The C-Suite: SAP Cybersecurity’s Big Barrier?
Feb 27, '18 by Joerg Schneider-Simon
The prevalence of cybersecurity breaches in the news has attracted a lot of notice, even from people who aren’t normally tasked with keeping their finger on the pulse of the cybersecurity world. Indeed, high-profile and costly cyberattacks have caused ripples leading all the way up the chain to the C-suite.
When it comes to SAP cybersecurity, however, are executives still asleep at the wheel?
Last year, Ponemon Institute released the results of the industry’s first survey covering SAP cybersecurity. The study highlighted some alarming gaps, which could leave companies vulnerable to the devastating consequences of a cyberattack.
So, what are these gaps?
The Perception Gap
The employees who work most closely with SAP have been raising the alarm for a long time now. In the study, 56 percent of respondents say it’s likely that their company will have a data breach due to insecure SAP applications. These same respondents indicate that their company’s SAP platform has already been breached — an average of two times in the past 24 months.
And yet, it looks like the C-suite isn’t all that worried. A shocking 63 percent of respondents said that C-level executives “tend to underestimate” the risks associated with insecure SAP applications.
There could be multiple reasons for this perception gap. If the people who work with SAP don’t have the resources to clearly explain and respond to threats, or if the executives don’t have the background and expertise to fully comprehend them, the result is the same: a dangerous situation where time and resources are not being devoted to keeping SAP systems safe, putting the entire organization at risk.
The Responsibility Gap
In many companies, there are people who are responsible for handling SAP. There are also people who are responsible for handling information security. But SAP cybersecurity is the bridge between the two worlds, and in many companies, executives have been derelict in assigning responsibility, meaning that nobody is in charge of making sure that bridge doesn’t collapse.
This is borne out by the numbers: 25 percent of security respondents say that no one function is most accountable for SAP security in their organizations. The remainder say it’s the job of IT infrastructure (21 percent), the SAP security team (19 percent) and information security (18 percent).
As it turns out, part of the reason companies aren’t establishing a clear sense of responsibility for SAP cybersecurity is that they feel it’s not their company’s job at all: over half (54 percent) believe that it’s the responsibility of SAP to ensure the security of its applications and platforms. This is reasonable in theory, but there’s a major flaw in this thinking. SAP monitors and addresses security threats and vulnerabilities in its out-of-the-box product, sending out security notes and patches accordingly. However, in the vast majority of cases, companies aren’t using the out-of-the-box version of SAP. Instead, they are modifying and customizing it based on their needs, which can open up an entirely new range of vulnerabilities that SAP hasn’t accounted for.
The Skills Gap
Skilled cybersecurity professionals are in short supply and high demand. And cybersecurity professionals who are also adept at SAP? They’re the rare and desirable unicorns of the IT world, and are being snapped up quickly by those companies who take SAP cybersecurity seriously.
When companies don’t prioritize SAP cybersecurity, they don’t take the time and effort to recruit more talent in this field. The result? The people who work in SAP cybersecurity are short-handed and ill-equipped to deal with emerging threats. In fact, nearly 100 percent of survey participants believed they would not be able to immediately detect an SAP breach. And if that breach was a year old? It would still likely go unnoticed by 78 percent of respondents.
With the increased pace and volume of cyberthreats and the continued dearth of SAP cybersecurity professionals in the field, a breaking point is rapidly approaching.
Bridging the Gaps
As these dangerous gaps continue to leave mission-critical SAP systems vulnerable, companies whose executives downplay the threats are risking everything: their data, millions of dollars, their reputation, and even the company itself.
“Any vulnerabilities in the supply chain now have a wildfire effect that results in millions of dollars being lost and trust being destroyed on impact,” says Justin Somaini, global CSO, SAP. “It used to take a while to exploit these weaknesses. Nowadays, it’s very fast and the damage is immediate.”
Those companies that are recognizing the need for robust SAP cybersecurity are beginning to look outside their own walls, increasingly turning to third-party options like bowbridge for expert SAP cybersecurity solutions that bridge the gap and reduce the risk of cyberattack.
As C-level executives steer companies around the twists and turns of today’s business landscape, they must prioritize the safety of their mission-critical SAP applications. Otherwise, they risk driving straight towards the gap, not realizing that their bridge is out — until it’s much too late.