Why security experts are not SAP experts

SAP is part of the indispensable basic IT equipment for many companies because it is absolutely essential for smooth business operations and trouble-free production. But why don't companies protect their SAP systems properly?
Andreas Nolte, Arvato Systems GmbH
12 October 2022
This text has been automatically translated from German to English.

Since the answers to this question are often the same, there seem to be fundamental misconceptions about SAP security. When it comes to security, the discussion quickly comes down to people. After all, it is hackers who carry out cyberattacks. And therein lies the crux of the matter. Only proven security experts have a chance of standing up to professional hackers. While cybercriminals are highly specialized, enterprise professionals must master all techniques and have strong analytical skills. This cannot be expected of even the most experienced SAP professional. The cybercrime industry is too complex and dynamic for them to learn quickly. That's why it's imperative to bring SAP and security specialists together and get a complete overview of the threat landscape, because attackers are not interested in internal organizational silos.

SAP in the cloud

Migrating SAP systems to the cloud is a task with a promising future. Cloud adoption is a highly complex undertaking that is subject to constant change. That's why employees need to be highly skilled. But some companies are convinced that their IT staff can manage the existing IT and be experts in cloud security at the same time. In practice, however, in-house security experts often lack the necessary SAP expertise - just as SAP specialists often have only rudimentary security knowledge. So these companies do not train their IT experts adequately.

But a lack of expertise in securing a cloud-based SAP landscape creates dangerous vulnerabilities. Hackers do not even have to go to the trouble of disguising themselves in a Trojan horse to gain access to data and systems. They walk with their visors open over the lowered drawbridge, through the wide-open gate, and settle into the castle. It takes an average of around 100 days for this to be noticed. That is three months in which cybercriminals can cause a great deal of damage. It's not always attention-grabbing ransomware or DDoS attacks. Some hackers are very subtle in their approach, for example by tapping into supposedly insignificant information. That's why companies must always think about security when it comes to cloud transformation.

Once again, the question arises: Why aren't companies doing this? It seems that there is no goal-oriented dialog between IT and management. Sometimes management has no tangible idea of how important SAP security is for smooth business operations. And security experts sometimes fail to communicate the benefits of adequate protection measures and their positive impact on day-to-day operations. For a genuine dialog, companies are well advised to leave technology out of the equation for the time being. The point is to be aware of the opportunities offered by the cloud and the complexity of SAP security: to secure the SAP infrastructure against hacker attacks, it is imperative to understand that SAP security is a business process like any other. A process that needs to be carefully modeled, controlled with metrics, monitored with tools, and continuously optimized.

In order to change the way SAP security is viewed, companies must do away with common preconceptions. The fundamental misconception is that security is an IT issue. But cloud and SAP security must be firmly anchored in the corporate strategy and only implemented in practice as a second step. This is a challenge that goes far beyond the IT department. It affects many specialist departments. For effective SAP security, everyone, really everyone, must pull together.


Andreas Nolte is Head of Cyber Security at Arvato Systems GmbH

