10 Ways to Avoid SAP Security Breaches

SAP Security

Business Hyperconnectivity creates new challenges in security and risk. We love getting the goods we want as quickly and inexpensively as possible. But it takes a lot of data sharing between totally separate systems and companies to make it work.

Forrester researchers found enterprise data strategy continued to be a top initiative for executives, because “it’s critical in unlocking a firm’s digital transformation — and necessary to take advantage of AI and machine learning.” They predicted advanced companies will double their data strategy budget. Gartner analysts listed “transparency and traceability” in that firm’s Top Ten Strategic Technology Trends for 2020. They said highly connected systems in smart spaces will increase opportunities for business transformation.

Remote SAP Testing

SAP on the Defense

However, as analysts firms are reviewing investment trends, SAP experts are preoccupied with implications on their systems’ vulnerabilities. A recent Onapsis report determined that some 50,000 companies are running vulnerable SAP systems.

Only recently, SAP itself had to apologize to the government of New Zealand after a massive data breach revealed the details of gun owners’ names, addresses and firearms.

The breach was down to a change in user access given to dealers participating in the buyback scheme, and while there was no hacking involved, 66 dealers were able to access sensitive information.

SAP is supposedly reviewing and developing encryption and security solutions. All the while, it is directing its clients once again to security alerts, stressing the need for proper system configurations, and emphasising that security is a collaborative process.


You might also like our blog
SAP S/4HANA Migration Guide


Making SAP Security a Priority at Your Organization

Organizations across the value chain, from farms and factories, to shippers, wholesalers and retailers, are constantly attempting to balance the sharing of information with having control over it.

64% of IT decision makers have reported a breach in their ERP systems in the past year, according to the IDC survey of 430 IT decision makers. While the majority of survey respondents agree that ERP applications are ‘critical’ to business operations, 62 percent believe that their ERP applications have critical vulnerabilities despite an attention to patching.

Here are 10 steps you can take to avoid SAP security breaches

1. Ensure There Is an Owner for Security Issues

If there is a security breach who is responsible? Half of an Onapsis survey respondents feel that SAP – and no one in their own organization – is responsible for a breach. How can an organization manage that? Another 30% said no one is responsible. Only a small percentage believe that a security breach is the CIO or CISO’s responsibility.

Unfortunately, the dangers of insecure SAP applications are still underestimated by the C-suite, with 63% of C-level executives underestimating the risk associated with insecure to SAP applications. But someone is getting fired if a breach occurs.

2. Keep EHP Updated

One of the most important steps to stay secure is simply to stay up-to-date. Make sure you are running the latest enhancement packs and aren’t lagging several versions behind. While you don’t have to be bleeding edge – there is always a risk in being the early adopter – you also can’t be falling behind. Technology and security standards constantly improve. After several years, SAP stops releasing security updates and fixes.

3. Install SPS

SAP releases periodic security solutionsas Support Package Stacks. Support Package Stacks are patches for a given product that should be used together. SAP recommends applying these stacks at least once a year and details the maintenance schedule on their website. You can also use Panaya to identify the most critical SPSs for your system.

4. Ensure Code Quality

The proportion of proprietary developments in SAP systems averages over 30 percent in some industries. With statistics showing one critical security defect per 1,000 lines of ABAP® code.

SAP system performance can be adversely affected. In fact, a typical SAP system contains 2,151 risks, and with 70% of enterprises regularly skipping security and compliance audits of their ABAP custom code, their SAP system is exposed to major threats.

Securing your code can be simplified. Organizations no longer need to take on major security projects that require extra IT time, budgets and manpower. By analyzing your code prior to an upgrade, you can identify and prioritize all risk and issues and how to address them before you begin an upgrade.

Automatically combine coding and quality assurance into a single activity to eliminate code instability with predefined ABAP standards for security, performance, maintainability, robustness and compliance.

Finally, be sure to keep only the custom code that you use. Redundant unused custom code increases the efforts in unneeded code corrections, and introduces undue risks.


You might also like our blog
SAP® Development: Dodging the Dangers of Customization


5. Maintain Properly Configured Systems

In May, the United States Department of Homeland Security issued a security alert that at least 36 organizations are vulnerable due to unpatched misconfigured and outdated SAP systems, putting their entire business at risk. The affected patch affected not only SAP ECC but also SAP SCM and other components of the business suite.

Even though the vulnerability could be easily switched off, as Reuters reported, “SAP fixed the issue, but left the decision over whether to switch off an easy access setting up to its customers, who may sometimes place a higher priority on keeping their business-critical SAP systems running than on applying security updates.”

“This is not a new vulnerability,” Mariano Nunez, chief executive of Onapsis, told Reuters. “Still, most SAP customers are unaware that this is going on.”

6. Ensure Your SAP Applications Are Update

The vulnerability mentioned above affected not only SAP ECC but also many other components of the business suite.  Make sure you are also keeping your SAP applications patched and up-to-date. They shouldn’t lag behind your SAP ECC.

For example, if you are running SAP SCM you can use Panaya ECC Impact Analysis to inspect your system with crowd-based insights, see where you stand, what needs updating and know how to change.

7. Return to Standard

Custom code is code that is not updated and code that is not patched. Custom code opens the door to risks. Much of your custom code is unused. As programming languages update standards and your SAP applications are updated over the years, it’s important not to accrue vulnerable technical debt in custom legacy code.

By eliminating your unused code and reverting back to the standard installation, you can reduce the risk of a security vulnerability.

8. Run Frequent Health Checkups

According to the Ponemon Institute, organizations have limited visibility “into the security of SAP applications and many do not have the required expertise to quickly prevent, detect and respond to cyber attacks.”

Early detection is the key to staying secure. Just as healthy people need annual checkups and preventative medicine to stay healthy and detect issues early, frequent checks of your ERP system helps you gain full visibility and understanding of your ERP landscape before making changes as well as identify where you are falling behind. With frequent health checkups, you can identify security gaps.

9.Stay Alert

Stay alert. 47% of survey respondents believe that the frequency of attacks against their SAP infrastructure will increase over the next two years. Yet, 75% of IT professionals already think that their SAP platforms already have at least one malware infection and are ignoring them.

10. Embrace the Digital Transformation

The era of waterfall is over. Infrequent releases are not the way of the world anymore. Agility has won. By embracing the digital transformation, getting fast and frequent feedback, organizations can quickly respond to critical security issues. This ensures that security issues don’t get ignored and crisis is averted.

Remote SAP Testing

Start changing with confidence

Book a demo
Skip to content