Your SAP System Has Been Hacked. Now What?

Nov 7, '19 by Joerg Schneider-Simon

One day back in 2013, a group of hackers—likely backed by China—booted up their computers and began breaking into USIS, a US federal contractor that conducted background checks for the US Department of Homeland Security. The hackers gained access by exploiting a vulnerability in an SAP system managed by a third-party firm.

News of the attack was published by the security media … in 2015. Almost two years after the attack, security professionals and the public at large learned that the hackers had stolen sensitive, confidential data on more than 27,000 personnel.

The fallout from the attack was ugly.

USIS lost their contract with the U.S. Office of Personnel Management. The company lost so many other contracts and potential contracts that they were forced to fire 2,500 of their staff. Finally, the owner of USIS filed for bankruptcy.

The consequences of an SAP systems hack are severe, and include financial, operational, legal, and reputational repercussions. Ideally, the strength of your SAP cybersecurity is such that it will prevent a hack from ever taking place. If it DOES happen, however, there are ways to help mitigate the damage. Here are eight steps to take after your SAP system has been hacked.

1. Take immediate steps to contain the intrusion

Ideally, your firm has a cybersecurity response plan that describes the rules and procedures to follow in the event of an attack. Within minutes of discovering the attack, the employee who encounters the threat should alert your incident response team and start implementing the first steps outlined in the plan.

If you do not have a cybersecurity response plan, the staffer who discovers the intrusion must alert your IT and management teams immediately. Your IT staff must then disconnect the affected computer, server or other device from your network. Next, review your on-premise backups and backups in the cloud to make sure they are not compromised.

2. Gather your incident response team

Your firm should have an incident response team that investigates the attack, coordinates the response, and manages communications between your firm and your stakeholders, both internal (users, staff) and external (partners, suppliers, clients).

This team should be comprised of the following people:

  • Incident response manager (often the CISO)
  • Cybersecurity analysts
  • Threat researchers
  • IT staff
  • Management
  • Human resources
  • Legal
  • Public relations

3. Root out the cause of the attack

After removing all infected devices from the network, ensure that the cause of the breach is not still present in your SAP system. This involves searching for all known SAP vulnerabilities, including missing authorizations, missing security notes/patches, cross-site scripting, directory traversal, configuration issues, and SQL injection.

4. Check for damage

After you are persuaded that your network and SAP systems are secure, start looking throughout your company—particularly in files and database tables you know contain sensitive data—for damage or missing information. This includes compromised passwords and other credentials, missing data, breached credit card information, user accounts compromised, and stolen client data.

5. Restore your SAP systems

Once you are confident that your network and SAP systems are secure and that the threat has been eliminated, restore all systems that are critical to your business. This is vital, since one of the major fallouts of a cybersecurity breach is lost productivity and lost revenue.

6. Document and investigate

Next, you need to establish the facts, having your investigative team examine the breach to discover how the attack started and how it unfolded. This involves discovering and documenting the kind of attack that was made and the root cause of the vulnerability. Documenting your response to the attack is crucial, particularly if you are eventually investigated by the government because of the breach. Government auditors and investigators will examine the steps you’ve taken to investigate and fix the intrusion.

7. Inform your customers

What’s worse than telling your customers you’ve been hacked? Not telling them. Just ask FACEBOOK and Yahoo. When these internet giants were hacked, they kept the intrusions private and didn’t alert their customers. The result? Both companies faced multi-million-dollar class-action lawsuits from their customers.

Cybersecurity breaches aren’t just an IT issue—they’re a public relations issue. And in most jurisdictions these days, they’re also a legal issue. In the United States, for example, businesses must inform customers whose data has been compromised—and not two years after the fact. Immediately. In addition, GDPR may come into play, violations of which can result in massive fines.

8. Prepare for the next attack

If hackers succeed once, they aim to succeed again. This means that following a hack of your network and SAP systems, you must prepare for the next attack. Take the following steps:

  • Hire an outside firm—one experienced with SAP—to conduct penetration testing against your network
  • Patch and update your SAP systems
  • Schedule regular audits of SAP’s underlying ABAP code
  • Bring your staff’s security skills up to date
  • Install third-party software that protects you against viruses, content-based attacks, and other vulnerabilities

Analysts say the average cost of an SAP security breach is $5 million per attack. And according to a report in Computer Weekly, there was a 100% increase in publicly known SAP exploits between 2017 and 2018. This means your firm should be making plans for when (not if) your SAP system gets hacked. That starts with building your cybersecurity defenses now and creating a cybersecurity response plan for the inevitable.

Download our Solution Brief: Protecting SAP E-Recruiting from Hackers and Malware Uploads