SAP is one of the world’s leading tech brands. Responsible for producing cutting edge customer relationship management and tracking tools for businesses of all kinds, the German company has a presence on every continent. It’s no exaggeration to say that, without SAP’s products, the world of “just in time” delivery and lean management would be unimaginable.
Because of this, any security flaws in SAP products is a massive deal. Unfortunately, the past few years have seen rising hacker threats to SAP applications, leading to in-depth discussions about how (and whether) they can be secured in the future.
This article will look at why this matters, what kind of threats are occurring, and how organizations can secure SAP apps and the data they process.
SAP: creating a new era of data processing, and new cyber-threats
Based in Walldorf, Germany, SAP has around 400,000 clients spread across the globe. It operates in numerous sectors, delivering services like CRM, ERP, cloud storage, and generalized data handling solutions.
As well as becoming a global leader in cloud-based storage (in cooperation with IBM), the company has branched out into the Internet of Things, offering its data processing expertise, alongside AI-based machine learning. Put together, this suite of services makes SAP a go-to provider for the nuts and bolts IT required to run many modern businesses.
However, this also leads to a dependency on SAP which can present additional risks. Whenever large amounts of information pass through applications, sensors, and storage solutions, there is a risk of a data breach taking place. And that’s why SAP’s security is constantly under the microscope.
It’s vital to understand the risks before it’s too late. Don’t let your organization take a place on lists of worst data breaches of 2019.
What security risks are associated with SAP products?
When security experts have peered into the microscope, the results haven’t necessarily been pretty. SAP’s applications have experienced a sharp rise in malicious cyberattacks in recent times that all clients need to be aware of.
The first signs appeared in 2012 when the hacking group Anonymous broke into SAP systems held by Greece’s Ministry of Finance, coming away with a number of credentials for ministry employees.
Soon after, special SAP malware started to appear. One of the malware samples used screen-grabbing techniques to capture banking information and certificates. It also used keylogging to harvest password data.
In other cases, older vulnerabilities have re-emerged from nowhere. For example, 2014 saw an attack on GPU-maker NVidia using an old SAP NetWeaver vulnerability. Apparently, NVidia had simply failed to implement an SAP approved patch, leading to a huge customer service data breach.
Then came the biggest SAP-related security alert yet. The US Department for Homeland Security released a US-CERT alert regarding the safety of ERP systems, with a focus on SAP. This alert documented as many as 36 separate illicit intrusions into corporate SAP systems from 2013-2016 – putting millions of records at risk.
Since then, the attacks and alerts have continued. In 2018, the US National Cybersecurity and Communications Integration Center released a damning report on ERP security, citing: “A rapidly rising interest by hacker activists, cybercriminals and government spy agencies” in raiding vulnerable ERPs.
According to the report, at least 10,000 major organizations are running vulnerable SAP implementations, and there are 4,000 separate bugs in SAP packages that attackers can exploit.
Moreover, as Gartner’s Neil McDonald puts it: “Publicly disclosed attacks are rare, so the problem remains largely ignored.” There’s often an unwillingness to admit weaknesses, both to safeguard share prices, resist expensive remedial investments, and ward off potential attackers. That’s actually a recipe for continuing attacks.
Why are these SAP cybersecurity threats so challenging?
There are several reasons why SAP clients are vulnerable to cyberattacks:
- Large attack surface. When numerous IoT, networks, and storage tools are connected in SAP systems, this can present an appetizing target for hackers, and securing all systems can be challenging.
- Tempting targets. Hackers know that when clients implement SAP solutions, they do so because they need to manage high-value data flows, so it’s usually worth expending effort to hack into these networks.
- Poor updating procedures. SAP solutions need to be patched and updated regularly, just like any other IT solution. These patches aren’t always implemented, raising the risks associated with cyberattacks. Companies often resist the need to patch, preferring to avoid the hassle of disrupting CRM or payment systems – sometimes with devastating results.
- Poor cybersecurity strategy. In some cases, companies choose to implement costly SAP solutions but fail to couple this with an investment in cybersecurity. A few technicians may be familiar with the risks but security knowledge may be lacking in the wider corporate structure.
- Careless employee behavior. This feeds into a final risk-magnifier. Many firms rely on SAP software but have outdated employee security policy, leading to lax password and general network security.
Are these cyberattacks and vulnerabilities a big deal?
While we know that there have been numerous reported, and even more unreported attacks involving SAP systems, the scale of the threat may not be clear. But it’s important, to be honest about this: anyone who uses SAP software and doesn’t invest in security solutions is running a risk.
The average cost of SAP security breaches is estimated at $5 million per attack, and the risks are growing. According to these figures, there was a 100% increase in publicly known SAP exploits between 2017 and 2018. And off-the-shelf ERP hacking tools like Dridex are commonplace among hackers and hacktivist groups.
Given that situation, managers who use SAP-based ERP or CRM systems should plan for an attack on a “when”, not an “if” basis. Being prepared is non-negotiable unless you are happy to suffer crippling reputational and financial risks.
How can SAP customers minimize the risks of a catastrophic data breach?
We’ve touched on a few solutions already, but it’s worth treating them in more detail before we conclude.
- Patches and updates
Above all else, it’s essential for SAP clients to update their systems systematically, just as SAP representatives themselves recommend. It may be tempting to resist updates, especially if your systems require downtime when patches are installed. But that’s a huge error. SAP devs work hard to counter exploits as they appear, and as NVidia’s case demonstrated, even years-old weaknesses can come back to haunt lazy users. It’s also worth noting that SAP site offers a service called Support Packs, which combine multiple patches. They can be a good way to catch up on long periods of missed updates.
- Schedule regular SAP audits
It’s also really important to ensure that the code which underlies SAP systems is fit for purpose. SAP’s software tends to use a language known as ABAP, and this can pose problems for some companies. Relatively few organizations possess the skills required to audit ADAP code, so many shut their eyes and pray. Don’t do that. If necessary, bring in ABAP auditors.
- Don’t always rely on SAP, be proactive
Thirdly, don’t assume that, because it is a reputable tech company, SAP will always automatically apply security updates and ensure that clients are protected. In 2018, when the various exploits became well-known, SAP released a series of patches designed to switch off vulnerabilities. But this “switch” was left up to users to implement, even if the updates were installed. So be proactive. Contact your SAP representative to ask about plugging security gaps. They should be happy to help.
- Tighten up employees’ security skills
As we discussed above, human error can be a major threat to SAP systems. For instance, indiscipline staff members are more likely to click on unsolicited attachments in suspicious emails, which can lead to virus infections. Small undetected infection can lead to a serious data breach. So, train staff regularly to adopt healthy security habits. It sounds simple, but many companies neglect these security basics – to their cost.
Data breaches, fraud, ransomware, theft of sensitive information – all sorts of nasty surprises lie in store for SAP users if they don’t improve their security posture. There’s no reason to migrate away from SAP’s products, but it’s vital to use them as safely as possible. In a world of multiplying security threats, poor SAP security is a mistake most organizations simply cannot afford to make.