A recent independent study conducted by the Ponemon Institute, “Uncovering the Risk of SAP Cyber Breaches,” revealed some startling information about the threat of a SAP cyber breach and how companies are managing the risk of information theft, modification of the data and disruption of business processes.

To understand what makes SAP systems the perfect target for a cybercriminal, you don’t have to look far. Ask yourself: Which system runs the most business-critical processes in my company? Which system stores the most business-sensitive information? Which system is the company most dependent upon?

The answer unanimously comes back to the enterprise resource planning (ERP) system your company runs. In today’s world, a majority of the Fortune 500 companies rely on SAP as their ERP system. This single ERP system has become a critical and crucial lifeline to companies across all industries, ranging from health care, utilities and oil and gas to telecom, insurance and financial services.

Takeaways From the SAP Study

Recent high-profile cybersecurity breaches still have not served as a wake-up call in many corporate boardrooms. Some excerpts from the Ponemon Institute’s independent study highlight some interesting perceptions about SAP cybersecurity risk.

First, nearly 76 percent of respondents said their senior leadership understands the importance and criticality of SAP installations to profitability. However, 63 percent of respondents also said C-level executives underestimate the risks associated with insecure SAP applications.

If SAP systems are taken offline, the expected average financial consequence for companies is $4.5 million. These costs were estimated to include direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunity.

The majority of the respondents believe it is difficult to secure SAP systems. One possible reason is a lack of clear ownership over these systems. When asked which function was most accountable for security, 25 percent claimed that no one group was responsible. Meanwhile, 21 percent said IT infrastructure was responsible, 19 percent said a dedicated SAP security team and 18 percent said information security. Risk executives, audit professionals and boards of directors all collected less than 10 percent of the vote.

Source: Ponemon Institute, “Uncovering the Risk of SAP Cyber Breaches”

When asked what was most important for achieving security, 83 percent of respondents indicated that detecting zero-day vulnerabilities is vital for their organizations.

Despite this thirst for security knowledge, most organizations don’t believe they have the power to detect an incident. About 47 percent of respondents were “not confident” or claimed “no confidence” that they could detect a breach within a year if their company’s SAP platform was compromised.

Additionally, 65 percent of respondents said it is very likely (33 percent) or likely (42 percent) that their company’s SAP platforms have one or more malware infections.

Source: Ponemon Institute, “Uncovering the Risk of SAP Cyber Breaches”

Three SAP Security Myths and Realities

Because the threat to business-critical information is increasing, it is essential for companies to separate myths from reality. These myths typically fall into three different categories:

  • Myth One: SAP systems are only accessible internally within the organization’s network.Reality: There is no such thing as an internal network anymore. Many SAP systems are connected to the Internet via Web apps, HANA, mobile solutions or cloud deployments. Try to Google “inurl:/irj/portal” and see how many hits are returned, or check for SAP using the SHODAN search engine.
  • Myth Two: Only SAP production systems should be audited.Reality: Pivoting using existing SAP vulnerabilities between SAP systems provides access from a low security (e.g., a development or QA system) to a critical system (e.g., a production system) to execute SAP remote function modules in the destination system.
  • Myth Three: Patch and change management process provide adequate security controls.Reality: It takes an average of 18 months from when a vulnerability is identified to when the patch is finally deployed.

Key Considerations for SAP Security

A cybersecurity program should be incorporated into the existing enterprise risk management (ERM) process of the company. This will help establish your overall SAP security governance program.

Many companies invest heavily in SAP security audits that barely scratch the surface, such as segregation of duties (SOD) checks, basic firefighter log reviews, security log reviews, system parameter reviews, table logging checks and the auditor-favorite SUIM command. Companies should consider investing in more comprehensive and in-depth examinations of their SAP platforms and solutions on a regular basis, including vulnerability assessments and penetration testing.

Periodic SAP vulnerability assessments should be conducted to identify known vulnerabilities, malware infections, missing patches and notes, insecure configurations, unencrypted interfaces, weak credentials and default settings. This is in addition to the regular SOD checks, custom T-code checks, program analysis and logging regular user activity.

Involve the business in security workshops and ask the relevant questions. Who is responsible for preventing a cybersecurity breach? Have we had a SAP security breach? How can our company be sure?

Look to invest in an active threat monitoring and detection solution — meaning a SAP-specific threat vector detection. This will help drive visibility into the cyber world and demonstrate a high level of confidence with your internal and external auditors.


Protecting SAP from cyberthreats begins with a shift in beliefs about accessibility, vulnerability and responsibility. A cybersecurity program is only effective when it begins with the appreciation that everything is now connected and therefore accessible. SAP systems and applications, whether in development or production, are as much at stake as any other system.

Extending the same (or better) assessments, auditing procedures and tests that you would for any other enterprise platform or application is no different when you consider your valuable investments in and reliance on ERP systems such as SAP.

Download the Trends in SAP Cybersecurity white paper

More from Software Vulnerabilities

Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1

Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a target’s systems. As such, vulnerabilities in C2 frameworks are high priority targets for threat actors and Counterintelligence (CI) operations. On September 20, 2022, HelpSystems published…

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory. SCM systems are used in the majority of organizations to manage source code and integrate with other systems within the…

X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021

From 2020 to 2021, there was a 33% increase in the number of reported incidents caused by vulnerability exploitation, according to the 2022 X-Force Threat Intelligence Index. A large percentage of these exploited vulnerabilities were newly discovered; in fact, four out of the top five vulnerabilities in 2021 were newer vulnerabilities. Vulnerability exploitation was the second most common initial infection vector observed by IBM Security X-Force in 2021, falling closely behind phishing. Cybercriminals are finding new ways of bypassing security…

How Log4j Vulnerability Could Impact You

MITIGATION UPDATE: New vulnerability in 2.17 — CVE-2021-44832 Upgrade to 2.17.1 to mitigate this vulnerability Do NOT enable JNDI in any versions Follow: https://logging.apache.org/log4j/2.x/security.html If you hadn’t heard of Apache Log4j, chances are it’s on your radar now. In fact, you may have been using it for years. Log4j is a logging library. Imagine writing your daily activities into a notebook. That notebook is Log4j. Developers and programmers use it to take notes about what’s happening on applications and servers.…