CISOs and SAP Cybersecurity: Is Your Anti-Virus Enough?

Sep 24, '19 by Joerg Schneider-Simon

Cybersecurity talent shortages. Employees and vendors who think security policies are just a suggestion. A rapidly growing, AI-driven tsunami of threats.

The role of a Chief Information Security Officer is not exactly what we’d call relaxing.

To succeed as a CISO, you have to be intimately familiar with your organization’s risk surfaces and vulnerabilities, so you can mitigate any weak spots. There’s one risk surface, however, that may not be on your radar: SAP.

One of the most powerful tools in any CISO’s arsenal is a robust anti-virus program, helping you identify and remove (or quarantine) malware before it has the opportunity to wreak havoc in your system.

With SAP, however, things are different. And unfortunately, SAP’s unique cybersecurity needs have a bad habit of slipping under the radar of even the most diligent CISO. Why? First of all, there is not a widespread understanding about why it is different. Second, in many organizations there tends to be a responsibility gap when it comes to keeping SAP safe from cyberattack.

Let’s dive into each of those areas.

Why SAP Cybersecurity Is Different

Using standard tactics to protect SAP would be akin to putting a barrel lock on a sliding door: What works for the usual setup just isn’t effective when you’re dealing with a different configuration.

Why is SAP so different (and such a challenge to protect)?

First of all, file uploads to SAP are a common occurrence, because the system lets suppliers, customers, job applicants and other external parties upload file attachments. Under normal circumstances, that would be fine: Your anti-virus program would simply perform an on-access scan to ensure the file isn’t carrying any malware. With SAP, however, the files are uploaded over an encrypted connection, so network-level anti-virus programs never see the content and cannot perform these on-access scans.

Second, the file storage is different. Scheduled scans are par for the course for anti-virus programs, sweeping through every disk volume on the server to identify and remove (or quarantine) malware. However, SAP file storage is outside of these disk volumes; it’s located in the SAP database, Document Management System or other repository, where a volume sweep can’t reach it. And even if the anti-virus program could sweep through the SAP database, it may be for naught: Uploaded files sit there unexecuted until someone opens them. So, malware could lie in wait, undetected, up to the moment an employee unwittingly opens it.
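To make those two gaps concrete, here is an added Python illustration (not SAP’s own code and not its virus scan interface) of a scan gate that sits inside the application: a constructed, database-backed document store that inspects the decrypted content at upload time and again at retrieval time, the two points where a network scanner and a scheduled volume sweep respectively have no visibility. The signature table, allowed types and sample file contents are constructed for the example.

```python
"""Added illustration: application-layer scan gate for a database-backed
document store. Signatures, types and file contents are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed, deliberately tiny "signature database": byte patterns that must not
# appear in an accepted attachment. A real deployment would call an AV engine here.
SIGNATURES: dict[str, bytes] = {"pe-header": b"MZ", "elf-header": b"\x7fELF"}
# Allowed declared types and the magic bytes their content must start with.
ALLOWED_TYPES: dict[str, bytes] = {"application/pdf": b"%PDF-", "image/png": b"\x89PNG"}


def scan_bytes(data: bytes, declared_type: str, signatures: dict[str, bytes]) -> str:
    """Return "clean" or a reason string. This runs on plaintext inside the
    application, the only place an encrypted upload is ever visible unencrypted."""
    expected = ALLOWED_TYPES.get(declared_type)
    if expected is None:
        return f"declared type {declared_type} not allowed"
    if not data.startswith(expected):
        return f"content does not match declared type {declared_type}"
    for name, pattern in signatures.items():
        if pattern in data:
            return f"matched signature {name}"
    return "clean"


@dataclass
class DocumentStore:
    """Stands in for the SAP database/DMS: blobs live here, not on a disk
    volume, so a scheduled volume sweep never sees them."""
    signatures: dict[str, bytes]
    blobs: dict[str, tuple[str, bytes]] = field(default_factory=dict)
    audit: list[tuple[str, str, str]] = field(default_factory=list)

    def upload(self, name: str, data: bytes, declared_type: str) -> bool:
        """Gate 1: scan at ingress, before the blob is persisted."""
        verdict = scan_bytes(data, declared_type, self.signatures)
        self.audit.append((name, "upload", verdict))
        if verdict != "clean":
            return False
        self.blobs[name] = (declared_type, data)
        return True

    def download(self, name: str) -> bytes | None:
        """Gate 2: re-scan at egress with the current signatures, so a blob that
        passed ingress before a signature update is caught before it is opened."""
        declared_type, data = self.blobs[name]
        verdict = scan_bytes(data, declared_type, self.signatures)
        self.audit.append((name, "download", verdict))
        return data if verdict == "clean" else None
```

The `audit` list is what a SOC would forward to its SIEM: every rejected upload or blocked download carries the file name, the gate and the reason.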

Who Should Be Responsible for SAP Cybersecurity?

Typically, the people in any organization who understand SAP best are those who are responsible for things like governance, controls, segregation of duties and permissions, and troubleshooting. These folks are excellent at making sure that nobody internally is able to do anything with SAP other than what they’re precisely allowed to do, which provides security against internal theft, sabotage, and espionage.

Do they understand cybersecurity, however? Do they know why SAP’s web forms make it more vulnerable to persistent cross-site scripting attacks?

Probably not.

So, on one hand you have your IS team, which knows cybersecurity inside and out but may be unfamiliar with SAP. On the other hand, you have the SAP team, which knows SAP like the back of their hands but has no training or knowledge when it comes to cybersecurity.

What we wind up with is each team thinking the other one has it handled, with important jobs like SAP security updates falling through the cracks.

How CISOs Can Keep SAP Systems Safe

Fortunately, these two problems have relatively straightforward solutions; they simply require time and organizational will.

An excellent first step is to sit down with your organization’s SAP team and have a frank discussion about SAP cybersecurity. Talk about your division of duties, how often certain tasks need to be done, and what training might be required for your team or theirs to make sure these tasks are done adequately.

The second step? Familiarize yourself with SAP’s unique cybersecurity needs. SAP does have a virus scan interface, but even advanced anti-virus software is not compatible with it, requiring specialized solutions.

CISOs are the unsung heroes of every organization, with their hard work and expertise often taken for granted. By devoting the time and resources to keeping your SAP system safe from cyberattack, you can continue to be your organization’s hero in today’s challenging cybersecurity environment.
