Five Lessons from the 2019 Onapsis/IDC Survey

Dec 9, '19 by Joerg Schneider-Simon

More than two-thirds of ERP systems were breached in the last 24 months according to a 2019 survey conducted by IDC for Onapsis.

ERP Security: The Reality of Business Application Protection, the IDC survey of 430 IT decision makers, reveals that 64% of organizations have experienced a breach in their SAP or Oracle E-Business Suite systems in the past 24 months.

What else can we learn from this survey? Here are our top five takeaways.

Lesson 1: Hackers Don’t Discriminate

The cyber criminals, hackers, disgruntled employees and other malicious actors who are breaching ERP systems don’t discriminate. They have an appetite for all types of data.

Among the companies whose ERP systems were breached within the last 24 months, the types of data compromised represented a wide spectrum of the information assets held by today’s enterprises. The compromised data included:

  • sales data (50%)
  • HR data (45%)
  • customer personally identifiable information (41%)
  • engineering information (38%)
  • intellectual property (36%)
  • financial data (34%)

Respondents ranked financial and sales data as the two most critical types of compromised data.

Lesson 2: Hackers Might Be on Your Payroll

“The information compromised most often, according to this research, is the highest regulated in today’s business ecosystem,” says Larry Harrington, former Chairman of the Global Board of the Institute of Internal Auditors. “Most concerning is the popularity of sales, financial data and personally identifiable information, all of which should raise flags about the possibility of insider trading, collusion and fraud.”

Lesson 3: Your Board Should Know That Audits Aren’t Working

The high volume of breaches (64% of organizations reported a breach in the last 24 months) is alarming given that 78% of respondents say they have their ERP apps audited by a third-party firm every 90 days or more. These findings should raise serious concerns among the C suite and at the board level about the quality of these audits.

Lesson 4: The Attack Surface Is Increasing

According to survey respondents, around 74% of their ERP applications are accessible via the internet. With ERP applications exposed to the internet, the attack surface of interconnected applications increases, allowing for pivots that compromise entire systems. No wonder more than half of executives who have larger ERP implementations report being "Concerned" or "Very Concerned" about moving to the cloud.

Lesson 5: Pain from a Breach Eclipses the Cost of Prevention

The survey reports that the cost of a mere three hours of downtime easily eclipses the annual spend on ERP security for organizations. Seventy percent of organizations report spending $100,000 or more annually on ERP security each year. Yet nearly two-thirds of these same organizations believe ERP application downtime would cost their organization more than $50,000 per hour.

This survey confirms what the cybersecurity industry has known for some time: ERP systems are a prized target for cyberattacks. Organizations of all sizes need to make sure their cybersecurity and SAP security teams are integrated and working together, devoting the time, effort, and resources needed to protect their data, their system, and their company.

New call-to-action