Supply Chain Cybersecurity and SAP

Jul 10, '18 by Joerg Schneider-Simon

Supply chains keep an organization operating at full pace … or they can stop a company in its tracks. Without a well-run supply chain, a company can’t produce its product, maintain its equipment, or even manage day-to-day operations.

Today’s technology makes supply chain management more effective and efficient, integrating vendors more closely and accelerating communication. One such technology used by major companies worldwide is SAP ERP.

However, while technology solutions like SAP have made supply chains move faster and more smoothly, they’ve also opened companies up to an increased level of cybersecurity risk.

What are these risks? And what can companies do to prevent them?

How Supply Chain Technology Works

As mentioned, technology has made supply chains more efficient by integrating vendors more closely with companies. To do so, technologies like SAP ERP often give trusted suppliers access to the enterprise environment.

Here is an example: A furniture manufacturer, XYZ Company, requires raw supplies, production equipment, replacement parts, and maintenance supplies. To operate, XYZ relies on dozens of vendors to supply those goods accurately and in a timely fashion.

To make the supply chain more efficient, vendors can log in to XYZ’s portal with a username and password to upload and send invoices, quotes, estimates, copies of bills of lading, product images, or other necessary files.

That way, XYZ has all the documentation it needs, all automatically linked to the purchase order.

Sounds great, doesn’t it? And it is great … except when it’s not.

Cybersecurity Risks and the Supply Chain

Unfortunately, opening up a supply chain management system to external parties brings with it the possibility of cybersecurity breaches, often with disastrous results.

In 2013, Target was the victim of a massive data breach that compromised the data of over 110 million customers. It was later discovered that the initial intrusion took place when network credentials were stolen from one of their vendors, an HVAC subcontractor. A similar attack in 2014 resulted in the theft of payment data from more than 56 million Home Depot customers, with 53 million email addresses also stolen.

How did this happen?

As it turns out, the size of the company has a lot to do with it.

Many cybercriminals understand that big companies like Target and Home Depot have the resources to develop strong IT systems and robust cybersecurity practices – making them very tough targets to crack.

However, smaller to medium-sized enterprises (SMEs) – the ones that often comprise the bulk of any company’s supply chain – tend to not have the resources to implement iron-clad cybersecurity. Nor do they usually have the same stringent policies about access control, patch management, or secure configuration as the bigger players do.

So, instead of trying to break the big company’s unpickable lock, cybercriminals simply focus on stealing a perfectly functional key – i.e. credentials – from smaller vendors that serve the bigger companies. And this type of attack is on the rise: According to the Ponemon Institute’s Third Party Data Risk Study, at least 56% of survey respondents experienced a third-party data breach — a 7% increase over last year. Even worse, 57% of respondents don’t have an inventory of all third parties with whom they share sensitive information.

Cybersecurity Risks, The Supply Chain, and SAP

With SAP, collaboration between vendors and customers is easy and seamless. However, SAP’s environment makes it difficult to keep this supply chain secure.

Let’s look at our furniture manufacturer, XYZ Company, again. Unbeknownst to them, their fabric wholesaler’s order system has been hacked, and cybercriminals have stolen the vendor’s login credentials to the furniture manufacturer’s SAP system.

Armed with this information, a cybercriminal could very easily upload a file, like a document, spreadsheet, or PDF, that looks like a legitimate invoice or quote but that actually contains malicious active content. Or, the cybercriminal could insert malicious code into form fields and launch a man-in-the-middle attack.
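As an added illustration (not part of the original article and not bowbridge or SAP code), here is a minimal pre-filter a vendor portal could run on each upload before the file is stored against a purchase order. It flags the active content described above. The allow-list, function names and sample files are assumptions constructed for this example.

```python
import io
import zipfile

# Extensions the (hypothetical) vendor portal accepts and the magic bytes each must start with.
MAGIC = {"pdf": b"%PDF-", "xlsx": b"PK\x03\x04", "docx": b"PK\x03\x04"}
# PDF name tokens that carry or trigger active content.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")

def screen_upload(filename, data):
    """Return reasons to quarantine an upload; an empty list means no finding."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return [f"extension '{ext}' not on allow-list"]
    if not data.startswith(MAGIC[ext]):
        return [f"content does not match .{ext} signature"]
    if ext == "pdf":
        return [f"PDF contains {t.decode()}" for t in PDF_ACTIVE if t in data]
    return screen_ooxml(data)

def screen_ooxml(data):
    """Flag macro projects and embedded objects inside an Office Open XML container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return ["corrupt OOXML container"]
    findings = []
    for name in names:
        low = name.lower()
        if low.endswith("vbaproject.bin"):
            findings.append(f"VBA macro project: {name}")
        elif "/embeddings/" in low:
            findings.append(f"embedded object: {name}")
    return findings

def sample_macro_workbook():
    """Constructed sample: a zip shaped like a workbook that carries a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

# Constructed sample: a PDF skeleton whose catalog auto-runs a script action.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
              b"2 0 obj<</S/JavaScript/JS (placeholder)>>endobj\n%%EOF")

if __name__ == "__main__":
    for name, blob in (("invoice.pdf", SAMPLE_PDF), ("quote.xlsx", sample_macro_workbook()),
                       ("bol.pdf", b"MZ\x90\x00constructed")):
        print(name, "->", screen_upload(name, blob) or "no finding")
```

A plain byte scan misses PDF names that are hex-escaped or stored in compressed object streams, so a check like this belongs in front of a full content scanner, not in place of one.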

There are many reasons why SAP is vulnerable:

  • Standard anti-virus programs simply do not have access to data or content that is input into or stored in SAP.
  • There is a significant shortage of SAP cybersecurity specialists in today’s workforce, resulting in significant skills gaps for many companies.
  • Suppliers often have access to supply chain functions via SAP FIORI, which they often use in unsecured environments.


How to Protect Your Supply Chain

The last thing any company wants is a cybersecurity breach. Fortunately, you can take steps to shrink your risk of a third-party breach. For instance, the SANS Institute, a cooperative research and education organization for security professionals, has created a solid roadmap to a secure supply chain, which helps identify and mitigate the human factors of cybersecurity risk. In general, SANS recommends focusing on three factors:

  1. People
  2. Process
  3. Technology

Ensuring that your suppliers take due diligence, security controls, and compliance seriously is massively important. So is establishing processes along the supply chain to minimize the chances of a breach and to quickly identify and mitigate one if it does occur.

The technology? That’s where we come in. bowbridge Anti-Virus for SAP Solutions is built specifically for SAP, helping to guard your mission-critical systems and data from cyberattack and breaches. 

Want to know more? Try it out for yourself to see how bowbridge can put your supply chain cybersecurity worries to rest.

