The global and independent platform for the SAP community.

Why SAP Systems Urgently Need More Cyber Security

Cybercrime reports have been ringing alarm bells. Threats to ERP systems have also been intensifying. According to a study, the number of cyberattacks on SAP landscapes will reach an all-time high by 2023.
Philipp Latini, Sivis
June 7, 2024

Ransomware incidents alone have increased fivefold since 2021, and the increase in dark web chats about SAP vulnerabilities is similarly high. No wonder: with over 400,000 customers accounting for almost 90 percent of global trade volume, SAP landscapes are a profitable target for financially motivated exploits. This is where the "crown jewels" of corporate data are managed, including design plans and recipes, confidential financial results and pricing strategies, credit card data and personal HR data. SAP knows everything, and without SAP, usually nothing works. Whether the attackers are looking to steal know-how, manipulate finances, trade in stolen data or extort ransom money, security leaks in SAP systems can hit companies to the core.

Yet SAP remains a blind spot on the IT security map for many companies. Why do companies so often massively underestimate ERP security risks?

Cyber-attacks only affect the big players. No. According to the "Wirtschaftsschutz 2023" study (Economic Security) published by the digital association Bitkom, around three-quarters of all German companies were victims of cybercrime last year. Attackers are forming alliances, expanding their "services" and systematically targeting small and medium-sized businesses—all with a high degree of specialization and sophisticated methods. Criminal tactics are becoming increasingly professional, with the average incident taking six months to detect and resolve—plenty of time for attackers to steal data, manipulate systems, and cover their tracks.

Certificates and audits will do. No! Neither the auditor's certificate nor security audits can identify all vulnerabilities and anticipate future security gaps. New legislation, such as the forthcoming implementation of the NIS2 directive at the end of 2024, is helping to harmonize security levels across the EU at a high level. But even complying with all legal obligations should not lull companies into a false sense of security. ERP systems are complex and difficult to protect due to their integration into a networked IT landscape—the number of potential gateways increases with each interface. Moving ERP workloads to the cloud also redefines security standards. The fact is that cyberattacks cannot be completely avoided. It is important to keep an eye on cybercrime trends, translate threats into individual security concepts, and ensure a fast response time in the event of an emergency. 

According to the Data Breach Investigations Report, insiders are responsible for about one-fifth of all security incidents—not always with criminal intent, but often due to negligence and lack of risk awareness. With the democratization of AI, this flank will become even more vulnerable in the coming years. Today, AI translation tools can localize phishing emails at native speaker level in seconds, and AI-powered voice generators create deceptively realistic deepfakes for CEO scam calls from voice snippets. 

According to a survey of the SAP community, 45 percent of German companies do not consider their SAP systems adequately protected, and only 10 percent feel very well prepared to remain operational in the event of an attack. About a quarter do not even have IT security on their agenda. However, solid baseline protection requires the consistent use of technology resources that have long been available.

Timely patches and updates are a must. Reliable update management is essential for quickly closing security gaps in on-premises systems. SAP has invested in the usability of the system architecture to make it easier to deploy security patches for S/4 Hana.

Philipp Latini, Sivis

Philipp Latini is Managing Director at Sivis. The company specializes in software for authorization management, user administration and compliance. Before Philipp Latini took over the position as CEO in 2020, the IT systems businessman initially worked as Sales Manager and Head of Consulting at Sivis.

