London, 29 July 2021: Many application owners are unaware of how vulnerable their SAP applications may be, significantly increasing the risks to their core enterprise systems. This is the overall conclusion of the SAP Security Survey Report 2021 undertaken by risk management consultancy Turnkey Consulting and Onapsis, a specialist in application cybersecurity and compliance solutions.
Only 14.3% of respondents believe an external attack is the greatest risk to their SAP environment, despite digital transformation, cloud-first approaches and mobile access increasing the levels of external threat faced by SAP systems. (40.8% believe internal fraud is the biggest threat, 26.5% say a data loss or breach, 12.2% opt for systems downtime and 6.1% are not sure.)
The average SAP customer will have around 2500 vulnerabilities within their custom code (programs created to tailor the SAP system for their specific needs), but 36.7% of respondents don’t review this code for security and quality issues. An equal number (36.7%) carry out reviews, but do so manually, an approach that is slow and error-prone. 32.7% do not review code developed by third parties before it is imported into their SAP system, while 20.4% are not sure whether they do.
That 36.7% of survey respondents had experienced downtime in their SAP landscape as a result of coding issues highlights the vital importance of review activity.
The research covered a range of questions that looked at how prepared customers were to deal with outside threats; most specifically it explored the perception that SAP systems are protected because they are within the internal network, and how this belief influences attitudes to external risks.
Other key findings include
The risk posed by these findings is highlighted by recent Onapsis research that showed SAP-specific threat actors are actively targeting and exploiting unsecured SAP applications and have the expertise and capabilities to carry out sophisticated attacks.
Tom Venables, practice director of application and cyber security at Turnkey Consulting, says: “A key trend, and continuous theme over the years, is the disconnect between the widely-acknowledged challenges of SAP security, and the broader understanding and management of IT risk in general, where tools and processes have evolved to respond to growing threats in a more comprehensive way. Closing this gap is critical if organisations are to protect themselves against the growing exposure to external threats.”
André Ros, director of EMEA alliances and channels at Onapsis, says: “Organisations are making progress in how they protect their SAP systems, but, as recent events in the news demonstrate, it’s still not enough. Traditional defence-in-depth strategies often fall short at protecting the business-critical SAP application layer. Onapsis Research has demonstrated that threat actors can exploit unprotected, unpatched business-critical systems in less than 72 hours after the release of an SAP Security Note. Better protecting this SAP application layer from vulnerabilities with the right technology, timely threat intelligence, impactful services, and improved internal processes will prove to be paramount to success.”
The SAP Security Survey Report advises on addressing the gap in understanding with education, the adoption of a ‘secure by design’ approach and breaking down the silos that exist between the SAP estate and wider IT risk management.
A copy of the full report is available to download here. (Access requires registration.)
-ends-
Note: The online survey was conducted during May 2021 with more than 100 SAP customers from the United Kingdom, Europe, Asia and the United States. All respondents were managerial level and above within a cyber security related function, with more than 15 different industries represented.