Why Are We Talking About NetSuite Security?
If you read through the latest tech trend articles of 2020, as I did, you’ll notice nearly all of them mention cyber-security and data privacy as growing threats. The double-edged sword of technological innovation has never seemed so apparent as many of the technologies that showed promise a few years ago are now turned against us.
Here is what I’m talking about:
- AI and machine learning-based attacks are a thing and on the rise.
- Ransomware attacks have increased dramatically in recent years.
- Cryptocurrencies provide a way for ransomware attackers to extort their victims from around the world and remain anonymous.
With these new attacks being aimed at smaller business and entities more than ever now, it feels like a good time to do a security check and make sure us NetSuite users are doing all we can to keep our data secure. So, I put together a list of things NetSuite users can do to make sure they’re doing their part to stay safe in the AI-enhanced cyber-security age.
Don’t Be the Weakest Link
NetSuite does quite a bit to make sure their database isn’t breached by some outside threat. Their security system qualifies for five different third-party security certifications, including SOC I and SOC II, they guard their data centers with surveillance equipment, real-people, and alarm activated entrances. They run multiple, continuous intrusion detections systems to make sure malicious traffic isn’t accessing their systems data. And they do a lot more.
If your data is going to be compromised in 2020, it’s not likely because a NetSuite data center is hacked, and if it was, there is nothing users could do about it anyway. What’s way more reasonable and something users can take steps to prevent, is getting phished or accidentally installing malware. These infiltrations happen on an individual basis because someone wasn’t vigilant about cyber-security. Follow the steps below to avoid being an easy target because it only takes one employee’s mistake to leave the entire company vulnerable.
8 Steps to Keep Your NetSuite Data Safe
Avoid Public Wifi – Do you know what a pineapple is? No, not the lovable fruit that is both tasty and nutritious. I’m talking about the device that can pose as a wifi network, connect to your device, and stream all of your online interactions to an unknown hacker in the vicinity. This device can even see login information and pose as your device long after you disconnect and leave the area. These devices are legal to purchase and are available to everyone for around $100. I’ll let you imagine the damage someone can do with this kind of equipment, but you’ll want to think twice about what you do on public wifi or even using it at all.
Enforce IP Restrictions – NetSuite administrators can control which IP addresses can login to a NetSuite environment. This restriction can prevent people who stole information from logging in even though they have your credentials.
To do this, first, go to Setup> Company > Enable Features. Under the “Access” section you’ll see a check-box to enable “IP Address Rules.”
After this is checked, go to Setup > Company > Company Information. Under “Time Zone,” you’ll find a box “Allowed IP Addresses.” Type in the addresses you know are safe.
You can even do this on an individual employee level if your company employs people remotely or you have employees that sometimes work from home.
Use Strict Password Settings – Make sure you are up to date with the latest best practices in password policies. As an administrator, you’re responsible for the minimum number of characters for a password, minimum complexity it needs to have, and how often passwords reset. As a user, you’re responsible for coming up with a password that meets more than just the minimum requirements set by the admin.
To quickly catch you up on some of the more important password policy developments in recent years, here is a list of the major ones.
- Password length is now more important than complexity. Passwords like “X_wedSt9#hd” are hard for humans to remember but easy for computers to guess.
- Don’t force passwords to expire arbitrability with time. This can cause more harm than good as users will continually forget their password and are forced to rely on the admin or security questions to reset them. Once you have a good password stick with it.
- Complexity still matters, but don’t overdo it to the point you forget your password. This defeats the point.
- An ideal password is long, easy to remember, and is somewhat complicated. It might be helpful to use saying or a catch phrase that is easy for you to remember. For example, Buzz Lightyear’s catchphrase from Toy Story, “To infinity @nd Bey0nd” spaces included.
For a more in-depth guide on good password policies, check out this article Here.
