Even SAP responded in its own way. Then SAP executive board member Gerd Oswald talked about the danger of viruses during Sapphire Europe (anyone still remember that?) in Nice, France. However, according to Oswald, there was little to talk about when it came to SAP and security.
The R/3 system relies on Abap tables, and viruses supposedly didn’t stand a chance against those. And true enough, the “I love you” virus wasn’t able to penetrate SAP’s system.
Some time ago, I attended a NTT Security conference in Germany. I got there with a strong opinion in mind. I thought that cybercriminals attempting to steal data and files or corrupt them with viruses and trojans won’t have any luck with SAP systems. ERP systems are just too complex; the invaluable data stored within them will never be an open book to someone without the right access codes.
I was fairly confident about that – my own experience with our own SAP Business One system was enough to make that judgement, I thought.
Security is important for SAP as well
However, hackers don’t have to steal the data – encrypting it and then demanding ransom money would suffice. Furthermore, if a cybercriminal succeeds to tap into the connection between server and client, they can easily understand what’s happening – without ever touching a single Abap file.
NTT Security very impressively demonstrated what cybercrime can mean today. Unfortunately, they were no talks or demonstrations focused solely on SAP – which isn’t NTT Security’s fault. There is still a prevailing lack of interest in security in the SAP community.
At Sapphire 2019, Hasso Plattner himself mentioned a small security scandal. Customers had trouble dealing with a data breach. However, this security issue was mostly caused by customers not implementing security patches from over ten years ago. So, Hasso Plattner was right in saying that SAP customers should be more careful themselves.
NTT Security also backed this position up: if customers keep their systems up to date with the most recent patches and updates, they are already halfway to a sustainable security strategy.