SAP is the enterprise resource planning system of choice for the vast majority of companies. Businesses choose it for everything from supply chain management to human resources to finance and beyond. It handles processes, stores data, and acts as the nerve center for complex and large enterprises.

However, SAP is also uniquely vulnerable. And between its mission-critical role and its vulnerability, SAP is a prime target for cyberattackers.

What’s the Risk?

ERP cybersecurity breaches can completely devastate a company. The loss of sensitive data, fraud, lawsuits, recovery expenses, and the PR nightmare that accompanies it all can easily climb into the millions of dollars to repair. According to the 2017 ERP Cybersecurity Survey, the average cost of a security breach in SAP is estimated at $5 million, with a third of the respondents estimating damage at more than $10 million.

And that’s if they even recover at all.

In 2013, USIS — a federal contractor providing background checks for Department of Homeland Security — had their SAP system infiltrated by cyberattackers. The security of over 25,000 government workers was compromised, and USIS lost over $2.8 billion in contracts. They never recovered, and filed for bankruptcy in 2015.

To understand how this happened, we have to understand all the ways in which SAP is vulnerable.

Pinpointing the Vulnerabilities

In 2017, over 270 SAP security vulnerabilities were identified, with cross-site scripting (XSS) being the most common identified vulnerability type, and Customer Relationship Management (CRM) being one of the more vulnerable modules.

It’s not unusual for large and complex systems like SAP to have vulnerabilities. What is unusual is that these vulnerabilities are going largely unaddressed by most companies.

In February of 2016, the Ponemon Institute released a study, Uncovering the Risks of SAP Cyber Breaches. In July of 2017, we conducted our own study, Cyberattacks and CVs: Can SAP E-Recruiting Expose Your Company to Risk?

The Ponemon study highlighted a major vulnerability that surprisingly, has little to do with the platform itself. As it turns out, many companies simply are not clear about who should be responsible for SAP cybersecurity.

SAP teams are often responsible for segregation of duties, roles and permissions, and transports, and they assume that the IT team has the SAP cybersecurity covered. In the meantime, the IT team is focused on network security, and thinks that the SAP team has SAP cybersecurity on their radar. Twenty-five percent of the Ponemon study respondents say no one function is most accountable for SAP cybersecurity.

In addition to not knowing who should be guarding the house, the house itself has faulty locks and latches. Slipping malware and other malicious code into SAP is surprisingly easy. In our own study, we were able to upload a test malware into 52 percent of the tested systems.

A Blind Spot for Anti-Virus

None of these issues would be as dire if companies could protect SAP using their anti-virus programs.

Unfortunately, that’s impossible.

SAP data storage operates very differently from standard file-systems. Uploads to SAP applications are usually transferred through SSL-encrypted connections and stored in SAP’s own database instead of in standard disk volumes. Whether it’s at the point of transmission, storage, or execution, at no point does the anti-virus program get to see what’s there. And if it can’t see the files, it can’t scan them.

So as far as SAP is concerned, standard anti-virus programs are essentially blind.

Keeping Your SAP System Safe

The biggest thing that companies can do is to stay abreast of all SAP cybersecurity news. Months or more can pass between when a vulnerability is identified and the patch is released. Installing the patch right away helps to narrow the window of vulnerability.

Additionally, it is vital for companies to clearly define roles when it comes to SAP cybersecurity. Considering what’s at stake, it is exceedingly dangerous to assume anything about who is responsible for keeping this system safe. Clarifying processes and roles and making certain that there is an identifiable tier of ownership for your company’s SAP cybersecurity can play a large part in preventing it from slipping through the cracks.

Protecting SAP from cyberattacks is a task that needs to be taken seriously by everybody in the organization, and requires clear and forward-thinking leadership. When businesses open their eyes to the risks and their minds to the possible solutions, they stand a much better chance of weathering any attempted security breaches.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access

Joerg Schneider-Simon

Joerg Schneider-Simon

Joerg Schneider-Simon is chief technology officer and co-founder at bowbridge Software, which offers SAP cybersecurity solutions for organizations worldwide.