New Report Reveals Top Cybersecurity Threats and Challenges to SAP Systems in 2025

A Follow-Up to Our June Teaser: The Full Report is Here

Back in June, we gave you a sneak peek at new research on the evolving SAP cybersecurity landscape. Now, with the full report and on-demand webinar available, we’re providing a detailed breakdown and expanding on the initial findings.

With over 92% of organizations identifying the data in their SAP systems as mission-critical or highly important, the need for robust SAP security has never been more essential. To provide a comprehensive look at this landscape, SAPinsider, in collaboration with Onapsis, has released its latest research report, “Cybersecurity Threats and Challenges to SAP Systems“.

This report, based on a survey of the SAP community, offers invaluable insights into the top threats, persistent challenges, and strategic investment priorities for the year ahead. Here’s a look at some of the key findings.

The Top Threats, Challenges, and Investment Priorities for 2025

The SAPinsider report goes beyond just a list of risks, offering a clear view into the top cybersecurity threats organizations are facing, the challenges preventing them from addressing those threats, and the strategic investments they are prioritizing to build a more resilient security posture.

The Shifting SAP Threat Landscape

According to the SAPinsider research, the number of cyber threats impacting SAP systems continued to increase over the past year. In fact, a significant 23% of respondents reported that they had experienced a cybersecurity attack that impacted their SAP environment in the past year.

In a significant shift from previous years, respondents now rank data exfiltration as the biggest threat to SAP systems in 2025. This heightened concern aligns with trends toward data centralization and cloud-based solutions, which make SAP systems even more desirable targets for threat actors.

While data exfiltration has risen to the top, other threats remain a major concern. The report notes that unpatched systems and credentials compromise continue to rank among the top four potential threats, as they have in previous years. 

Additionally, there is a notable increase in concern about connections to other systems and applications, which jumped from a tenth-place ranking last year to the third biggest threat this year. This is likely due to the rise of cloud and hybrid-cloud landscapes, expanding the overall attack surface and highlighting the complexity of securing modern SAP cloud security environments.

The Biggest Challenges Facing SAP Security Teams

For the third consecutive year, the biggest challenge organizations face is keeping up with the cycle of SAP security patches and updates, with 35% of respondents citing it as a top challenge in 2025. This persistent issue is not just a technical hurdle; it’s a business one. The report found that the two biggest factors driving these patching backlogs are the difficulty in scheduling downtime (64%) and the challenge of validating whether patches are correctly and properly applied (57%).

Beyond patching, security teams are equally challenged by a lack of visibility of SAP systems within InfoSec or Security Operations (28%) and the difficulty of ensuring segregation of duties (28%). These challenges highlight the need for strong executive support and a cohesive strategy that extends beyond standard compliance.

Interestingly, these challenges shift depending on an organization’s SAP security posture. The report shows that organizations with the least cybersecurity maturity are most challenged by patching (50%) and ensuring segregation of duties (43%). In contrast, more mature organizations, which have likely addressed these foundational issues, are more concerned with challenges stemming from user activities, like malware downloaded through end-user systems (42%) and password misuse, sharing, or compromise (33%)

Prioritizing Your SAP Cybersecurity Investments

So, where are leading organizations focusing their resources to combat these threats? The report identifies several key areas where organizations are planning to make new SAP-specific cybersecurity investments. The top priorities include:

  • SAP native security and compliance tools (e.g., SAP Identity Management, SAP Single Sign-On, and SAP GRC): 54%
  • Audit and monitoring tools for SAP systems: 51%
  • SAP security patch and vulnerability management: 51%
  • Data protection and privacy controls: 49%

The report also reveals that these investment priorities shift based on an organization’s cybersecurity maturity. For instance, the most mature organizations show a greater focus on cloud and hybrid security (67%). In contrast, organizations with the least maturity are more focused on foundational areas like audit and monitoring tools (43%) and closing the SAP security skills gap with managed services (36%).

This data underscores that a successful strategy must evolve as an organization’s security posture matures, moving from foundational controls to addressing more complex, user-driven, and environmental risks.

The Dangers of Unpatched SAP Systems

Ranking as the #2 cybersecurity threat to SAP systems, unpatched vulnerabilities represent a clear and present danger to the enterprise. The risk is not just theoretical; it’s about providing a direct pathway for threat actors to access the 92% of SAP systems that organizations consider to contain mission-critical or highly important data.

The primary danger lies in the speed at which these vulnerabilities can be weaponized. The report warns that organizations unable to remediate threats may find their systems vulnerable to attack within hours of a new patch being announced. This narrow window gives a significant advantage to attackers and can turn a known, patchable issue into a major security incident. An exploit of an unpatched system can directly enable data exfiltration (the #1 threat) or lead to costly operational downtime, causing significant financial and reputational damage. This makes a strong SAP threat detection and response capability essential.

How Onapsis Helps Address Key Report Findings

The SAPinsider report paints a clear picture of the threats and operational hurdles that organizations face in securing their mission-critical SAP systems. The Onapsis Platform is uniquely designed to address these specific, data-backed challenges head-on, empowering security and SAP teams to build a more resilient and proactive defense.

Combating the Top Threats: Data Exfiltration and Compromise

With data exfiltration and credential compromise ranking as top threats, preventing unauthorized access is paramount. Onapsis helps organizations shift from a reactive to a proactive stance.

The platform’s continuous threat monitoring and detection capabilities, part of Onapsis Defend, provide real-time visibility into suspicious activities that are often precursors to a major breach. By identifying and alerting on anomalous behavior, such as an unauthorized user attempting to escalate privileges or access sensitive data, Onapsis helps security teams neutralize threats before they can lead to a damaging data exfiltration event.

Streamlining Vulnerability and Patch Management

The report confirms that patching is the #1 challenge for SAP teams, not because of a lack of awareness, but due to operational friction. Onapsis directly targets these pain points.

  • Prioritizing What Matters Most: Instead of presenting a long list of vulnerabilities, Onapsis Assess provides context-aware insights, helping teams prioritize the patches that pose the greatest risk to their specific environment. This is critical for organizations struggling with limited downtime.
  • Validating Remediation: Onapsis helps solve the challenge of validating that patches are correctly applied, giving teams confidence that their remediation efforts have been successful and their systems are secure. This addresses a key hurdle for 57% of organizations.

These capabilities are central to a robust SAP vulnerability management strategy, allowing teams to stay ahead of threats by focusing their efforts where they matter most.

Securing an Expanding and Connected Landscape

As organizations adopt cloud and hybrid models, the #3 threat of insecure connections to other systems has become a major concern. Onapsis provides solutions for secure cloud transformation to ensure consistent security and compliance across the entire SAP landscape. This includes on-premise systems as well as cloud platforms like SAP Business Technology Platform (BTP), providing a centralized view of an organization’s security posture and extending robust security controls to all connected applications. Bridging the Gap Between SAP and Security Teams

A lack of visibility of SAP systems within broader security operations was cited as the second-biggest challenge for organizations. The Onapsis Platform is designed to be the bridge between these siloed teams. Through solutions like Onapsis Control, it enriches security tools like SIEMs and SOARs with critical, easy-to-understand data from the SAP environment. This integration translates complex SAP-specific security events into actionable intelligence that the InfoSec team can use, enabling a unified and more effective threat detection and response process.

The DART Model: A Framework for Your Cybersecurity Strategy

To help organizations structure their planning, the SAPinsider report introduces the DART model. This framework provides a clear and logical way to think about your cybersecurity strategy by breaking it down into four key components: Drivers, Actions, Requirements, and Technologies.

Drivers: What Pushes Your Strategy?

These are the primary business and security pressures that necessitate a robust cybersecurity plan. The top drivers for organizations in 2025 are:

  • The need to protect access to sensitive and confidential data in SAP systems (46%)
  • Pressure to keep systems secure from ransomware and malware attacks (39%)
  • Pressure to keep critical systems and operations online (32%)

Actions: What Steps Should You Take?

Based on those drivers, these are the top actions that organizations are taking to improve their security posture.

  • Regularly implementing patches and updates (53%)
  • Conducting regular audits and security assessments (43%)
  • Integrating SAP system data into Security Operations (43%)

Requirements: What Do You Need for Success?

These are the foundational conditions and practices that organizations identify as essential for securing their SAP environments.

  • Cybersecurity tools that provide consistent protection across cloud and on-premise environments (90%)
  • Fully patched and updated systems (90%)
  • Safe password practices (90%)

Technologies: What Tools Can Help?

These are the specific technologies that organizations are implementing to meet their security requirements and execute their action plans.

  • Continuous Monitoring (56%)
  • Encrypted/Secure Connectivity (47%)
  • Data Encryption (44%)
  • Vulnerability Management (38%)

Next Steps: Get the Full Report and Expert Analysis

The insights highlighted here are just the beginning. For the full context behind the data and a complete breakdown of strategic recommendations, we encourage you to download the complete Cybersecurity Threats and Challenges to SAP Systems report. It provides the in-depth analysis needed to move from understanding the threats to actively building a more resilient defense for your mission-critical systems.

Our Top Recommendations from the Report

The report’s findings point to three clear strategic recommendations:

  • Recruit Strong Executive Support: Gaining leadership support is critical to overcoming operational hurdles like securing downtime for patching and funding user education.
  • Prioritize Protecting Mission-Critical Data: With 92% of SAP data considered critical, generic IT security plans are not enough. A single breach can lead to millions in losses and severe reputational damage.
  • Implement a Disciplined Patching Plan: Unpatched systems have been a top threat for three years straight. It’s essential to overcome patching challenges, as attackers can exploit new vulnerabilities within hours of disclosure.

Watch the Findings in our On-Demand Session

Want to walk through the report’s findings directly with the experts? This on-demand session with Robert Holland of SAPinsider details all of the key insights and discusses strategies to address these challenges.

Watch Webinar