Key Insights Blog

Read the latest insights from our experts on GRC and risk management

26 March 2020

69% of SAP users believe SAP projects do not prioritise IT security

Organisations are not fully equipped to manage risk, but have a growing appetite for ‘security by design’ finds Turnkey Consulting.

More than two thirds (68.8%) of SAP users believe their organisations put insufficient focus on IT security during previous SAP implementations, while 53.4% indicated that it is ‘very common’ for SAP security flaws to be uncovered during the audit process.  These are key findings of the SAP Security Research Report by risk management consultancy, Turnkey Consulting.

The research also uncovered that most respondents were not fully equipped to manage risk.  A fifth (20.8%) felt most businesses did not have the skills and tools to effectively secure their SAP applications and environment, with 64.3% saying they only had some skills and tools.

Looking at specific concerns, nine out of ten (93.2%) people thought it was likely that an SAP audit would flag Access Management issues.  Privileged or emergency Access was also a major concern with 86.4% believing it was common or very common to have audit findings specifically related to it.

However, the research also showed a growing awareness of the security challenges faced by today’s enterprise, with the adoption of ‘security by design’ regarded as a solution. 74.0% expect IT security to take greater priority in future SAP deployments, with 89.6% agreeing that security specialists should be brought on board to support their SAP S/4 HANA transformation programmes.

Richard Hunt, managing director at Turnkey Consulting, said:  “The findings of this survey mirror our day-to-day experiences; SAP security is often an afterthought on SAP deployments, with the result that not enough time and resource is allocated to the essential security activities that need to take place throughout the project.”

“However it is encouraging to see that boardroom awareness is growing as the general business environment becomes increasingly focused on compliance, data protection and cyber security. This understanding will drive organisations to take the critical step of designing security into implementations from day one.”

Turnkey undertook its inaugural SAP research to determine organisations’ preparedness as the SAP landscape undergoes a time of transition and the deadline to adopt SAP S/4 HANA approaches.  The SAP ERP offers extensive user benefits in terms of increased interconnectivity and mobility, but risks leaving SAP applications and infrastructure open to exploitation.

Hunt concludes:  “Rolling out SAP S/4 HANA requires significant investment and organisational commitment.  This reinforces why building in security from the start is vital if remediation, which is costly from both a financial perspective as well as in terms of business disruption, is to be avoided further down the line.”

Turnkey’s SAP Security Research Report is available to download here.