ERP in the Cloud vs On-Premise: 4 Ways SMBs can Improve Security

Kimberly Berneck, President and CEO, BTM Global

If you’re a small or mid-sized business (SMB) thinking about moving to a cloud-based ERP, you’re not alone. With the increase in cybersecurity threats, the benefits of a cloud-based ERP are rapidly outpacing what an on-prem option can provide.

First, let’s make sure the definitions of cloud and on-prem ERPs are clear. Lisa Schwarz of NetSuite succinctly summarizes them this way:

On-premise ERP solutions are installed locally on your company’s hardware and servers and then managed by your IT staff while cloud ERP—also called SaaS, or Software-as-a-Service—is provided as a service. With this type of deployment, a company’s ERP software and its associated data are managed centrally (in the Internet “cloud”) by the ERP vendor and are accessed by customers using a web browser.

I’ve spent years in this industry, and security has always been a concern, but not the immediate threat that it is now to any business, anywhere, at any time. With more people working from home (47% of people fall for a phishing scam while working at home, according to this Deloitte article), bringing personal devices to work and accessing company data, plus typical human error, the security risks for SMBs are only growing.

A cloud-based ERP can mitigate many of those risks.

Outsource the resources
You may not have the IT resources that a big corporation has, not to mention a security architect who can find the latest threats and loopholes in your software. Security threats move so quickly that by the time you fix one, another pops up.


But a cloud-based ERP can lessen this risk. In a SaaS service model, the ERP vendor will manage the security of the ERP deployment from an infrastructure perspective, providing comprehensive security protection. The vendor will provide new releases and patch updates to protect against threats; some are even applied automatically. Instead of bogging down your team with ERP security worries, let your ERP provider take that on.

Keep access consistent and protected
Who should have data access, and what data should they be able to access in the ERP? Who is in charge of protecting access? What type of data needs more layers of access protection?

If you’re managing an on-prem ERP that’s integrated with other on-prem systems, access lines can look like a ball of Christmas lights: a big mess of interconnectedness that doesn’t seem to have a beginning or end.

Security access lines need to be properly drawn, and a cloud-based ERP vendor can ensure that. By relying on one cloud provider – rather than one for finances, one for CRM, one for warehousing, etc. – you can centralize control over systems and keep access lines firm. Many vendors use a security approach called “least privilege access” or “the principle of least privilege.” This gives a user the minimum level of access needed to perform their job. Nothing more, nothing less. It strengthens data protection by minimizing the opportunity for an employee’s bad behavior.


Once those lines are drawn, someone needs to monitor user activity and failed access attempts. That’s something SMBs can rarely do themselves. However, most cloud-based ERP vendors have rigid controls in place and will monitor those things for you, alerting you to potential breaches.

Manage growth and change
When your company quickly grows, merges, or acquires another organization, the ERP needs to adapt. A cloud-based ERP can scale much more quickly than on-prem, all while keeping security measures locked in place for business continuity.

For example, as a company adds users, locations or subsidiaries, it will at least need to add more servers for an on-premise ERP, along with IT resources to manage them. But with a cloud-based ERP, more functionality can be added when the business grows or changes. Users can be easily added, and even locations and subsidiaries are easy to bring online in a cloud-based system – no extra servers or IT resources needed.

Regulations are really complicated
If I haven’t convinced you yet that a cloud-based ERP is best for SMB security, then compliance and regulations should sway you.

Europe has the well-known GDPR regulations, which the U.S. doesn’t have. But small and mid-sized businesses in the U.S. still have to be GDPR compliant if they do business in Europe. Here in the States, different industries have different regulations (think HIPAA for healthcare or PCI for payments). Different states even have different regulations!


It boils down to this: If you’re doing business around the world or even around the country, you could spend a lot of time and money hiring an expert to protect you. Or, for a fraction of the cost, you can offload those worries to an expert ERP vendor team that knows your business, your systems and the relevant threats.

There are many advantages to a cloud-based ERP, but the rapidly changing nature of cybersecurity makes it a particularly important part of any SMB’s IT infrastructure. Talk to your prospective ERP vendors, read their policies and ask about their security audits and risk management assessments. There are huge benefits to moving your data to the cloud and offloading the security management to the ERP provider.