SAP and Data Breaches: What to Know, What to Do

Mar 26, '19 by Joerg Schneider-Simon

Information security professionals and CIOs are feeling the squeeze. Not only is the number of data breaches increasing all the time, but the shortage of qualified cybersecurity professionals keeps growing.

As a result, IS teams face a constant onslaught of attacks that make the Battle of Helm’s Deep in Lord of the Rings look like a friendly gathering for tea.

In today’s environment, the question isn’t if your company will face an attempted data breach on your SAP system, but when, how often, and how bad will it be? To prepare yourself, we have the facts and figures on data breaches – and we’ll show you what’s at stake, what to do if you fall victim, and how you can improve the chances of withstanding the next wave of attacks.

A Shifting Target

You’re not imagining it: Data breaches are increasing in number. In 2018, there were 12,449 data breaches, a 424% increase over the previous year.

However, an interesting trend revealed itself: the average breach in 2018 exposed about 4.7 times fewer records than the average breach in 2017.

What does this mean? While massive corporations will always be tempting targets, cyberattackers are starting to go for lower-hanging fruit. Mid-sized companies, with fewer cybersecurity resources, are simply easier to infiltrate. This is doubly true when it comes to SAP, as it is a rare mid-to-small business that has dedicated SAP cybersecurity professionals on staff. Plus, SAP is a rich repository of data — a treasure trove for cybercriminals, so the payoff on a successful breach is huge.

This is terrible news for smaller players who use SAP, especially those who store a lot of personal data in their SAP system, like regional government agencies, hospitals, or mid-sized manufacturers.

The Cost of SAP Data Breaches

To recap from one of our earlier posts about the cost of breaches, the average annual cost of cybercrime per organization in 2017 was $11.7 million, according to a study by Accenture Security and the Ponemon Institute. Information loss made up 43% of that cost, on average.

To add to this, lawsuits and regulatory fines have made the consequences of a data breach higher than ever before. For example, any company found out of compliance with General Data Protection Regulation (GDPR) requirements on maintaining the security of personal data can face eye-watering fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. And it goes without saying that a data breach will turn all regulatory eyes toward a company’s compliance efforts … or lack thereof.

What If a Breach Happens?

Discovering that your SAP data has been breached is a stomach-churning sensation. However, there are ways to handle it that can help your company come through the other side intact:

Be Upfront

Any seasoned crisis communications professional could tell you about the 1982 Tylenol recall crisis. When it was discovered that someone in the Chicago area had tampered with Tylenol capsules and inserted cyanide-laced capsules into bottles waiting to be sold, Tylenol manufacturer Johnson & Johnson sprang into action. They immediately disclosed what had happened, issued a national recall, and communicated clearly and frequently with the public about what was going on and the steps they were taking. As a result, Johnson & Johnson held onto consumer trust and the incident became a case study in how to handle a crisis.

As a general rule, this approach is a wise one for any company facing a data breach. Being honest and upfront is infinitely better than trying to downplay or hide what happened. For example, when Target experienced its massive data breach in 2013, the retailer was widely criticized for alerting customers only several days after it discovered the breach, and for an inadequate customer support system that left consumers even more frustrated.

If your data is breached, let your customers know right away. (Creating a cybersecurity crisis communications plan ahead of time and reviewing it often will allow your company to quickly spring into action should a breach take place.) Advise them on what they can do to protect themselves and keep them posted on what your company is doing differently to avoid this happening again.

Review Your Security

Customers may forgive one data breach. They won’t forgive a second one. At this point, the survival of your company may depend on ensuring another data breach won’t happen. To do this, look at data security from all angles. Review permissions and security protocols to limit who has access to sensitive data. Not only does this protect against insider data theft, but it reduces the number of employees who, if hacked, could unwittingly grant access to this data to a cyberattacker.
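One concrete way to carry out the permissions review described above, as an added example that is not part of the original post: an SAP user/profile export is checked for holders of all-powerful profiles, and the result is narrowed to the accounts that could actually be used by an attacker today (active dialog users), which is the number you want to drive down. The script assumes two CSV exports, from USR02 (user master: BNAME, USTYP, UFLAG, GLTGB) and UST04 (user-to-profile assignment: BNAME, PROFILE); the rows below are constructed sample data, not real users.

```python
"""Least-privilege review over SAP user/profile exports.

Added example, not from the original post. Assumes CSV exports of
USR02 (user master) and UST04 (user-to-profile assignment). The rows
below are constructed for this example and do not describe any real system.
"""
import csv
import io
from datetime import date

# Profiles that grant essentially unrestricted access. In a production
# client they should be held by (almost) nobody.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.SYSTEM"}

# USR02.USTYP: A = dialog, B = system, C = communication, L = reference,
# S = service. Only dialog users can log on interactively.
DIALOG = "A"

# Date the review is run against (the post's publication date, chosen arbitrarily).
REVIEW_DATE = date(2019, 3, 26)

# Constructed sample export of USR02 (UFLAG 0 = unlocked, 64 = locked by
# an administrator; GLTGB = valid-to date as YYYYMMDD).
USR02_CSV = """BNAME,USTYP,UFLAG,GLTGB
ALICE,A,0,99991231
BOB,A,0,20181231
BATCH_RFC,B,0,99991231
CAROL,A,64,99991231
DAVE,A,0,99991231
"""

# Constructed sample export of UST04.
UST04_CSV = """BNAME,PROFILE
ALICE,SAP_ALL
ALICE,SAP_NEW
BOB,SAP_ALL
BATCH_RFC,SAP_ALL
CAROL,SAP_ALL
DAVE,Z_FI_DISPLAY
"""


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_active(user, today):
    """True if the account is unlocked and its validity period has not ended."""
    if user["UFLAG"] != "0":
        return False
    g = user["GLTGB"]
    valid_to = date(int(g[:4]), int(g[4:6]), int(g[6:8]))
    return valid_to >= today


def review_critical_profiles(usr02_csv, ust04_csv, today):
    """Return one finding per (user, critical profile) assignment."""
    users = {row["BNAME"]: row for row in load_rows(usr02_csv)}
    findings = []
    for row in load_rows(ust04_csv):
        if row["PROFILE"] not in CRITICAL_PROFILES:
            continue
        user = users.get(row["BNAME"])
        findings.append({
            "user": row["BNAME"],
            "profile": row["PROFILE"],
            # An assignment with no matching master record is itself a finding.
            "user_type": user["USTYP"] if user else "?",
            "active": bool(user) and is_active(user, today),
        })
    return findings


def summarize(findings):
    """Split holders into those who can use the profile now and those who cannot."""
    live = sorted({f["user"] for f in findings if f["active"] and f["user_type"] == DIALOG})
    technical = sorted({f["user"] for f in findings if f["active"] and f["user_type"] != DIALOG})
    inactive = sorted({f["user"] for f in findings if not f["active"]})
    return {"live_dialog": live, "technical": technical, "inactive": inactive}


if __name__ == "__main__":
    summary = summarize(review_critical_profiles(USR02_CSV, UST04_CSV, REVIEW_DATE))
    for bucket, names in summary.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The "live_dialog" bucket is the one to act on first: every name in it is an interactive account that a phished password or a malicious insider turns into full control of the system. Technical accounts holding SAP_ALL are the next target for replacement with narrowly scoped roles, and locked or expired holders should have the profile removed rather than left dormant.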

In addition, carefully review your cybersecurity and in particular, your SAP cybersecurity. Because so much sensitive data is held within SAP, and because it can often be accessed by external parties like suppliers or job applicants, it is crucial to protect both its data and its applications. In this threat environment, leadership that ignores the cybersecurity risk to SAP is leadership that is negligent.

Educate Staff

Cybersecurity policies are only as good as people’s commitment to adherence. That’s why it’s so important to educate staff, contractors, suppliers, and anybody else who can access your SAP system about the importance of protecting data. Workshops on how to recognize and prevent phishing, guidelines on smart password selection, and a company-wide commitment to immediately notify IS of any unusual activity will go a long way toward preventing data theft. Be sure to provide extra training to any employees who use SAP Fiori: because Fiori apps are reached through a browser or mobile device from anywhere, a phished or reused password is enough to get an attacker into the system.

Attempted data breaches may be inevitable. Successful data breaches, on the other hand, don’t have to be. By giving this threat the proper amount of attention and resources, companies can stave off data breaches and keep their customers’ hard-won trust.
