Press Release

Ponemon Institute Study Reveals Risk of Cyber Attacks to Oracle E-Business Suite Drastically Underestimated by C-Suite

TRAVERSE CITY, MI., and BOSTON, MA., August 30, 2017 (Business Wire) – Ponemon Institute today released the results of the industry’s first research survey on Oracle E-Business Suite (EBS) cybersecurity, sponsored by Onapsis. This survey demonstrates that a majority of companies surveyed, 70 percent, believe it is likely their company would have a data breach due to insecure Oracle E-Business Suite (EBS) applications. This same group indicates their company’s Oracle platform has been breached an average of two times in the past 24 months – and they expect the frequency, stealth and sophistication to significantly increase. Yet 73 percent indicate C-level executives tend to underestimate the risks associated with insecure Oracle EBS applications, rated by study participants as the most, or one of the most, critical applications to their operations.

This perception gap is furthered by the limited visibility organizations have into the security of Oracle EBS applications – a surprising blind spot given that 60 percent of respondents say the impact of information theft, modification of data and disruption of business processes would be catastrophic (16 percent) or very serious (44 percent) and could lead to an average cost of $5M.

Additionally, underscoring the global workforce challenge, 43 percent of organizations don’t have the required security expertise to prevent, detect and respond to a cyber attack targeting Oracle EBS applications.

Other findings include:

  • Breaches Not Detected: 79 percent of participants are not confident they could detect an Oracle EBS breach immediately; even a year later, 44 percent do not believe they could detect a breach.
  • Lack of Ownership: 20 percent of respondents believe that no one is accountable internally for the security of Oracle EBS applications and 63 percent believe Oracle is responsible.
  • Patching Challenge: 25 percent of respondents say they only apply security patches with functional upgrades, which could render systems insecure for long periods of time. And less than half, 30 percent, of organizations have a monthly plan to implement security patches.
  • Increasing Complexity: New technologies and trends such as cloud, mobile, big data and IoT are expected to further impact risks to their Oracle E-Business Suite applications.

This research is the second in a series of studies aimed at understanding how companies are managing the new category of security for business-critical applications such as SAP and Oracle, the systems that run the world’s largest businesses.

“One of the big surprises in this study is while over half of C-level executives place Oracle E-Business Suite applications in the top five most critical applications, they are not taking appropriate steps to secure these systems,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Additionally, it is worrying that most would not be able to detect an attack to these applications if it were to happen and that ownership appears to be falling through the cracks between IT and InfoSec teams.”

With just under 600 qualified respondents, the research titled “Uncovering the Risks of Oracle E-Business Suite Cyber Breaches” is the first significant study of both IT and InfoSec professionals tasked with protecting their Oracle E-Business Suite applications. Oracle EBS is the most comprehensive suite of integrated, global business applications which span operations such as Customer Relationship Management (CRM), Finance Management, Human Capital Management, Supply Chain Management, Procurement and many others.

“Oracle EBS represents the perfect economic target for cybercrime organizations and nation-state hackers and, compounding the problem, vulnerabilities to these applications are on the rise. With Business-Critical Application Security now becoming an established market and a boardroom topic, it is more important than ever for organizations to take measures to secure these SAP and Oracle applications,” said Mariano Nunez, CEO of Onapsis. “Understanding the threats targeting these critical applications is the first step, but not acting on these threats can have dire consequences. Organizations need to align their internal teams to build a governance model to secure these critical applications that their businesses rely on.”

The full report, which also outlines the Top 11 actions to make Oracle EBS applications more secure, is available for download by clicking here.

On Tuesday, September 26, Onapsis and Ponemon Institute will host a webcast to further discuss the study findings. To register, click here.

About The Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About Onapsis

Onapsis cybersecurity solutions automate the monitoring and protection of your SAP applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms. Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry wide and has gained Onapsis the recognition as a 2015 SINET 16 Innovator.

For more information, please visit, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.


Media contacts:

Leslie Kesselring, Kesselring Communications

