This is the overall conclusion of the SAP Security Survey Report 2021 undertaken by risk management consultancy Turnkey Consulting and Onapsis, a specialist in application cybersecurity and compliance solutions.
Only 14.3 percent of respondents believe an external attack is the greatest risk to their SAP environment, despite digital transformation, cloud-first approaches, and mobile access increasing the levels of external threat faced by SAP systems. 40.8 percent believe internal fraud is the biggest threat, 26.5 percent say a data loss or breach, 12.2 percent opt for systems downtime, and 6.1 percent are not sure.
The average SAP customer will have around 2,500 vulnerabilities within their custom code (programs created to tailor the SAP system for their specific needs), but 36.7 percent of respondents don’t review this code for security and quality issues. An equal number (36.7 percent) carry out reviews, but do so manually, an approach that is slow and error-prone. 32.7 percent do not review code developed by third parties before it is imported into their SAP system, while 20.4 percent are not sure whether they do. The fact that 36.7 percent of survey respondents had experienced downtime in their SAP landscape as a result of coding issues highlights the vital importance of review activity.
False sense of security
The research covered a range of questions that looked at how prepared customers were to deal with outside threats; most specifically it explored the perception that SAP systems are protected because they are within the internal network, and how this belief influences attitudes to external risks. Other key findings include:
- 18.4 percent agree with the statement that “SAP is within our network, and so is secured against cyberthreats”, while 26.5 percent are not sure. 51 percent do not believe this to be the case and 4 percent don’t know. It should be noted that those that are confident about being fully secured have the right tools and monitoring in place, or low levels of internet-facing activity.
- Only 28.6 percent can confirm they have an SAP vulnerability management program in place.
- Only 28.6 percent can say for certain that their Security Operations Centers (SOCs) have visibility into SAP security events – demonstrating the disconnect between SAP security and the wider IT security environment.
- 51 percent say their SAP systems are always up-to-date and updated with the latest patches, but 36.7 percent report this is not the case and 12.3 percent aren’t sure.
- Nearly a third (30.6 percent) feel their users’ maturity and capability to manage cyberrisk to the SAP landscape leaves room for improvement, with the same number believing it was only average.