Who is Responsible for SAP Security?

April 26, 2017 | From Virtual Forge GmbH

Although IT professionals and CISOs understand the seriousness of cyber security threats, there is still a major communication gap when it comes to who needs to own SAP security.

Despite the highly publicized cyber attacks on companies of all sizes - including massive enterprise organizations - executive management continues to overlook one of the most sensitive aspects of enterprise IT: their SAP applications. What's more, while many in the C-suite may not understand the technical aspects and ramifications of an SAP breach, SAP security is also often overshadowed within the IT department, even though IT staff understand well the risks that come with security exploits and software flaws. The problem is that SAP applications are designed to run critical IT systems, often housing sensitive company data, customer records, and other files that can cause a lot of damage to a company if they are hacked into.

So why does SAP security almost always get pushed to the back burner when it comes to managing cyber attacks? It's not that SAP systems are impenetrable. Quite the opposite - SAP has released 108 patches (or Security Notes) in the last six months alone - 29 of which were rated "high" or "very high" priority.

The most likely explanation is a misunderstanding that has persisted for almost as long as SAP has been around: the question of where the responsibility for managing SAP security falls - with the enterprise company or with SAP. If you don't believe us, you only have to look as far as a 2016 report by the Ponemon Institute, which found that a jaw-dropping 54% of enterprise organizations believed that it was the responsibility of SAP to manage SAP security. Given that a large percentage of SAP applications contain custom code designed to meet a company's exact specifications, it is surprising that most organizations think the responsibility for keeping their custom SAP software secure lies with SAP. This mindset is not only making it easier for cyber criminals to find entry points into highly sensitive IT systems, it is also putting companies, their customers, and their shareholders at risk. Unfortunately, most companies don't seem to see it that way.

To make matters worse, the same Ponemon report found that even though SAP consistently publishes Security Notes to patch vulnerabilities in its code, many organizations don't deploy the security patches because they are reluctant to interrupt critical business systems. Instead, many of them wait until a scheduled functional upgrade, which often happens as infrequently as once or twice a year.

How Big of a Problem is SAP Security?

While many IT professionals and CISOs understand the massive risks involved with lagging SAP security, they are not as bullish on their ability to detect an SAP application breach. Only 25% of enterprise respondents were confident that they could find an SAP breach immediately. Most organizations (a full 53%) felt confident that they would be able to find an SAP security breach within a year, giving cyber criminals more than enough time to damage a company to the point of not being able to recover.

Even so, IT professionals fully expect to see an increase in SAP security breaches and more sophisticated attacks. Without putting more money and effort into improving SAP security, enterprises will keep putting themselves and their customers at risk.
