How Much Could SAP Cybersecurity Breaches Cost Your Company?

Nov 13, '17 by Joerg Schneider-Simon

We’ve all encountered instances of a malware attack on a friend’s or relative’s home computer — or even on our own. Personal cybersecurity breaches can be inconvenient and distressing, especially if they result in frustrating identity theft or ransomware.

But when the target is a company, things are different. Very different. A successful cyberattack on a company can have enormous costs, putting the very future of the organization at risk.

How much risk? More than you might think. The total cost of cybercrime per year is estimated to be about $6 trillion. It’s an enormous figure to envision, raising the question: “What would a successful cybersecurity breach cost our business?”

Costs Are Increasing – Rapidly

Accenture Security and the Ponenon Institute recently released a study exploring the costs related to cybercrime. When defining the costs of cybercrime, they included costs to detect, recover, investigate and manage the incident response. Also included were the subsequent costs of business disruption and loss of customers. Once these costs were added up, the results were enough to make any CIO’s heart race.

It’s no surprise that cybersecurity breaches are costly. What might be surprising is just how costly they have become — and how quickly those costs are rising:

  • In FY2016, the global average annual cost of cybercrime per organization was $9.5 million.
  • The FY2017 global average annual cost of cybercrime per organization is $11.7 million.
  • Over the last five years, the cost has risen by 62 percent.
  • Costs in the United States are the highest: The average cost has risen from $17.36 million in 2016 to over $21 million in 2017.
  • The sharpest increase in the cost of cybercrime was in Germany, where costs have increased by 42.4 percent from 2016 to 2017.
  • The industry with the highest average costs related to cybercrime is financial services ($18.28 million/organization), followed by utilities and energy ($17.2 million/organization) and aerospace and defense ($14.46 million/organization).

It’s also worth noting that these costs do not include fines, penalties, and litigation for a business that suffers a cybersecurity breach. Those costs can easily add millions of dollars to the overall price tag, such as when Target paid out an $18.7 million settlement over a 2013 data breach. In the EU, the new General Data Protection Regulation promises fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, for companies that fail to keep personal data secure.

Why SAP Is a Prime Target

As mentioned, any successful cybersecurity breach results in a range of costs for the company. The Accenture/Ponemon study compiled these into four primary categories:

  • Business disruptions
  • Loss of information
  • Loss of revenue
  • Damage to equipment

It turns out that information loss is far and away the most expensive consequence of a cybersecurity breach, making up 43% of the total cost. This is not surprising, given the robust underground market for proprietary data.

And because data is so valuable, SAP is the Holy Grail for many cybercriminals. For most companies, SAP is interlinked with the overwhelming majority of their business functions: finance, HR, procurement, production, and everything in between. It serves as the nerve center for many businesses, containing a breathtaking amount of proprietary, sensitive data. This makes it an increasingly popular target among cybercriminals looking to steal information.

And sometimes these cybercriminals succeed.

This was starkly illustrated by the unfortunate fate of USIS, a major U.S. contractor that conducted background checks for the United States Office of Personnel Management (OPM). It was an enormous contract, one that kept 3,000 people handling about 21,000 background investigations every month.

Then, cyberattackers successfully breached their SAP system, putting the sensitive personnel files of over 27,000 people at risk.

OPM dropped USIS as soon as the contract expired. The contract had brought in $320M in USIS’s last fiscal year. This enormous loss of revenue was insurmountable, resulting in USIS filing for bankruptcy.


Protecting Your Company from Cybersecurity Breaches

In light of the astronomical (and steeply rising) costs associated with a cybersecurity breach, companies need to prioritize security technologies that will reduce the costs associated with detecting, recovering, investigating, and managing any incidents.

In addition to a robust security solution for a company’s operating system and disk volumes, separate protection is required to fully protect an SAP system and its applications. Only by managing both OS-level cybersecurity and SAP cybersecurity can companies stay safe from cybersecurity breaches and the colossal expenses that accompany them. 

Learn more about how a large federal agency relies on bowbridge to protect its procurement system from costly SAP cybersecurity threats.

Download the case study