How fortified is your SAP against security breaches?

Your SAP is your Fort Knox - storing mission-critical applications as valuable as gold to your business.

Can you even tell if a breach has occurred? Have you inventoried its vulnerabilities - and taken steps to prevent, for example, a $22 million per minute loss due to a SAP breach as experienced by one Fortune 100 company? Or have you concluded that the scale of SAP ERP implementations makes it just too big to manage? Ask yourself these 10 questions - compiled by David Binny, vice president of product management at Panaya, and gleaned from its analysis of thousands of SAP landscapes - to find out if your SAP is safe.

SAP security: How high a priority?

Do you wait until disaster strikes and react, often too late to undo the damage? Or, is SAP security maintenance high up on your to-do list? For example, do you perform regular security and compliance audits of your ABAP code (skipped by 70% of respondents to a recent Onapsis survey)? Stay up-to-speed on current and emerging threats to your SAP ecosystem to better manage cybersecurity risks (deemed critical by 73% of respondents to a Ponemon Institute survey)? Feel confident that you’ll discover a SAP breach within a year or less?

SAP security: Who’s in charge?

Very often, the owner of SAP security projects is unclear. In a recent survey, half of the respondents thought it was SAP’s responsibility, not their organization’s. Thirty percent thought it was no one's. And only a small number thought it was the CIO’s or CISO’s job. When security ownership is up in the air, key players will be unable to act when a breach occurs, and yet face the consequences. So, don’t wait - quickly define the person or group within your enterprise who has overall responsibility for SAP security.

When was EHP last updated?

Make sure you stay up to date on the latest technology and security upgrades. Released periodically by SAP, Enhancement Packages (EHP) for SAP Business Suite are essentially a new software version with functional enhancements, UI simplifications, and enterprise service bundles. Make sure your organization is running the latest enhancement packs, lest you be open to gaping and costly-to-fix vulnerabilities.

Have you installed SPS?

Yes, it’s time-consuming to install, but you simply can’t afford to ignore it. It is the Support Package Stacks (SPS) - support packages and patches (many ranked “high priority”) that SAP recommends companies apply at least once a year. SAP has released over 3,300 security patches to date. And while SPS may take more than six months from release to deployment, the alternative (running systems without a clear update and patching process) could be worse. So, find an efficient and effective way to implement it.

Security or functionality?

The US Department of Homeland Security recently reported that 36 organizations were found vulnerable due to unpatched, misconfigured, and outdated SAP systems. While SAP fixed the issue, it found that many customers preferred keeping business-critical (and revenue-generating) SAP systems running (despite faulty patches) over applying security updates. By adopting tools and processes that simulate ERP change and making security part of day-to-day maintenance, you can fix critical issues without placing critical processes at risk.

Gotten rid of your custom code yet?

If you haven’t, eliminate it. Now. You see, with proprietary developments in SAP systems at an all-time high, and with statistics showing one critical vulnerability per 1,000 lines of ABAP code, every line of custom code can potentially spell risk. This means that an attacker can gain full access to all business data by exploiting just one of these vulnerabilities. Since much custom code is unused, experts recommend eliminating it (or at least securing critical code) and reverting to the standard installation to dramatically reduce the risk of security vulnerabilities.

Are your SAP apps updated?

Continuous monitoring (i.e., keeping your eyes open) is key to a safe SAP. With enterprises experiencing two SAP-related breaches every 24 months, and 75 percent of IT professionals believing that their SAP platforms are infected with malware, it’s easy to conclude that attacks against SAP infrastructures will only increase. To avoid zero-day vulnerabilities in SAP apps, stay alert and ensure that your applications are patched and up to date. Adopt tools that show you where you stand, what needs updating, and how to make changes.

When was your last regular ERP checkup?

Organizations have limited visibility into the security of SAP applications, making it harder and slower to detect and respond to cyber attacks. In fact, it takes a whole year for many enterprises to detect a breach. That’s too long and too risky. For your ERP system to stay healthy and secure, frequent checkups are key. You gain better visibility and understanding of your ERP landscape before making changes, pinpoint where you may be lagging, and benchmark against industry standards when identifying security gaps.

Can you go digital and still mitigate risk?

There’s no fighting it. Change is the way of the world, and digital transformation is what makes it happen. How, then, to embrace new technologies and trends - cloud, mobile, big data, IoT - while avoiding the security risks that they almost always entail? The key is to remain vigilant and move fast. Adopt quality assurance tools that work continuously with each change to ensure the security, functionality, and performance of your SAP landscape.

Copyright © 2017 IDG Communications, Inc.