SAP customers more alert to internal than external threats

by Joseph K. Clark

According to a joint report from Turnkey Consulting and Onapsis Research, SAP customers are more concerned about insider threats than external attacks, a stance the report's authors decry as complacent.

Some 40.8% of the more than 100 SAP customers surveyed recently in the UK, the US, Europe, and Asia thought internal fraud was the biggest threat to their SAP application estates. In comparison, only 14.3% believed an external attack was the biggest threat.

Turnkey Consulting, which specializes in the security and governance of SAP environments, and Onapsis, a firm of enterprise software security researchers that provides a secure platform and services, conducted the research in May 2021. All respondents were managerial level and above within a cybersecurity-related function, with more than 15 different industries represented.

The firms’ SAP security survey report 2021 also found that 26.5% said a data loss or breach was their most significant threat, and 12.2% opted for systems downtime. Tom Venables, practice director of application and cyber security at Turnkey Consulting, said: “A key trend, and continuous theme over the years, is the disconnect between the widely acknowledged challenges of SAP security and the broader understanding and management of IT risk in general, where tools and processes have evolved to respond to growing threats more comprehensively. Closing this gap is critical if organizations are to protect themselves against the growing exposure to external threats.”

The report concluded by lamenting the complacency it identified among SAP customers. “Recent Onapsis research has found that SAP-specific threat actors are active, capable, and widespread, and critical SAP vulnerabilities are being weaponized in as little as 72 hours of a patch being released,” it said. “The impact of this stretches far beyond the theft of valuable information or the disruption to business and reaches into compliance implications such as GDPR and SOX.”

In his commentary inside the report, Venables said: “External attack is a significant threat to SAP systems – and increasingly so – but only one respondent in seven feels that it is the biggest threat to their systems. More and more malicious actors have realized that SAP often contains precious data and intellectual property – the kind of information that, if lost or inaccessible, would cause major business disruption.”

According to the report, the connection of SAP systems to software-as-a-service applications such as SAP’s own SuccessFactors and Salesforce is another point of vulnerability. Venables added: “As more organizations move towards a cloud-first future, there has been strong take-up of connectivity between SAP systems and software-as-a-service applications. However, there are issues around where security responsibility lies when this connection is made, with many cloud providers affirming that it is the customer’s responsibility to maintain a strong security posture when using these applications within the cloud.”

In the statement accompanying the report, Turnkey and Onapsis said the average SAP customer will have about 2,500 vulnerabilities within their custom SAP code. Yet, 36.7% of survey respondents did not review this code for security and quality issues.

Almost half of the respondents are not applying configuration standards for audit logging and password settings, and Venables registered concern about this in the full report, saying: “As with other issues in this survey, the amount of time and resources required to apply these standards is considerable: config drift needs checking, and high volumes of log data need processing. This is, therefore, an area where automation can assist, along with tools for alerting, monitoring, and change management functions that can keep track of any changes being made.”

A similar number of respondents carry out reviews, but do so manually, a slow and error-prone approach, said the report’s authors. Some 32.7% do not review code developed by third parties before it is imported into their SAP system, while 20.4% are unsure whether they do.

The report also noted that only 27% of respondents were not considering moving to S/4 Hana – the supplier’s flagship ERP system. This suggests that a significant majority of respondents to the survey demonstrate a disturbing “lack of realization that external attacks are of serious concern” in the context of a substantial shift from ECC6, said the report’s authors.

The research explored the notion that SAP systems are protected within the internal network and how this belief influences attitudes to external risks. 18.4% of respondents agreed: “SAP is within our network, and so is secured against cyber threats.”

Venables added: “The often misguided perception that SAP is secured against cyber-attacks because it sits within an organization’s internal network is gradually being shattered. A slight majority of respondents disagreed with the view; less than one in five still felt it was fully secured by being inside the network. However, it may well be that those who feel it is fully secured in this situation have the right tools and monitoring to cover SAP or that the level of their internet-facing activity is relatively limited.”

Only 28.6% confirmed they had an SAP vulnerability management program in place. The same proportion ensured their security operations centers (SOCs) had visibility into SAP security events. However, 36.7% admitted they were not always up to date with the latest patches.

The report’s authors said all this shows a disconnect between SAP security and more expansive IT security environments. André Ros, director of EMEA alliances and channels at Onapsis, added: “Organisations are making progress in how they protect their SAP systems, but as recent events in the news demonstrate, it’s still not enough. Traditional defense-in-depth strategies often fall short of covering the business-critical SAP application layer.

“Onapsis Research has demonstrated that threat actors can exploit unprotected, unpatched business-critical systems in less than 72 hours after the release of an SAP security note. Better protecting this SAP application layer from vulnerabilities with the right technology, timely threat intelligence, impactful services, and improved internal processes will be paramount to success.”