Key Insights Blog

Read the latest insights from our experts on GRC and risk management

24 October 2013

SAP: The Increasing Cyber Security Threat

The cyber threat to IT systems in on the increase and this time it is not bored teenagers that we need to worry about. In this blog I ask, is it time to refocus some of our efforts towards the external threats to our SAP systems?

I recently watched a BBC documentary called “Horizon: Defeating the Hackers”. For anyone who didn’t see it I would thoroughly recommend it. Irrespective of your involvement or interest in the IT security industry it is an interesting programme.

The programme attempts to explain to the mainstream viewer some of the most complex IT security events of the past 5 years. This included Stuxnet, widely believed to be a US cyber attack on Iranian nuclear facilities. Understanding and explaining Stuxnet is something that I have attempted myself on several occasions so I take my hat off to the BBC for pulling it off so effectively!

If you haven’t already seen it here’s a clip -

Whilst an interesting story in itself, the importance of Stuxnet to me is that it represents a shift change in the threats that our customers’ SAP systems face from external sources and consequently the vulnerabilities that our clients need to manage. Stuxnet had a very clear purpose once it breached the IT security perimeter. It’s objective was to cause maximum disruption to the IT systems that would hurt it’s target organisation most. In the case of Stuxnet this was the systems controlling centrifuges within an Iranian nuclear facility. However, with many large corporations placing an increasing reliance on their IT systems SAP could be the more likely target for a lot of big corporate brands.

The other significance of Stuxnet is that it was a state sponsored attack. Last month the Ministry of Defence announced that it was to create a new ‘Cyber Defence Force’ - In a written statement in December last year, Cabinet Office Minister Francis Maude said 93% of large corporations and 76% of small businesses had reported a cyber breach in 2012. We are not talking about spotty teenagers looking to get a kick out of their next cyber conquest. These are highly organised teams from both the government and private sector looking to gain competitive advantage at an industry and national level.

Having allocated significant time and resources to segregation of duties and other internal controls for some years now we are seeing a new trend in our more risk aware customers. Those organisations who are more susceptible or aware of their vulnerability to cyber attacks are increasingly asking us to refocus our efforts towards the external threats to their SAP systems. Perhaps this is something that all SAP users should be taking more seriously?