multi-factor authentication is one of the most effective security measures you can have. The principle is simple: when you sign in, you confirm your identity with more than just a password, typically by approving the sign-in on your phone.

MFA is rapidly evolving. Not long ago you received an SMS with a one-time code. Then we got the Microsoft Authenticator app, where you approve a sign-in. Better methods are arriving continuously.

2. Passwords are becoming less important

Passwords are becoming secondary. Microsoft’s own recommendations are now:

  • passwords do not need to expire
  • they must be at least 14 characters long
  • beyond that, you shouldn’t spend more energy on passwords

Why complex password rules are counterproductive

The harder we make it for ourselves, the easier we make it for the attackers. If you must change your password every month and it must be complex, you end up choosing something you can remember and just changing the last character each month.

Computers have become so fast at guessing passwords by brute force that the only real defense is to limit the number of sign-in attempts and supplement with multi-factor authentication. If only ten sign-in attempts are allowed before the account is locked, an attacker’s computer can’t sit there firing thousands of guesses per second.

How to choose a password

If you still use passwords, choose something unique to you. Make up a sentence in your head and use, for example, the first three letters of each word. Base it on something meaningful to you, but not a name or a word that can be looked up.

Minimize the number of passwords

The best thing you can do is to minimize the number of places where you have a password at all. Use your Microsoft account or Google account to sign in to other services, so you have only one place where you need to maintain security. Then you can make that one place really secure.

Password managers

Many people use password managers to generate and store strong passwords. That can work well if it is done properly. Use a professional password manager with a strong master code and two-factor authentication. Never store passwords in a Word or Excel document, even if you password-protect the file.

Never reuse passwords

Hackers rarely go after your local files. They hack databases at the services you are signed up with. When a shopping site is compromised, the attackers get access to thousands of email addresses and hashed passwords. They then try the same combination on every other service. That is why it is critical that you don’t reuse passwords.

3. People are the biggest security risk

Employees remain the biggest security risk. The volume of cyberattacks is alarming and rising.

Phishing is still the classic threat

The classic threat is phishing: an email that looks credible but lures you into clicking a link or giving up your sign-in credentials. It has existed for many years, and most people know about it, but the attacks are becoming more sophisticated.

AI makes voice fraud a real threat

With AI you can clone a voice and call as someone else. An attacker can pose as your CEO and ask you to transfer money or hand over access credentials. It can be hard to tell the difference, especially if you don’t know the person well.

The counter is clear procedures

The counter is clear procedures:

  • agree that your CEO will never send an SMS asking to transfer money
  • an email that just says “pay this” will never be genuine
  • payments and access changes must always go through the proper channels
  • critical actions should be confirmed face-to-face or with an agreed security word

As ERP manager you should ensure that all employees who can perform financial transactions in Business Central have set procedures for verification. The same applies to employees with responsibility for security-related changes.

4. Microsoft’s Security Defaults

Microsoft continuously expands their security package. At minimum you should have Microsoft’s Security Defaults turned on. It is a collection of basic security settings that Microsoft maintains and updates.

Security Defaults isn’t the most advanced security level, but it ensures that your baseline keeps up with the times. New security requirements are gradually added, and after a period Microsoft makes them the standard. Your security moves along without you needing deep insight into what is changing.

For any company using Microsoft 365 and Business Central, Security Defaults should at minimum be enabled.

5. Backup procedures you can rely on

Backup is still an area where many companies stumble, not because they lack a backup, but because they don’t regularly verify that it works.

Make sure everything is backed up

| Data type | What Microsoft provides |
| --- | --- |
| Business Central | 28 days of backup. You can start a restore yourself from the admin center. |
| Emails | Limited retention via Microsoft 365 |
| OneDrive and SharePoint | Version history and recycle bin |

Why you need third-party backup

Your files in OneDrive and SharePoint are vulnerable. If your computer is hit by ransomware that encrypts all files, the encrypted files are automatically synchronized up to OneDrive.

You should have a third-party backup. An independent copy of your data that isn’t connected to the systems that can potentially be compromised. It isn’t enough to have files on the computer and in OneDrive. Both can be hit at the same time.

Verify that the backup is running

The most important point: regularly verify that your backup actually runs. There are companies that don’t discover their backup hasn’t run for 14 days until the day they need it.

Most backup solutions can verify that the backup file is created correctly, scan for errors, and send a notification if there is something to follow up on.

Also test the restore process

Periodically verify that a backup can actually be restored. Fewer companies do that than you might think. It is a very good idea.

6. Incident response plan for an attack

What do you do when things go wrong? Most small and medium-sized companies haven’t answered that question in advance.

The difference between large and small companies

Large companies have incident response plans with detailed procedures for who does what and in what sequence. They have rehearsed the scenarios and have templates ready for informing customers and authorities. When a security incident occurs, they follow a step-by-step plan.

Most small and medium-sized companies don’t have a plan. When it happens, things move fast, and you end up making important decisions under pressure that you would rather have made calmly.

There must be internal and external communication. There must be an investigation of what happened. The first 24 hours often go by just figuring out what happened at all, and the clock is ticking.

Minimum incident response you should have

If you don’t get a full incident response plan made, you should at minimum have a plan for this:

  1. Stop the incident. The first thing you must do is stop what is in motion. That may mean disabling compromised accounts or shutting down access to certain systems.

  2. Have someone you can call. Make sure you have a security advisor or IT partner you can contact immediately. Someone who can help you keep a cool head and lay out a plan for the next 30 minutes.

  3. Know your notification obligations. Under privacy regulations like GDPR you must notify the data protection authority within 72 hours and the affected individuals without undue delay. Have a list of who to contact and what to communicate.

It is better to have a simple plan than no plan. Set aside three hours to think through the most likely scenarios: what you do in the event of a ransomware attack, what you do if an email account is compromised, what you do in the event of a data leak. You don’t need to cover everything, but you need to have thought through the most obvious situations before they arise.

7. Windows updates as mandatory hygiene

Windows updates must just run. It is basic security hygiene and should be a fixed part of practice for all employees.

Microsoft regularly releases security updates, and they should be installed as soon as they are available. This should be centrally managed with Microsoft Intune, which is included in most Microsoft 365 license packages. With Intune you can ensure that all the company’s devices receive the updates without depending on the individual employee remembering to click “update now”.

8. Mobile devices: three approaches to management

The phone has become the center of our digital lives and an important part of access to the company’s systems. It is used for multi-factor authentication, for Teams calls, for reading emails, and for approving payments. This raises the question of who manages the phone.

The three models

| Model | Description | Risk and control |
| --- | --- | --- |
| Company phone with full management | The company owns and fully controls the device | Most control, most invasive for the employee |
| Personal phone without management | The employee uses their own phone for everything | Highest risk |
| Personal phone with app management | The company manages only the company apps via Intune | Balance between control and privacy |

How app management works with Intune

With Intune you can separate company data from personal data on the same device. The employee keeps full control over their personal apps, photos, and accounts. The company’s apps (email, files, Teams) are downloaded through a company portal and live in a protected layer.

The consequences of the setup are:

  • data cannot be copied out of company apps
  • you cannot take screenshots of the Outlook app
  • if the phone is stolen, the company can remotely wipe company data without touching the employee’s personal content
  • when an employee leaves, company apps are deleted centrally and all company data disappears while personal data remains intact

It is a solution that respects the employee’s privacy while protecting the company’s data. It requires a certain setup, but with Intune it is manageable.
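The consequences listed above are not a side effect of Intune; each one is a setting in an Intune app protection policy. The following PowerShell is an added example written for this chapter, not Abakion’s or Microsoft’s own code: it creates such a policy for Android through Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK is installed; the display name and the 30-day offline wipe period are chosen values, and assigning company apps and user groups to the policy is a separate step not shown here.

```powershell
# Added example: create an Intune app protection policy (Android) whose settings
# implement the four consequences described in the text. Property names follow
# the androidManagedAppProtection resource in Microsoft Graph v1.0.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' -NoWelcome

$policy = @{
    '@odata.type'                           = '#microsoft.graph.androidManagedAppProtection'
    displayName                             = 'Company apps - data protection (example)'  # chosen name
    # Data may only flow between company (managed) apps, never to personal apps
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    # Copy/paste out of company apps is blocked; pasting in from personal apps is allowed
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    # No screenshots of Outlook or other company apps (Android-only setting)
    screenCaptureBlocked                    = $true
    # No 'Save as' to personal storage, no printing, no sync of company contacts
    saveAsBlocked                           = $true
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    # A lost or stolen phone that stays offline loses its company data after 30 days
    # (chosen value); the admin can also trigger a selective wipe at any time
    periodOfflineBeforeWipeIsEnforced       = 'P30D'
    # Company apps are protected by their own PIN, independent of the device lock
    pinRequired                             = $true
    minimumPinLength                        = 6
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections' `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read back the settings that matter most, as a check that the policy was stored as intended
"Created policy $($created.id)"
"  screenshots blocked:       $($created.screenCaptureBlocked)"
"  outbound data transfer to: $($created.allowedOutboundDataTransferDestinations)"
"  clipboard sharing:         $($created.allowedOutboundClipboardSharingLevel)"
```

The personal side of the phone is untouched because the policy is attached to the company apps, not to the device; an equivalent iosManagedAppProtection policy is needed for iPhones, where screenshot blocking is not available.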

9. Remote work and VPN

When employees work from home, from an airport, a conference, or a café, they use an internet connection that the company doesn’t control.

The risk with uncontrolled networks

The risk is concrete:

  • a home router can be outdated and without security updates
  • in an airport someone may have set up a fake WiFi network with the same name as the airport’s official one
  • everything you send and receive over a fake network passes through the attacker’s computer

VPN as an encrypted tunnel

The solution is VPN, an encrypted tunnel between the employee’s device and the company’s network. With a VPN everything is encrypted regardless of which network the employee is on.

VPN has existed for a long time, but there was a period where many companies moved away from it because it was cumbersome for users. That is changing because the threat landscape is sharper and because the alternative (the company having to secure the employee’s private internet connection) is impractical and intrusive.

It is easier to encrypt the traffic with a VPN than to manage which router an employee has at home. If your company has employees who work outside the office, you should have a VPN solution in place, and the employees should know they must use it.

10. Antivirus: Microsoft Defender does the job

Antivirus is so fundamental today that it barely deserves its own section. Microsoft Defender is built into Windows and runs automatically. It scans files, updates daily, and you don’t need to install anything extra.

20 years ago antivirus programs were a big deal. Today the functionality is part of the operating system. Make sure Defender is turned on and updated, and spend your energy on the other security areas that demand more of you.

11. Privileged Identity Management

A principle that is gaining ground is Privileged Identity Management. The idea is simple. Your administrative permissions are there, but they aren’t active.

How Privileged Identity Management works

In the old days an IT administrator typically had two users: one for daily work and one with administrator permissions. With Privileged Identity Management you have only one user. Your administrative permissions sit on your profile but are switched off. When you need to perform an administrative task, for example changing an environment in the admin center, you grant yourself temporary access, for example for two hours. When the task is complete or the time expires, the permissions are deactivated automatically.

The security effect

If your account is compromised, the attacker only has access to what an ordinary user can do. The administrative permissions are not active and cannot be misused.

Prerequisites and adoption

Privileged Identity Management requires an additional license from Microsoft and is therefore mostly used by medium-sized and large companies.

Three questions you should ask as ERP manager

Whether or not you implement Privileged Identity Management formally, ask yourself three questions:

  1. how many people have administrative permissions to your environment
  2. are the permissions active at all times
  3. how do vendors get access to the environment, and is that access active at all times
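The three questions can be answered from the tenant’s own role data, and the same query shows the distinction the section above draws between permissions that are merely present (eligible) and permissions that are switched on (active). The following PowerShell script is an added example written for this chapter, not Abakion’s or Microsoft’s code. It assumes the Microsoft.Graph PowerShell SDK, a tenant where Privileged Identity Management is available so that role assignment schedules are exposed, and read-only permissions; it changes nothing.

```powershell
# Added example: read-only inventory of Entra ID directory role assignments,
# organised around the three questions an ERP manager should ask.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'Application.Read.All' -NoWelcome

# Resolve role ids to names once so the report is readable
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

function Resolve-Principal([string]$id) {
    # Users (including guests) and service principals are the usual assignees
    $u = Get-MgUser -UserId $id -Property displayName,userType -ErrorAction SilentlyContinue
    if ($u) { return "$($u.DisplayName) ($(if ($u.UserType -eq 'Guest') { 'guest user' } else { 'user' }))" }
    $sp = Get-MgServicePrincipal -ServicePrincipalId $id -ErrorAction SilentlyContinue
    if ($sp) { return "$($sp.DisplayName) (service principal)" }
    return "$id (group or unknown)"
}

# Active schedules: AssignmentType 'Assigned' is standing access, 'Activated' is a
# time-boxed PIM activation. Eligible schedules are the "switched off" permissions.
$active   = @(Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All)
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All)

$report = foreach ($a in $active) {
    [pscustomobject]@{
        Principal  = Resolve-Principal $a.PrincipalId
        Role       = $roleNames[$a.RoleDefinitionId]
        State      = $a.AssignmentType
        Expiration = $a.ScheduleInfo.Expiration.Type   # 'noExpiration' = active at all times
    }
}
$report | Sort-Object Role, Principal | Format-Table -AutoSize

# Question 1: how many distinct principals hold administrative roles, active or eligible?
$holders = @($active.PrincipalId) + @($eligible.PrincipalId) | Sort-Object -Unique
"Principals with administrative roles (active or eligible): $(@($holders).Count)"

# Question 2: which permissions are active at all times? Standing, never-expiring ones.
$standing = @($report | Where-Object { $_.State -eq 'Assigned' -and $_.Expiration -eq 'noExpiration' })
"Standing active assignments that PIM would turn into eligible ones: $($standing.Count)"

# Question 3: external access. Guest users and service principals with standing
# access are the partner and vendor accounts to review first.
$standing | Where-Object { $_.Principal -match 'guest user|service principal' } | Format-Table -AutoSize
```

A healthy PIM setup shows most administrators in the eligible list and few or no rows with State Assigned and Expiration noExpiration; every row that does appear there is a permission an attacker inherits the moment that account is compromised.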

Demand the same of your partner

Your ERP partner typically has access to your environment to be able to support you. That access should not be active at all times. Ask your partner to use Privileged Identity Management or an equivalent mechanism, so that their access is only active when they are actually working on your environment. It isn’t about distrust. It is about reducing the attack surface.
