Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
Bedrock Managed Service
Scalable support and on-demand expertise that seamlessly integrates with your existing operations.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Partners
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Careers
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Blogs
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
19 May 2023

SAP: The Increasing Cyber Security Threat

The cyber threat to IT systems in on the increase and this time it is not bored teenagers that we need to worry about. In this blog I ask, is it time to refocus some of our efforts towards the external threats to our SAP systems?

I recently watched a BBC documentary called “Horizon: Defeating the Hackers”. For anyone who didn’t see it I would thoroughly recommend it. Irrespective of your involvement or interest in the IT security industry it is an interesting programme.

The programme attempts to explain to the mainstream viewer some of the most complex IT security events of the past 5 years. This included Stuxnet, widely believed to be a US cyber attack on Iranian nuclear facilities. Understanding and explaining Stuxnet is something that I have attempted myself on several occasions so I take my hat off to the BBC for pulling it off so effectively!

If you haven’t already seen it here’s a clip - https://www.youtube.com/watch?v=UCy2KyBC9sk

Whilst an interesting story in itself, the importance of Stuxnet to me is that it represents a shift change in the threats that our customers’ SAP systems face from external sources and consequently the vulnerabilities that our clients need to manage. Stuxnet had a very clear purpose once it breached the IT security perimeter. It’s objective was to cause maximum disruption to the IT systems that would hurt it’s target organisation most. In the case of Stuxnet this was the systems controlling centrifuges within an Iranian nuclear facility. However, with many large corporations placing an increasing reliance on their IT systems SAP could be the more likely target for a lot of big corporate brands.

The other significance of Stuxnet is that it was a state sponsored attack. Last month the Ministry of Defence announced that it was to create a new ‘Cyber Defence Force’ - http://www.bbc.co.uk/news/uk-24321717. In a written statement in December last year, Cabinet Office Minister Francis Maude said 93% of large corporations and 76% of small businesses had reported a cyber breach in 2012. We are not talking about spotty teenagers looking to get a kick out of their next cyber conquest. These are highly organised teams from both the government and private sector looking to gain competitive advantage at an industry and national level.

Having allocated significant time and resources to segregation of duties and other internal controls for some years now we are seeing a new trend in our more risk aware customers. Those organisations who are more susceptible or aware of their vulnerability to cyber attacks are increasingly asking us to refocus our efforts towards the external threats to their SAP systems. Perhaps this is something that all SAP users should be taking more seriously?