Key Takeaways from Ponemon Institute’s New Study: Uncovering the Risks of SAP Cyber Breaches

Today, the Ponemon Institute has released its latest research study titled Uncovering the Risks of SAP Cyber Breaches. As the first independent research study on SAP cybersecurity trends, more than 600 global IT security practitioners were surveyed to uncover perceptions about the threat of an SAP cyber breach and how companies are managing the risk of information theft, modification of data and disruption of business processes.

Some very interesting results were found. While several leading organizations have already started to understand the impact facing the value of the data that could be lost from their SAP system due to a data breach or cyberattack, one of the most shocking findings revealed in this study is that still most organizations have very little confidence that they would be able to detect an SAP breach within a reasonable timeframe. In fact, 53% of respondents stated that it would take their organization up to a year to be able to detect an SAP platform breach.

On top of this, the Ponemon Institute found that 65% of all companies represented in the survey have suffered at least one SAP breach over the last 24 months.

As an industry, it’s clear we have a lot of work to do when it comes to fully understanding and managing the cybersecurity risks related with business-critical applications running on top of our SAP platforms.

Let’s take a look at some more of the key findings:

  • Senior leadership’s perception about SAP security risks: Senior leadership values the importance of SAP to the bottom line, but ignores its cybersecurity risks. There seems to be a lack of understanding as to the impact of the value of data that could be lost from SAP systems. Business-critical applications running on SAP are among the most valuable assets an organization has – I can’t stress this enough. These systems are responsible for housing critical business processes and data in which the organization depends upon including tangible assets, customer data, financial records and personal records. These systems should be in the top tier of assets when it comes to protection priorities.
  • The estimated average cost of a sabotage attack over an SAP system: When surveyed about the financial consequences of systems being taken offline, respondents said that on average, it would cost their organization $4.5 million. This includes all direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs, and lost business opportunities.
  • The “responsibility gap” in securing SAP systems: There is a very unclear understanding amongst respondents when it comes to the ownership of SAP security, and the inherent security of SAP applications themselves. In addition, a majority of respondents stated said that no one function within their organization is most accountable for SAP security. In fact, only 19% of those surveyed believe that it is the responsibility of their SAP security team to secure SAP systems, applications and processes. In order to properly secure SAP systems and applications, it is necessary to implement an operationalized cybersecurity strategy that leverages a cross functional, well aligned team. Steve Higgins, SVP of Customer Success, has outlined steps that organizations can begin taking to operationalize their SAP cybersecurity strategy in his latest blog.

Based on these findings there is no doubt that if you are the CISO of a Global 2000 organization, SAP cybersecurity should be one of your TOP-5 initiatives for 2016. Clear delineation of responsibility and integration between teams, establishing processes and operationalizing the prevention and detection of SAP vulnerabilities is a necessity for avoiding significant economic impact. The biggest questions I often receive from CISOs are “Where do I start? How do I include SAP in our cybersecurity strategy?” To these questions, I recommend the following steps:

  • I. Map Your SAP Landscape and Terrain: Through asset discovery, find out if you have 1 or 100 SAP systems and their interfaces. Then work to understand the business processes that each system supports and the information that each system houses.
  • II. Understand the Risks and Impact:
    • Economic – Understand the value chain that SAP systems and applications support. Also calculate the dollars that the SAP platform manages at your organization.
    • Compliance – Map Policies with an SAP security lens (i.e. SAP Security Guidelines) as well as authoritative sources (SOX, PCI) and perform assessments to identify critical compliance gaps.
    • Context – Prioritize risk by severity against assets (TOP-10, don’t boil the ocean), likelihood and timing of the risks and the potential business impact.
  • III. Integrate SAP to your cybersecurity strategy and roadmap. Continuously monitor systems to ensure both security and compliance issues remain low. Incorporate SAP into your risk, compliance and vulnerability management program. Respond to new threats, attacks, or user behavioral anomalies as indicators of compromise, incorporating SAP into your Incident Response program.

As always, if you have specific questions or concerns about your organizations SAP cybersecurity strategy, please do not hesitate to contact us directly at [email protected]. The full Ponemon Institute study can be downloaded here:

Additional Resources:

Onapsis & Ponemon Institute Webcast: “Uncovering the Risks of SAP Cyber Breaches”: Onapsis Business Risk Illustration: Onapsis Security Platform: