SAP Customers May Be Operating Under False Sense of Security, Find Turnkey and Onapsis

SAP Security Survey Report 2021 explores perception that SAP systems are protected against external risk.

August 2, 2021

5 Min Read


London; 29 July 2021; Many application owners are unaware of how vulnerable their SAP applications may be, significantly increasing the risks to their core enterprise systems. This is the overall conclusion of the SAP Security Survey Report 2021 undertaken by risk management consultancy Turnkey Consulting and Onapsis, a specialist in application cybersecurity and compliance solutions.

Only 14.3% of respondents believe an external attack is the greatest risk to their SAP environment, despite digital transformation, cloud-first approaches and mobile access increasing the levels of external threat faced by SAP systems. (40.8% believe internal fraud is the biggest threat, 26.5% say a data loss or breach, 12.2% opt for systems downtime and 6.1% are not sure.)

The average SAP customer will have around 2500 vulnerabilities within their custom code (programs created to tailor the SAP system for their specific needs), but 36.7% of respondents don’t review this code for security and quality issues. An equal number (36.7%) carry out reviews, but do so manually, an approach that is slow and error-prone. 32.7% do not review code developed by third parties before it is imported into their SAP system, while 20.4% are not sure whether they do.

The 36.7% of survey respondents that had experienced downtime in their SAP landscape as a result of coding issues highlights the vital importance of review activity.

The research covered a range of questions that looked at how prepared customers were to deal with outside threats; most specifically it explored the perception that SAP systems are protected because they are within the internal network, and how this belief influences attitudes to external risks.

Other key findings include:

  • 18.4% agree with the statement that ‘SAP is within our network, and so is secured against cyber threats’, while 26.5% are not sure. 51% do not believe this to be the case and 4% don’t know. (It should be noted that those that are confident about being fully secured have the right tools and monitoring in place, or low levels of internet-facing activity.)

  • Only 28.6% can confirm they have an SAP vulnerability management program in place.

  • Only 28.6% can say for certain that their Security Operations Centres (SOCs) has visibility into SAP security events – demonstrating the disconnect between SAP security and the wider IT security environment.

  • 51% say their SAP systems are always up-to-date and updated with the latest patches – but 36.7% report this is not the case and 12.3% aren’t sure.

  • Nearly a third (30.6%) feel their user’s maturity and capability to manage cyber risk to the SAP landscape leaves room for improvement, with the same number believing it was only average.

This risk posed by these findings is highlighted by recent Onapsis research that showed SAP-specific threat actors are actively targeting and exploiting unsecured SAP applications and have the expertise and capabilities to carry out sophisticated attacks.

Tom Venables, practice director of application and cyber security at Turnkey Consulting, says: “A key trend, and continuous theme over the years, is the disconnect between the widely-acknowledged challenges of SAP security, and the broader understanding and management of IT risk in general, where tools and processes have evolved to respond to growing threats in a more comprehensive way. Closing this gap is critical if organisations are to protect themselves against the growing exposure to external threats.”

André Ros, director of EMEA alliances and channels at Onapsis, says: “Organisations are making progress in how they protect their SAP systems, but, as recent events in the news demonstrate, it’s still not enough. Traditional defence-in-depth strategies often fall short at protecting the business-critical SAP application layer. Onapsis Research has demonstrated that threat actors can exploit unprotected, unpatched business-critical systems in less than 72 hours after the release of an SAP Security Note. Better protecting this SAP application layer from vulnerabilities with the right technology, timely threat intelligence, impactful services, and improved internal processes will prove to be paramount to success.”

The SAP Security Survey Report advises on addressing the gap in understanding with education, the adoption of a ‘secure by design’ approach and breaking down the silos that exist between the SAP estate and wider IT risk management.

A copy of the full report is available on request -


Note: The online survey was conducted during May 2021 with more than 100 SAP customers from the United Kingdom, Europe, Asia and the United States. All respondents were managerial level and above within a cyber security related function, with more that 15 different industries represented.

About Turnkey Consulting

Turnkey Consulting is a specialist GRC and IT security company that combines business consulting with technical implementation to deliver information security solutions in support of systems running both SAP and non-SAP solutions. It focuses on the delivery of specialised services in the areas of security, governance, risk and compliance (GRC), working service providers, audit partners and clients directly to provide the security controls and solutions that safeguard and complement the implementation of enterprise systems. Clients include some of the world's largest blue-chip companies alongside systems integrators and a number of government agencies.

The company was established in 2004 and has offices in the UK, Australia, France, Germany, Malaysia, Singapore and the US.

Follow Turnkey Consulting on Twitter at @TurnkeySAPGRC

About Onapsis

Onapsis secures the business-critical applications that run the global economy. The Onapsis Platform uniquely delivers actionable vulnerability insights, continuous threat monitoring, application security testing, and automated compliance for critical systems from leading vendors such as SAP, Oracle, Salesforce and others. Onapsis Research Labs, the team who powers the Onapsis Platform, is responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in business-critical applications.

This combination of our Onapsis Platform and Onapsis Research Labs is the reason why we proudly serve more than 300 of the world’s leading brands like Accenture, Deloitte, IBM, PwC, and Verizon—as well as 20% of the Fortune 100. We also secure 6 of the top 10 automotive companies, 5 of the top 10 chemical companies, 4 of the top 10 technology companies and 3 of the top 10 oil and gas companies.

Onapsis is headquartered in Boston, MA, with offices in Heidelberg, Germany, and Buenos Aires, Argentina.

For more information, connect with us on Twitter or LinkedIn, or visit us at

For more information, please contact:

Kate Alexander

PR Consultant

Email: [email protected]

Tel: +44 (0)7788 584413

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights