Ransomware Attacks on SAP: Key Insights from Our Fireside Chat with Turnkey

SAP systems have experienced a 400% increase in ransomware threats since 2021. This staggering statistic, reported by Onapsis and Flashpoint in their latest Threat Report, illuminates the critical need for organisations running SAP to recognise and address these risks. But why are these attacks on the rise and how can you protect your business? 

Turnkey recently sat down with Onapsis to discuss the growing dangers of ransomware involving SAP systems and data. In this article, we revisit the conversation between two of Turnkey’s senior-most cybersecurity experts, Andrew Morris and Harshini Carey, and Onapsis Chief Technology Officer, Juan Pablo Perez-Etchegoyen. Read on for comprehensive insight into the vulnerabilities that facilitate ransomware attacks on SAP systems and the best practices from prevention techniques to effective response strategies.

The fireside chat has been lightly edited for length and clarity. Here’s a Q&A breakdown of the key points discussed during the session: 

Harshini: How can CISOs and CIOs bridge the SAP gap and work together to secure the IT landscape? Considering that the corporate crown jewels sit within the SAP landscape, what are your thoughts on this collaboration? 

JP: Certainly, the question covers a lot of angles, so I’ll try to be brief. Organisations need to secure thousands of endpoints, servers, applications, and devices. Within this vast IT landscape, the SAP environment may seem small – just a few servers. However, from a business perspective, SAP supports the entire business, especially for SAP customers. If an SAP application goes down, it can mean a significant loss for the organisation. 

Historically, the SAP security team has been in place, so everyone assumed they handled all aspects of security. However, the SAP security team typically focuses on identity provisioning, roles, profiles, and authorisations. When it comes to cyber threats and risks, this is a different domain that the SAP security team may not be equipped to handle effectively. Meanwhile, the IT security team might not understand the complexities of SAP technologies. 

We’ve seen many success stories of organisations accelerating digital transformations, cloud adoption, and risk reduction cost-effectively through better communication and understanding. However, because SAP security was not considered comprehensively, there were also ransomware attacks, breaches, and other events in 2023. To close this gap, CISOs and CIOs must see SAP security as a crucial component of total cybersecurity. 

Andrew: This is a topic we often discuss with many of our clients. Every application used by a business is important, but stakes are higher for crown jewel applications such as SAP. If SAP goes offline, the entire organisation can be impacted as a significant portion of the revenue often flows through it. To the business, it’s considered one of the most important. However, from a CISO’s or CIO’s perspective, SAP can be seen as just a small part of their IT landscape.

To bridge the gap, effective communication and good Business Impact Assessments are the first step to understand where critical assets lie in an organisation. For SAP, it’s not enough to assume that the SAP security team is handling everything. Typically, the SAP security team focuses on roles, authorisations, and segregation of duties, but they are unlikely to be involved in areas like detection, response, vulnerability management, and patching, which are often outsourced and handled by separate teams.

Education and understanding the critical risks and controls are key. It’s important to know what security measures are currently in place to identify any gaps and determine the next steps to ensure comprehensive protection of the SAP landscape. 

Harshini: Have we ever seen SAP vulnerabilities being managed by the SAP authorisations team or is it normally part of cyber vulnerability?

Andrew: Typically, the cybersecurity team manages the process, ensuring that every application undergoes vulnerability scanning and that there’s an action plan to address any issues. With SAP, there are often exceptions and complexities; in some cases, addressing vulnerabilities may require multiple teams.

For instance, parameter changes might require input from the basis team and could necessitate a system restart, which means the entire business needs to agree on downtime. Additionally, developers may need to fix vulnerable code that has been in the SAP system for years. Other teams might need to assess whether to disable certain interfaces or APIs. This is one reason why major upgrades, like moving to S/4HANA, are crucial for eliminating technical debt as the system can be rebuilt with security in mind. Ultimately, the process involves combining the cybersecurity team and SAP Security team to remediate the risk.  

JP: We’ve seen a bit of a mix, and, as Andrew mentioned, it really depends. There needs to be a clear definition of who owns the responsibility for detecting and managing vulnerabilities. Typically, this falls to the cyber team. However, in some cases, someone from the SAP application team also has visibility and responsibility for vulnerabilities and risks. 

Ultimately, the SAP team, including basis developers and the business side, plays a crucial role in addressing these issues. While the IT security or cyber security teams often have visibility, the responsibility is shared among all stakeholders, including the SAP team, cyber security, and more. It’s a collaborative effort to ensure that all aspects of SAP security are effectively managed. 

Harshini: What are the best strategies and mitigation steps to prevent vulnerabilities from being exploited within the SAP environment?

JP: It starts by being purposeful about it. Ultimately, the CISO is the go-to person when it comes to cyber risks in the organisation, but vulnerabilities and threats to SAP often fall into a gap within the IT security team. 

Being purposeful means integrating SAP into your existing vulnerability management programs, threat detection, and continuous monitoring programs to start addressing the issues within your system. We have numerous success stories of organisations implementing technologies with the help of partners like Turnkey. This provides guidance for integrating SAP security into your broader cybersecurity strategy. 

Adopting a shared responsibility model to address security vulnerabilities is a good start. This model outlines what security responsibilities fall on your organisation versus the provider’s. 

Andrew: Managing vulnerabilities involves many teams, which is part of the challenge. BASIS, SAP security team, Developers, and Service Delivery all have responsibilities in managing the SAP system.  

Rather than reinventing the wheel and adding more teams and complexity to create new processes, leverage those existing processes used by the Cyber Security function. Use tooling and third parties to enhance knowledge and educate the cybersecurity team on SAP threats and vulnerabilities. By integrating SAP security into existing programs, you have a better chance at making sure they are managed effectively.  

In some cases, patching is carried out annually. But security now demands more frequent updates, so it is essential to keep up. Take your time to understand where you are, identify gaps, and determine what needs to be done to address them. This holistic approach will help you manage vulnerabilities, issues, and risks.  

Understanding ownership is crucial. The CISO is traditionally accountable for cybersecurity risks, but they might lack budget for specific SAP security tooling. Ensure all relevant stakeholders are on board with funding and understand the importance of these security measures. Ultimately, ensuring the business can operate through cyber-attacks is key to success.  

 
View the full Fireside Chat for more insights or get in touch to discuss how Turnkey and Onapsis can help you protect your SAP systems.