Views from UKISUG 2019: The SAP Security Frontline
On a cold, bright day in the UK, Birmingham played host to one of the highlights of the annual SAP calendar: the UKISUG 2019 conference, providing an opportunity for SAP providers, associated organizations and users to talk shop on all things SAP. Whether you were concerned with using it as a method of streamlining payroll, the security of the system in general or anything in between, there was a talk, round table or discussion for you.
Coming at SAP from a security perspective, before attending the Onapsis session, we attended one hosted by Robin Gaddum of Deloitte’s Risk Advisory Division. His talk, entitled Business Continuity, Planning to Protect Against Attack Discussed cybersecurity in the context of wider business risk. He stated that cybersecurity is a top 5 threat at the board level, and companies can often be collateral damage by nation-state attacks. In 2018, cyberattack was #5 in likelihood and #7 on impact. He also described what he calls a ‘shock and awe moment’ when ransomware hits. It’s not something that is in the standard IT providers playbook, using the crippling 2017 NotPetya attack as his example.
Robin then moved onto what to do in a situation where an attack has happened, summarising by asking the following questions:
- Who runs it? If it’s one person, they may still sell your data.
- How big is it?
- How do you test it?
- How long will it take to restore?
Following this enlightening session from Robin, we turned our attention to the reason for our attendance: Protecting the Business: How Cargill Achieves Cyber Resiliency – Paul Stamp (Director of product management at Onapsis) and Steve Windsor (Cargil). This talk aimed to explain the role Onapsis provides for a huge organization like Cargil, as well as drawing attention to the disconnect between most security professionals and the prevalence of SAP. 77% of global GDP passes through ERP systems, of which SAP comprises a significant chunk, yet they are relatively unknown to most security professionals.
Steve then described the key challenges associated with a global produce transporter such as Carhill from a security perspective:
- Managing change—Change in code, risk of change or not changing at all
- Compliance—What do we need to do to become compliant? How do we implement it?
- Expensive and time-consuming methods are not good enough.
- Continuous monitoring for new threats, who is trying to exploit your business?
Steve and Paul went on to describe how Onapsis can help with this: leveraging multiple checksand policies, fostering a culture of collaboration where Onapsis helps to disclose vulnerabilities(over 500 across SAP and Oracle), but Cargil takes responsibility for leveraging the information and advice Onapsis provides. This relationship creates a partnership, as opposed to a vendor/customer relationship.
All in all UKISUG 2019 provided an opportunity to understand the scale of SAP and its importance, and how deeply embedded it is across all business functions.