If you work for a company that uses an enterprise resource planning (ERP) system, then odds are you’re familiar with SAP.
SAP is the ERP of choice for a majority of businesses worldwide. And for good reason: it deftly handles everything from supply chain management to human resources to finance and beyond. If you need to see a purchase order that’s attached to an invoice, it’s right there. Tackling month-end? SAP’s where you get your reports. Looking for a new hire? You scan the resumes that were uploaded to your E-Recruiting SAP module.
However, SAP is also uniquely vulnerable. And between its mission-critical role and its vulnerability, SAP is a prime target for cyberattackers.
What’s the risk?
ERP cybersecurity breaches can completely devastate a company. The loss of sensitive data, fraud, lawsuits, recovery expenses, and the PR nightmare that accompanies it all can easily climb into the millions of dollars to repair. According to the 2017 ERP Cybersecurity Survey, the average cost of a security breach in SAP is estimated at $5 million, with a third of the respondents estimating damage at more than $10 million.
And that’s if they even recover at all.
In 2013, USIS — a federal contractor providing background checks for Department of Homeland Security — had their SAP system infiltrated by cyberattackers. The security of over 25,000 government workers was compromised, and USIS lost over $2.8 billion in contracts. They never recovered, and filed for bankruptcy in 2015.
This definitely isn’t something you want to have happen to your company.
To understand how this happened, we need to look at how SAP is vulnerable.
Pinpointing the vulnerabilities
Like a lot of large and complicated software platforms, SAP has its fair share of vulnerabilities. And like other software companies, they identify these vulnerabilities and then send out security patches, which can then be installed.
Sounds simple enough. But it’s that last part where problems are happening.
In February of 2016, the Ponemon Institute released a study, Uncovering the Risks of SAP Cyber Breaches. In July of 2017, we conducted our own study, Cyberattacks and CVs: Can SAP E-Recruiting Expose Your Company to Risk?
The Ponemon study highlighted a major vulnerability that surprisingly, has little to do with SAP itself. As it turns out, many companies simply are not clear about who should be responsible for SAP cybersecurity.
You’ve got SAP teams that are responsible for their duties. And you’ve got IT teams that are responsible for their duties. But because SAP cybersecurity is a mix of the two, each team thinks the other team has it handled. In fact, twenty-five percent of the Ponemon study respondents say no one function is most accountable for SAP cybersecurity.
In addition to not knowing who should be guarding the vault, the door itself has some pretty faulty hinges. Slipping malware and other malicious code into SAP is surprisingly easy. In our own study, we were able to upload a test malware into 52 percent of the tested systems.
A blind spot for antivirus
None of these issues would be as dire if companies could protect SAP using their anti-virus programs.
Unfortunately, that’s impossible.
Because SAP files are processed and stored differently and discretely from regular files, they never actually get scanned by anti-virus. In fact, standard anti-virus programs can’t even SEE SAP files. So that resume that just got uploaded? It could be full of malware, and your company’s antivirus wouldn’t even know.
What your company can do
The biggest thing that companies can do is to stay on top of all SAP cybersecurity news. Months or more can pass between when a vulnerability is identified and the patch is released. Installing the patch right away helps to narrow the window of vulnerability.
To do that though, it’s vital for your company to clearly define who is in charge of what when it comes to SAP cybersecurity. Considering what’s at stake, it is exceedingly dangerous to assume anything about who is responsible for keeping this system safe. Clarifying processes and roles and making certain that there is an identifiable tier of ownership for your company’s SAP cybersecurity can play a large part in preventing it from slipping through the cracks. And by asking those questions, you can help get that process started.
Protecting SAP from cyberattacks is a task that needs to be taken seriously by everybody in the organization, and requires clear and forward-thinking leadership. When businesses open their eyes to the risks and their minds to the possible solutions, they stand a much better chance of weathering any attempted security breaches.