bowbridge’s 9 SAP Cybersecurity Trends for 2019
Jan 17, '19 by Joerg Schneider-Simon
During this time of year, it’s natural to look to the year ahead and predict what it will bring. Cybersecurity experts have been doing this for decades, analyzing trends and developments to estimate a forthcoming landscape and alerting organizations to what cybersecurity trouble may come knocking.
However, most of these trend lists focus solely on overarching cybersecurity.
What about cybersecurity for SAP?
As we know, SAP cybersecurity does not neatly overlap with general cybersecurity matters. This is because of SAP’s unique structure: Not only is SAP excluded from on-access and scheduled virus scanning, but SAP’s virus scan interface doesn’t even connect with standard anti-virus programs in the first place.
So, if SAP cybersecurity is different, where does it fit into the overarching trends for 2019? Read on for our list of trends for 2019, and where SAP fits into the picture:
1. An Uptick in ERP Attacks
In July of 2018, Onapsis and Digital Shadows released a report illustrating how ERP systems, including SAP, are an increasingly popular target for cyberattack – and that the sophistication of these attacks is increasing. Juan Pablo Perez-Etchegoyen of Onapsis claims that cyberattackers are shifting their focus from traditional platforms to “business critical applications [that] are extremely high-risk applications.” This trend shows no signs of slowing down, and we predict that attacks directed toward ERP systems will only increase in scope and sophistication in 2019.
2. More Nation-State Cyberattacks
Overall, government officials have continually failed to take cybersecurity as seriously as physical security, with a collective international shrug being the response to state-sponsored data theft and cyberattack. Seeing how effective and repercussion-free such attacks have been, expect nation-states to ramp up this type of attack in the coming year. Considering that many government agencies worldwide use SAP applications, cyberattacks on these applications will likely intensify.
3. An Increase in Form-Field Application Attacks
Paper forms are becoming a rarity, as an increasing number of information requests are performed online. On the consumer side, eCommerce sites are finding themselves under siege by cyberattackers who are embedding malicious scripts into form fields, allowing them to steal credit card and other sensitive data. Organizations using SAP will also find themselves under increased attack, as cyberattackers will target NetWeaver-based applications that have public-facing forms.
4. Cybersecurity Reaches the Boardroom Table
The recent spate of high-profile data breaches has struck fear into many organizations. A double-punch of negative media coverage and angry consumers has resulted in CEOs (like Equifax’s Richard Smith) stepping down in shame, making other companies’ executives wonder if they could be next. CEOs and board directors who previously left cybersecurity matters solely within the purview of the CIO will take a much greater interest in discussing how to improve their cybersecurity and avoid the financial and reputational devastation that a data breach can bring. As ERP systems are such a rich trove of data, these executives will find themselves needing a crash course on how SAP works and how to best protect it.
5. A Rise in Cyber Hygiene Awareness
During these aforementioned boardroom discussions, many companies are starting to realize that their cybersecurity has a weak link: their staff. Often targeted for cyberattacks delivered via phishing, individual employees may not have been adequately trained to protect their passwords (or choose strong ones), be suspicious of attachments, or keep devices and laptops secure at all times. This is of particular interest to organizations that use SAP Fiori, allowing staff to access SAP applications remotely. We predict that companies will become more aware of the need to regularly and thoroughly train staff on cybersecurity awareness.
6. An Increase in Cybersecurity Spending
According to Gartner, worldwide cybersecurity spending will increase by 9 percent this year, topping $124 billion. However, in light of the widely publicized cybersecurity skills shortage (and the even larger SAP cybersecurity skills shortage), companies will have to get creative when it comes to bolstering their cybersecurity. We anticipate organizations turning to specialized software and external teams of experts to make up for the staffing shortfall as they combat malware and data breach attempts.
7. But… The Status Quo on Passwords
While companies may grow more aware of cyber hygiene, things won’t improve overnight. One gap that will remain will be with passwords and authentication. Hacking passwords is virtually child’s play for even novice cybercriminals and is made easier by people who write passwords down, never change their password, or use the same password for everything, including mission-critical systems like SAP. This risk is increased for homogeneous systems, where one password gives access to a multitude of related functions and applications. Unless organizations make a concerted effort to implement multi-factor authentication and drive home the need for stringent password security, password-based cybersecurity breaches will continue to rise.
8. More Laws Protecting Devices and Data
As our lives are increasingly linked to networks, the risk surface grows exponentially. Everything from online home assistants to Bluetooth-connected door locks to SAP ERP-connected industrial equipment and vehicles has the potential to fall prey to cyberattack. Even more alarming is the fact that many of these devices have no inherent cybersecurity features, explaining why successful cyberattacks on them are increasing. We anticipate that more governments will follow California’s lead in requiring manufacturers to implement security features in IoT devices. We also expect that laws like GDPR, which protect data privacy, are just the beginning of a consumer-led tidal wave of backlash against data collection and use; expect similar laws to crop up in other regions.
9. Compliance Is King
The 2018 advent of GDPR and its stringent compliance requirements may have been many companies’ first brush with regulatory compliance rules and how difficult they can be to meet. Larger companies, however, have increasingly turned to governance, risk, and compliance (GRC) software and services to help them navigate their risk management. We expect that the world of risk management and cybersecurity will overlap more and more as companies become aware of how their cybersecurity can affect their regulatory compliance and vice versa. This will lead these companies to cast a critical eye on mission-critical systems like SAP and what demonstrable, documented steps can be taken to mitigate risk and adhere to regulations.
As 2019 begins, the world of cybersecurity stands at a crossroads. While sticking with the status quo may seem easier, pitfalls and dangers lie in wait. Organizations will need to muster their courage and their resources and traverse a new path, facing the year’s upcoming challenges head-on, if they hope to emerge at the other end unscathed.