Use Two-Factor Authentication – Two-factor authentication is a great fail-safe in the event your password and/or security information is stolen. The idea behind two-factor authentication is that even if you do get hacked, the attacker must hack an entirely different entity, like your phone or a third-party 2FA service, to gain access to your critical data.
NetSuite, by default, will place 2FA controls on any account that it deems “Highly Privileged.” These roles are usually administrator roles or roles that can do a lot of harm if they end up in the wrong hands.
However, you can also take steps to increase the number of roles that require 2FA. You can do this by going to Setup>Users/Roles>Two Factor Authentication Settings.
Here you can add 2FA to any role you feel has access to sensitive data and deserves an extra layer of protection.
For a more in-depth guide on how to set up 2FA for NetSuite, click HERE.
Smart Security Question Answers – Security questions are often overlooked because they have less requirements than passwords and are often hastily set up as an after-thought. This lack of diligence is exactly what hackers hope for when probing for weaknesses.
Answers to security questions should be thought of as a secondary password and have the same level of scrutiny applied to it as your first password. For a complete guide to smart answers to security questions, check out this Link. But here a couple of quick tips to get you started.
- Do not answer the question genuinely. If the security question asks for “Mother’s Maiden Name,” do not use your mother’s maiden name. That type of answer is easy to look up and your security question can be hacked by anyone with a facebook account.
- Stick to the same complexity as your password. Use length, spaces, and non-letter characters to make your security answer hard for both computers and humans to guess.
Sign in From the Same Link – Use the same method of logging in from NetSuite each time. Whether that’s a book-marked log in page or going to NetSuite.com and clicking “Log In” on the top right of the screen.
Do not log in from links on webpages that aren’t from NetSuite or from emails in your inbox.
It’s really easy for a hacker to duplicate the front-page of NetSuite and then send traffic to this page in the hopes that someone isn’t paying attention and unknowingly gives up their login info.
If you ever are unsure if a page is sending you to the right place to login, you can check to the URL to verify.
This is the correct URL for NetSuite login. You can also check to make sure the “Lock” symbol is displayed next to the URL, to verify that the website is secure.
Secure Integrations – One of the attributes that make NetSuite so attractive is its ability to integrate with many types of applications. However, not all applications are as secure as the NetSuite platform. A connection to an insecure application could be a vulnerability for your NetSuite data.
When integrating with an insecure application, not only is the data integrated at risk, but so too is all the data the role using the integration has access to.
So to make sure your integrations aren’t a liability, here are some tips.
- Look at the security protocols of the application you wish to integrate to NetSuite, avoid applications that have limited security procedures, if possible.
- Have an admin limit the access of the role that is performing the integration to only the necessary data.
- Have the developers leverage “saved searches” to provide the necessary information for the integration, to further limit how much data is risked.
Do Not Download Attachments or Click Links from Unknown Sources – The quickest way to get a malware infection is to download attachments from an email address you are unfamiliar with. In 2020, with the help of AI, it’s getting harder to tell who’s legitimate and who’s an attacker. To be on the safe side, do not download attachments or click links from senders who are emailing you out of the blue, and you cannot verify.
I hope this guide provides some useful tips for you in the advanced age of cyber-crime. The first step towards staying secure is understanding that you have to always stay up-to-date with the latest security trends.
If you think I left out any critical tip or care to explain something I touched on a little further, please leave a comment below to help keep the NetSuite community as informed as possible!
Jeremy McCourt is an content producer in the enterprise software industry that focuses on NetSuite and related cloud-based software solutions.
Preparing for an upcoming NetSuite ERP Implementation? You have come to the right place! And you are right to do some research before getting started; ERP implementations are notoriously tough to get right. Here are…
- Feb 16
- 11 mins read
Contact us! NetSuite Integration Partners: 3 Things to Look for! Searching for a NetSuite integration partner to help with a NetSuite project? No, this guide may not be able to help fix your problem. However,…
- Jan 12
- 4 mins read