3 Signs You Are Vulnerable to an SAP Cyberattack (and How to Respond)

Dec 10, '20 by Joerg Schneider-Simon

Is your organization among the staggering 66% of organizations that are vulnerable to cyberattacks on their SAP applications?

According to a recent Ponemon Institute study, “Only 34% of respondents say they have full visibility into the security of SAP applications and many companies do not have the required expertise to prevent, detect and respond to cyberattacks on their SAP applications.”

Here are the three ways in which most companies fall short when it comes to their SAP cybersecurity. If any (or all) of these signs ring true for your organization, you may be a sitting target.

3 Signs You’re Unprepared for an SAP Cyberattack

Sign 1: Lack of prevention and detection

Your organization has few if any third-party software applications that are designed to prevent attacks against SAP applications. You may have robust cybersecurity in general, but if you haven’t set up security measures specifically for SAP, you’re leaving a significant gap in your defenses.

Common SAP attack vectors include:

  • Exploiting missing authorization checks
  • Cross-site scripting
  • Leveraging unsecured RFC gateways and message servers
  • Improperly secured SAP Routers
  • Directory traversal vulnerabilities in applications and file handling
  • Remote code execution attacks
  • and of course, standard users who are still using default passwords

Beyond lacking prevention, many companies have no way of quickly detecting whether an SAP cyberattack has taken place, which gives cyberattackers a much larger window of opportunity in which to wreak havoc.

Sign 2: Poor SAP maintenance

Many organizations do not keep their SAP applications up to date, or they fail to install the latest SAP Security Notes, or both.

As a result, they’re at risk from old and current threats. Keeping your SAP applications current and applying security patches as soon as they are published are both part of a healthy preventative maintenance program. They are essential if you aim to keep your systems up-to-date, stable, and safe from viruses, trojans, ransomware and other threats.

Sign 3: No established response plan or team

Without responsibility, there is no response. And yet, countless organizations have failed to create an incident response team that investigates attacks, coordinates the response, and manages communications between the organization and its stakeholders.

Your team should consist of the following people:

  • Incident response manager (often the CISO)
  • Cybersecurity analysts
  • SAP Security analysts
  • Threat researchers
  • IT staff
  • Management
  • Human resources
  • Legal
  • Public relations

From there, your team should coordinate the creation of a cybersecurity response plan that spells out the policies and procedures to follow if you are attacked. Decide who will investigate the breach, who will coordinate your response, and who will manage crisis communications. Then draw up a simple plan that describes next action steps, assigns responsibilities, and gives deadlines and timelines.

A documented cybersecurity response plan establishes (and importantly, lets you test) the measures you should take if you experience an attack.

How to Respond if Your SAP System is Attacked

If your organization can tick yes to one or more of the above signs, then you may be unprepared to deter, detect, and deal with an attack on your SAP systems – and it may only be a matter of time before a successful attack takes place.

If that happens, here are the steps you should take.

Step 1. Stop the attack and limit the damage

Your first step is to contain the intrusion. The moment the attack is discovered, your incident response team should spring into action and start implementing the first steps outlined in your cybersecurity response plan. (If you don’t have a cybersecurity response plan, the staffer who uncovers the attack must alert your IT and management teams as quickly as possible.)

From there, your IT staff must act immediately to disconnect and isolate the affected computer, server, or device from your network.

Next, you must review your on-premises backups and backups in the cloud to make sure they are not compromised.

After you have removed all infected or compromised devices from your network, double-check that your attackers aren’t still present or active in your SAP system.

Step 2. Look for damage—internal and external

After you’ve checked to see that your networks and SAP systems are secure, measure the extent of the damage caused by the attack.

Look for the kind of damage that is most likely to harm your operations, damage relationships with customers and suppliers, and tarnish your reputation in the marketplace.

Hunt for:

  • compromised passwords and login credentials
  • exposed PII or proprietary information
  • breached credit card information
  • stolen supplier data
  • compromised user accounts
  • stolen client data

Step 3. Restore your SAP systems & document the attack

Your enemy at this stage is lost productivity and lost revenue. So, after you’ve taken all necessary steps to secure your network and SAP systems, and after you are confident that you have eliminated the cyberthreat, restore all the systems that are critical to your organization.

One advantage of successfully detecting and responding to an SAP cyberattack is that you have a playbook to follow for the next attack. To make sure this playbook is helpful for the future, you must establish the facts surrounding the attack.

Give your investigative team the task of examining the attack to uncover where and how the breach started—and how it progressed. Discover and document the kind of attack you suffered. Then discover the root cause of the vulnerability.

Documenting your response to the attack is vital, especially if you operate in a highly regulated industry and anticipate that the government may investigate the cyberattack. Government auditors and investigators will examine the steps you’ve taken to investigate and fix the intrusion. Make sure you document what happened, what you did in response, and how you are now better prepared for the next cyberattack.

Meanwhile, other members of your incident response team should be crafting clear and informative communications to let your employees, stakeholders, and customers know precisely what has happened, what you’ve done about it, how it will affect them, and what they should do from there.

What now?

Analysts estimate that the average cost of an SAP security breach is $5 million. And according to a report published in September 2020 by the Center for Internet Security, vulnerabilities continue to be discovered in SAP products on a regular basis, the most severe of which could allow for arbitrary code execution, often resulting in a complete compromise of the affected system.

Translated, this means that your organization should be making plans for when (not if) your SAP systems get hacked.

Don’t be caught unprepared. By building your SAP cybersecurity defenses, teams, and responses now and testing them regularly, you’ll be able to handle any intrusions – successful or otherwise – quickly, professionally, thoroughly, and with minimal damage to your organization and its people.

To discover how prepared you are, take our SAP Cybersecurity Self-Assessment.
