SAP enterprise applications play a mission-critical role at countless organizations around the world, yet relatively little is discussed about the potential consequences of successful cyberattacks on these apps.
Unlike the continuous spotlight on Windows vulnerabilities -- and increasingly on Android malware -- flaws in enterprise platforms like SAP have remained largely under the radar despite the potentially bigger consequences of an attack.
New research conducted by the Ponemon Institute on behalf of Onapsis Inc., shows that a majority of IT and IT security professionals are aware of the risks of a SAP cyber breach but that senior executives are underestimating it greatly. Of the 607 technology professionals that Ponemon surveyed, 60% feared that the impact of an attack on their SAP applications would be catastrophic. But only 21% of senior leadership were aware of the risk or shared that concern.
“Worryingly, while survey data indicates SAP breaches are expected to increase, there is no single group or job function most accountable,” Larry Ponemon, chairman and founder of the Ponemon Institute said in a statement. “It appears that SAP cybersecurity is falling through the cracks between the SAP security teams and InfoSec teams, who need to step up to bridge the gap and make it a priority.”
Here are five key takeaways from the Ponemon report:
SAP applications can be buggy.
Seventy percent of IT and IT security professionals think it is either very likely or likely that their SAP platforms have at least one and possibly more malware infections. Survey respondents ranked SAP’s content and collaboration applications as the most vulnerable to attack followed by its data management, CRM, and ERP technologies. Enterprises on average experienced two SAP-related breaches every 24 months.
According to a paper presented by Onapsis at the RSA Conference in 2015, SAP released a total of 391 security patches in 2014, nearly 46% of which it considered as “high priority.” Onapsis claimed that 95% of the SAP applications that it has reviewed are exposed to vulnerabilities that could lead to a total compromise of a company’s data and business processes.
Breaches of SAP applications are unlikely to be detected quickly.
Only 25% of the survey respondents said they were "confident" or "very confident" of being able to discover a SAP application breach immediately. In a majority of the remaining cases, respondents suggested their organizations would take a significantly longer time to discover a SAP data breach. For example, 41% of respondents expressed confidence about being able to detect a SAP breach in one month, while 53% said they felt most confident about finding a breach within one year.
Enterprises don’t apply SAP application patches quickly.
Many organizations are really reluctant to deploy SAP security patches because of fears of service disruption, says Mariano Nunez, CEO of Onapsis. Though SAP has been responding faster to security problems in its products, the same is not true of the enterprises running the company’s apps, he says.
“We have in fact seen some organizations that have never applied SAP security patches at all, and only increase the security of the platforms when they do functional upgrades, which is usually once or twice a year,” he says.
Part of the reason is that SAP is used in such business-critical processes that enterprises often are more concerned about a faulty patch breaking critical applications and resulting in direct revenue loss.
No one really owns SAP security.
“Our research shows that many organizations don’t have one person, function, or department with overall responsibility for SAP security,” Ponemon says.“This may be due, at least in part, to shadow IT pressure and migration to the cloud.”
When respondents in the survey were asked who within their organizations would be responsible if a SAP system breach occurred, 30% said no one would be responsible. About 26% said it would be the CIO, while 18% pointed to the CISO. Based on the survey results “the CIO organization and lines of business appear to be the most likely “owners” of SAP security today,” Ponemon says.
Somewhat surprisingly, 54% said it was SAP’s responsibility -- not their organization's -- to ensure the security of the application and platform.
Attacks against SAP platforms will increase.
This is somewhat of a given considering the rapidly evolving threat landscape, But 47% of the respondents expected the frequency of attacks against their SAP infrastructure to increase over the next two years, while 54% expected such attacks to become more sophisticated and stealthy.
Adding to the concerns is the proliferation of IoT, Big Data, cloud, and mobile applications -- all of which will increase the SAP attack surface, according to the survey respondents.