SAP Customer Survey Reveals False Sense of Security

Many SAP customers have a false sense of security, according to a new report from risk management consultancy Turnkey Consulting and business-critical application security firm Onapsis.

The SAP Security Survey Report 2021 is based on information from over 100 SAP customers in the United States, Europe and Asia.

Six percent of respondents admitted suffering a data breach related to SAP systems in the past couple of years, but nearly a quarter said they were not sure, which indicates that they may not have the ability to detect such a breach.

More than 40% of respondents are most concerned about internal fraud or misuse, 26% about data loss or data breaches, and only 14% about external attacks.

Roughly 45% of respondents believe — at least to some degree — that SAP is secured against cyber threats due to it sitting on the organization’s network.

Turnkey’s application and cyber security practice director, Tom Venables, noted that malicious actors have increasingly realized that SAP systems often contain valuable information. In addition, a study conducted recently by SAP and Onapsis showed that threat actors often start targeting vulnerabilities in SAP applications within days after a patch is made available.

On the other hand, only 28% of respondents could confirm that they have a vulnerability management program for SAP systems, and only half of those who took part in the survey are confident that their SAP systems are always patched.

“The overarching finding of this survey is that many SAP customers are operating under a false sense of security,” the report says. “Despite the fact that a small majority agree that SAP isn’t fully protected within the internal network, the threat from outside is not being taken quite as seriously as it should be.”

When asked if they review custom SAP code for security and quality issues, roughly half of respondents said they do, but many rely on manual reviews, which, according to Venables, are time-consuming and prone to human error.

More than half of respondents also don’t — or they aren’t sure if they do — review third-party code before importing it into SAP systems. And only 53% are confident their organization can detect problematic or insecure custom code before it reaches production systems.

Code reviews are important considering that the custom code used by SAP customers, according to the authors of the report, has, on average, roughly 2,500 vulnerabilities.

Nearly 37% of respondents confirmed experiencing SAP downtime due to coding issues.

The full SAP Security Survey Report 2021 is available in PDF format on Turnkey’s website.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
