Many SAP customers have a false sense of security, according to a new report from risk management consultancy Turnkey Consulting and business-critical application security firm Onapsis.
The SAP Security Survey Report 2021 is based on information from over 100 SAP customers in the United States, Europe and Asia.
Six percent of respondents admitted suffering a data breach related to SAP systems in the past couple of years, but nearly a quarter said they were not sure, which indicates that they may not have the ability to detect such a breach.
More than 40% of respondents are most concerned about internal fraud or misuse, 26% about data loss or data breaches, and only 14% about external attacks.
Roughly 45% of respondents believe — at least to some degree — that SAP is secured against cyber threats due to it sitting on the organization’s network.
Turnkey’s application and cyber security practice director, Tom Venables, noted that malicious actors have increasingly realized that SAP systems often contain valuable information. In addition, a study conducted recently by SAP and Onapsis showed that threat actors often start targeting vulnerabilities in SAP applications within days after a patch is made available.
On the other hand, only 28% of respondents could confirm that they have a vulnerability management program for SAP systems, and only half of those who took part in the survey are confident that their SAP systems are always patched.
“The overarching finding of this survey is that many SAP customers are operating under a false sense of security,” the report says. “Despite the fact that a small majority agree that SAP isn’t fully protected within the internal network, the threat from outside is not being taken quite as seriously as it should be.”
When asked if they review custom SAP code for security and quality issues, roughly half of respondents said they do, but many rely on manual reviews, which, according to Venables, are time-consuming and prone to human error.
More than half of respondents also don’t — or they aren’t sure if they do — review third-party code before importing it into SAP systems. And only 53% are confident their organization can detect problematic or insecure custom code before it reaches production systems.
Code reviews are important considering that the custom code used by SAP customers, according to the authors of the report, has, on average, roughly 2,500 vulnerabilities.
Nearly 37% of respondents confirmed experiencing SAP downtime due to coding issues.
The full SAP Security Survey Report 2021 is available in PDF format on Turnkey’s website.
Related: ‘RECON’ Vulnerability Exposes Thousands of SAP Systems to Attacks
Related: Another Critical Vulnerability Patched in SAP Commerce

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.