< Blog

#AtoZ – Cybersecurity : a strategic priority at the heart of your ERP system

17.07.26
Blog

#AtoZ – Cybersecurity : Protecting your ERP means protecting your business

For a long time, cybersecurity was considered primarily a technical issue, dealt with by IT teams. Today, however, this view has changed significantly.

Cybersecurity has become a strategic business challenge that concerns the entire organisation: executive leadership, business departments, IT teams, partners and suppliers alike.

The reason is simple: information systems now sit at the heart of business value creation. When they become unavailable, the entire organisation can be affected.

As organisations accelerate their digital transformation, their IT environments are becoming increasingly interconnected and therefore more exposed to cyber threats. ERP systems, the operational backbone of the business, have become critical assets that must be protected.

ERP: A strategic asset and a prime target

An ERP system does far more than automate business processes. It centralises some of the organisation’s most sensitive information, including:

  • Financial data
  • Customer and supplier information
  • Production data
  • Inventory and logistics
  • Procurement and purchasing
  • Human resources

A successful cyberattack against an ERP environment can have significant consequences, including:

  • Production downtime
  • Disruption to business operations
  • Loss or corruption of critical business data
  • Business continuity issues
  • Regulatory and financial impacts
  • Damage to customer and partner confidence

Cybersecurity is therefore no longer solely about preventing attacks. It is about ensuring system availability, protecting data integrity, and enabling the business to continue operating when incidents occur.

The question is no longer simply 'How do we protect ourselves?’, but rather ’How do we anticipate, detect and respond effectively?’

Cybersecurity has become a key pillar of operational resilience.

From a reactive approach to a proactive cybersecurity strategy:

Cyberattacks rarely exploit a single technical weakness. More often, they take advantage of a combination of vulnerabilities: weak governance, excessive user privileges, insufficient monitoring, outdated systems, complex architectures, or a lack of employee awareness.

An effective cybersecurity strategy relies on a holistic approach, combining:

  • Cyber risk governance
  • Identity and access management
  • Network and environment segmentation
  • Monitoring and threat detection
  • Backup and disaster recovery planning
  • Regulatory compliance
  • Continuous improvement

Cybersecurity is no longer a one-off project. It is an ongoing process that must be embedded within the organisation’s overall strategy.

Sage X3: An ERP platform that supports a secure digital strategy

At Deveho, we help organisations deploy, enhance, and optimise Sage X3, an ERP solution designed to meet the needs of manufacturing, distribution, and service organisations.

Sage X3 provides a range of features that contribute to strengthening the security of ERP environments, including:

  • Role-based access management
  • User access controls
  • Full transaction traceability
  • Audit logging
  • Secure integration with third-party applications
  • Administration best practices

However, as with any critical information system, security is not determined by the software alone.

It also depends on the overall architecture, configuration, hosting environment, maintenance, access governance, software updates, and user awareness.

Cybersecurity must therefore be considered from the very beginning of every ERP project, through a Security by Design approach, where security is built into the solution rather than added afterwards.

This need for a more comprehensive cybersecurity strategy is further reinforced by the evolving European regulatory landscape.

NIS2: Strengthening organisational cyber resilience

The European NIS2 Directive represents a significant milestone in the evolution of cybersecurity across Europe.

Against a backdrop of increasingly sophisticated cyber threats, the Directive reflects a fundamental shift in thinking: cybersecurity is no longer viewed purely as an IT responsibility, but as a strategic issue encompassing governance, risk management, and business continuity.

As cyberattacks become more frequent and more disruptive, organisations are expected to demonstrate their ability to anticipate threats, protect critical assets, detect incidents rapidly, and maintain business operations during periods of disruption.

From system protection to cyber risk management

One of NIS2’s key objectives is to extend responsibility for cybersecurity beyond IT departments alone.

The Directive promotes a risk-based approach, with stronger accountability at executive level. Organisations are expected to establish robust cyber governance frameworks, capable of identifying threats, assessing potential impacts, and implementing appropriate security measures.

Key requirements include:

  • Cyber risk governance;
  • Identification and protection of critical systems;
  • Identity and access management;
  • Vulnerability and incident management;
  • Business continuity and disaster recovery capabilities;
  • Employee awareness and training;
  • Supply chain and third-party risk management;

This final point is particularly significant. An organisation’s cybersecurity posture depends not only on its own infrastructure, but also on the security of its wider digital ecosystem. Service providers, software vendors, hosting partners, and external suppliers with access to information systems all represent potential sources of risk.

A direct impact on critical information systems

For organisations using ERP systems, such as Sage X3, the challenges posed by NIS2 are particularly significant.

ERP systems are now critical systems at the heart of business operations. They hold essential data and support processes that are vital to the running of the organisation:

  • Finance;
  • Production;
  • Procurement;
  • Inventory;
  • Logistics;
  • Supplier management.

In this context, the requirements introduced by NIS2 are prompting organisations to strengthen their approach across several areas:

  • Who has access to sensitive data?
  • Are access rights regularly reviewed and aligned with each individual’s responsibilities?
  • Are critical environments properly secured?
  • Are backups and recovery procedures tested regularly?
  • Is access granted to external partners properly controlled?
  • Is the company able to ensure business continuity in the event of a cyber incident?

The Directive thus reinforces a key principle: the security of an ERP system does not rest solely on the solution itself, but on its entire lifecycle, from design through to day-to-day operation.

An opportunity to enhance organisations’ cyber maturity

Beyond regulatory obligations, NIS2 represents an opportunity for businesses to structure their cybersecurity approach and strengthen their resilience in the long term.

The aim is no longer simply to prevent an incident, but to be able to limit its consequences and quickly return to normal operations.

This shift requires a change in mindset: moving from a predominantly reactive approach to a proactive strategy, integrating cybersecurity into the organisation’s key decision-making processes.

In particular, this requires better identification of critical assets, improved access governance, strengthened prevention and detection measures, and the development of a genuine cybersecurity culture amongst all staff.

Discussions organised with EY as part of the Devho Tour 2026 have shed valuable light on these transformations: a European context that remains diverse, varying levels of cyber maturity across organisations, and a growing need for businesses to anticipate new regulatory requirements.

The message is clear: cybersecurity must no longer be viewed simply as a compliance obligation, but as a driver of trust, performance, and resilience.

 

Deveho’s support: embedding cybersecurity at the heart of ERP projects

At Deveho, we firmly believe that a successful ERP project is not measured solely by the solution’s functional performance.

It must also guarantee the security, availability and long-term resilience of the information system.

Our role is to help organisations combine ERP performance, cybersecurity and regulatory compliance within a single, coherent strategy. We believe these objectives should never be treated separately, but as complementary drivers of long-term business resilience.

To achieve this, we support our clients throughout their Sage X3 digital transformation projects by integrating cybersecurity considerations from the earliest stages.

This approach is based in particular on:

  • securing architectures and environments;
  • governing access rights and permissions;
  • applying best practices in administration;
  • taking business continuity issues into account;
  • providing support in the face of regulatory changes.

A high-performing ERP system is also a secure one, capable of supporting business operations over the long term while withstanding today’s cyber threats.

By combining our Sage X3 expertise, our understanding of business challenges and continuous monitoring of cybersecurity and regulatory developments, we help our clients build information systems that are more robust, more resilient and better prepared for tomorrow’s challenges.

Today, cybersecurity is no longer just about protection. It has become a key driver of trust, business continuity and long-term competitiveness.

Would you like to discuss the cybersecurity challenges facing your Sage X3 environment? Contact us