ERP Breaches Considered Serious and Catastrophic

We surveyed close to 200 security leaders at this year’s RSA Conference to gauge their basic understanding about securing ERP systems and how organizations are managing this increasing challenge. Our research shows that 88% of respondents indicated that if ERP systems were breached, the impact would be serious to catastrophic. Only a small percentage considered it not serious or with nominal impact.

We also asked how long it would take their organization to detect the incident. The results were surprising, with 17% of people saying they would immediately detect it, close to 50% saying it would be within a week to a month, and 16% saying it would take longer than a year.

I thought it would be interesting to compare these findings with the results from Verizon’s Data Breach Investigations Report. There are a lot of similarities in the time it takes individuals to discover a breach (all breaches, not just ERP-related ones).

As expected, many CISOs and IT security professionals are responsible for securing their ERP systems. Almost half of our respondents indicated that the CISO or the information security team has primary responsibility for protecting ERP systems. 14% indicated that the CIO leads their security efforts for ERP, and we suspect this indicates a chain of command where CISOs most likely report to CIOs. There are not many organizations with a dedicated ERP security team, and only 10% of the respondents say that their ERP teams have primary responsibility for securing these systems.

What we’ve observed from our experience helping some of the largest organizations in the world is that securing SAP and Oracle EBS systems is a cross-functional effort that requires the help of ERP administrators and cybersecurity teams, as well as executive alignment. We suspect this collaboration will be even more essential in the future, especially as there has been a 100% increase in exploits for SAP and Oracle systems in the past three years (more on this in "ERP Applications Under Fire: How cyberattackers target the crown jewels").

If you didn’t get a chance to see us at RSA this year and would like to participate in the survey, you still can! Share your responses here and we will continue to gather the results in order to enhance our ERP security offerings.