10 Ways to Avoid SAP Security Breaches

Release Dynamix for SAP

During the past few months, there were several high priority SAP security incidents.

An old SAP security vulnerability – caused by unpatched systems – raised the alarm of the United States Department of Homeland Security, resulting in a rare security alert.

The estimated cost of SAP systems taken offline is $4.5 million. Yet, too many organizations think their ERP security is too big to manage, so – until there is a disaster – it gets ignored.

Here are 10 steps you can take to avoid SAP security breaches.

1. Prioritize SAP security

Until there is a disaster, there is a tendency to sweep security under the rug and be reactive instead of proactive. However, there may be security vulnerabilities that you don’t know about and by the time you become aware the damage is already done. According to a paper presented by Onapsis at the RSA Conference in 2015, only half of respondents felt confident that they would discover a breach within a year. Further research shows that 70% of enterprises skip security and compliance audits of their ABAP code. Nevertheless, 60% of IT and IT security professionals fear that the impact of an attack on their SAP applications would be catastrophic.


2. Ensure there is an owner for security issues

If there is a security breach who is responsible? Half of the survey respondents feel that SAP – and no one in their own organization – is responsible for a breach. How can an organization manage that? Another 30% said no one is responsible. Only a small percentage believe that a security breach is the CIO or CISO’s responsibility.

Unfortunately, the dangers of insecure SAP applications are still underestimated by the C-suite, with 63% of C-level executives underestimating the risk associated with insecure SAP applications.

But someone is getting fired if a breach occurs.


3. Keep EHP Updated

One of the most important steps to stay secure is simply to stay up-to-date. Make sure you are running the latest enhancement packs and aren’t lagging several versions behind. While you don’t have to be bleeding edge – there is always a risk in being the early adopter – you also can’t be falling behind. Technology and security standards constantly improve. After several years, SAP stops releasing security updates and fixes.


4. Install SPS

SAP releases periodic Support Package Stacks. Support Package Stacks are support packages and patches for a given product that should be used together. SAP recommends applying these stacks at least once a year and details the maintenance schedule on their website. You can also use Panaya to identify the most critical SPSs for your system.


5. Maintain properly configured systems

In May, the United States Department of Homeland Security issued a security alert that at least 36 organizations are vulnerable due to unpatched misconfigured and outdated SAP systems, putting their entire business at risk. The affected patch affected not only SAP ECC but also SAP SCM and other components of the business suite.

Even though the vulnerability could be easily switched off, as Reuters reported, “SAP fixed the issue, but left the decision over whether to switch off an easy access setting up to its customers, who may sometimes place a higher priority on keeping their business-critical SAP systems running than on applying security updates.”

“This is not a new vulnerability,” Mariano Nunez, chief executive of Onapsis, told Reuters. “Still, most SAP customers are unaware that this is going on.”


6. Ensure your SAP applications are updated

The vulnerability mentioned above affected not only SAP ECC but also many other components of the business suite.  Make sure you are also keeping your SAP applications patched and up-to-date. They shouldn’t lag behind your SAP ECC.

For example, if you are running SAP SCM you can use Panaya CloudQuality™ Suite to inspect your system with crowd-based insights, see where you stand, what needs updating and know how to change.


7. Return to standard

Custom code is code that is not updated and code that is not patched. Custom code opens the door to risks. Much of your custom code is unused.  As programming languages update standards and your SAP applications are updated over the years, it’s important not to accrue vulnerable technical debt in custom legacy code.

By eliminating your unused code and reverting back to the standard installation, you can reduce the risk of a security vulnerability.


8. Run frequent health checkups

According to the Ponemon Institute, organizations have limited visibility “into the security of SAP applications and many do not have the required expertise to quickly prevent, detect and respond to cyber attacks.”

Early detection is the key to staying secure. Just as healthy people need annual checkups and preventative medicine to stay healthy and detect issues early, frequent checks of your ERP system helps you gain full visibility and understanding of your ERP landscape before making changes as well as identify where you are falling behind. With frequent health checkups, you can identify security gaps.


9. Stay Alert

Stay alert. 47% of survey respondents believe that the frequency of attacks against their SAP infrastructure will increase over the next two years. Yet, 75% of IT professionals already think that their SAP platforms already have at least one malware infection and are ignoring them.


10. Embrace the Digital Transformation

The era of waterfall is over. Infrequent releases are not the way of the world anymore. Agility has won. By embracing the digital transformation, getting fast and frequent feedback, organizations can quickly respond to critical security issues. This ensures that security issues don’t get ignored and crisis is averted.