SAP customers more alert to internal than external threats

SAP customers are more concerned by insider threats than by external attacks, according to a joint report from Turnkey Consulting and Onapsis Research, who decry this as complacent.

Some 40.8% of more than 100 SAP customers surveyed recently, from the UK, the US, Europe and Asia, thought internal fraud was the biggest threat to their SAP applications estates, while only 14.3% believed an external attack was the biggest threat.

Turnkey Consulting, which specialises in the security and governance of SAP environments, and Onapsis, a firm of enterprise software security researchers that also provides a security platform and services, conducted the research during May 2021. All respondents were managerial level and above within a cyber security-related function, with more than 15 different industries represented.

The firms’ SAP security survey report 2021 also found that 26.5% said a data loss or breach was their greatest threat, and 12.2% opted for systems downtime.

Tom Venables, practice director of application and cyber security at Turnkey Consulting, said: “A key trend, and continuous theme over the years, is the disconnect between the widely acknowledged challenges of SAP security and the broader understanding and management of IT risk in general, where tools and processes have evolved to respond to growing threats in a more comprehensive way. Closing this gap is critical if organisations are to protect themselves against the growing exposure to external threats.” 

The report concluded by lamenting the complacency it identified among SAP customers. “Recent Onapsis research has found that SAP-specific threat actors are active, capable and widespread, and that critical SAP vulnerabilities are being weaponised in as little as 72 hours of a patch being released,” it said. “The impact of this stretches far beyond the theft of valuable information or the disruption to business and reaches into compliance implications such as GDPR and SOX.”

In his commentary inside the report, Venables said: “External attack is a significant threat to SAP systems – and increasingly so – but only one respondent in seven feels that it is the biggest threat to their systems. More and more malicious actors have realised that SAP often contains highly valuable data and intellectual property – the kind of information that, if lost or inaccessible, would cause major business disruption.”

The connection of SAP systems to software-as-as-a service applications such as SAP’s own SuccessFactors and Salesforce is another point of vulnerability, according to the report. Venables added: “As more organisations move towards a cloud-first future, there has been strong take-up of connectivity between SAP systems and software-as-a-service applications. However, there are issues around where security responsibility lies when this connection is made, with many cloud providers affirming that it is the customer’s responsibility to maintain a strong security posture when using these applications within the cloud.”

In the statement accompanying the report, Turnkey and Onapsis said the average SAP customer will have about 2,500 vulnerabilities within their customised SAP code, and yet 36.7% of survey respondents did not review this code for security and quality issues.

Almost half of the respondents are not applying configuration standards for audit logging and password settings, and Venables registered concern about this in the full report, saying: “As with other issues in this survey, the amount of time and resources required to apply these standards is considerable: config drift needs checking, and high volumes of log data needs processing. This is therefore an area where automation can assist, along with tools for alerting, monitoring, and change management functions that can keep track of any changes being made.”

A similar number of respondents do carry out reviews, but do so manually, an approach that is slow and error prone, said the report’s authors. Some 32.7% do not review code developed by third parties before it is imported into their SAP system, while 20.4% are not sure whether they do. 

The report also noted that only 27% of respondents were not considering a move to S/4 Hana – the supplier’s flagship ERP system. This suggests that a big majority of respondents to the survey are demonstrating a disturbing “lack of realisation that external attacks are of serious concern”, in the context of a big shift from ECC6, said the report’s authors.

The research explored the notion that SAP systems are protected because they are within the internal network, and how this belief influences attitudes to external risks.  

Some 18.4% of respondents agreed with the statement: “SAP is within our network, and so is secured against cyber threats.”

Venables added: “The often misguided perception that SAP is secured against cyber attacks because it sits within an organisation’s internal network is gradually being shattered. A slight majority of respondents disagreed with the view, and less than one in five still felt that it was fully secured by being inside the network. It may well be, however, that those who feel it is fully secured in this situation have the right tools and monitoring in place to cover SAP, or that the level of their internet-facing activity is relatively limited.”

Only 28.6% confirmed they had an SAP vulnerability management programme in place. The same number were sure their security operations centres (SOCs) had visibility into SAP security events, but 36.7% admitted they were not always up to date and updated with the latest patches.

The report’s authors said all of this shows a disconnect between SAP security and wider IT security environments.

André Ros, director of EMEA alliances and channels at Onapsis, added: “Organisations are making progress in how they protect their SAP systems, but as recent events in the news demonstrate, it’s still not enough. Traditional defence-in-depth strategies often fall short at protecting the business-critical SAP application layer.

“Onapsis Research has demonstrated that threat actors can exploit unprotected, unpatched business-critical systems in less than 72 hours after the release of an SAP security note. Better protecting this SAP application layer from vulnerabilities with the right technology, timely threat intelligence, impactful services, and improved internal processes will prove to be paramount to success.”