Cybersecurity for Today’s SAP

Key Takeaways

⇨ Protecting the sensitive and confidential data in SAP systems is one of the biggest factors impacting cybersecurity strategy for SAPinsiders.

⇨ SAPinsiders must be prepared to defend against threats in which AI is playing a more significant role, for example business email compromise and social engineering attacks.

⇨ Organizations must prioritize cybersecurity from the start of any project, particularly transformation projects. Failing to do so can result in significant delays or additional costs.

For years, when organizations thought about SAP security, that meant topics like access control, process control, user roles, profiles, and authorizations. While these topics remain important, they focus on the activities of users who already have access to SAP systems and on managing the access they have to those systems. Today’s cybersecurity threats have created a whole new set of challenges that are focused on protecting SAP systems from those who may not have a valid SAP login or whose actions may not be recorded in SAP audit logs.

The Current Threat Landscape

The biggest of the challenges organizations face in securing SAP systems from cybersecurity attacks is that the threat landscape continues to expand. Ransomware and malware attacks are increasing in frequency, even if these are not always directly impacting SAP systems. A more concerning issue is the increase in social engineering and credentials compromise attacks which can expose data within SAP systems. This makes addressing system vulnerabilities one of the most critical needs for SAPinsiders.

Another major challenge is keeping up with patches and updates. Failure to apply patches regularly exposes systems to vulnerabilities and allows threat actors to exploit these vulnerabilities using code found online. This can involve data exfiltration, planting malicious code, or even directly accessing systems. Online forums sometimes host discussions on exploiting vulnerabilities within hours of SAP patches being released. This highlights the critical urgency of implementing patches. However, patching must be balanced with the need to minimize downtime and ensure that systems are accessible for business users.

Ransomware attacks, credentials compromise, and social engineering attacks are often interconnected and highlight the root cause of many cyberattacks. A credentials compromise is a method for threat actors to infiltrate systems and deploy ransomware or malware, while social engineering is used to expose credentials and manipulate employees into divulging usernames and passwords. SAPinsiders need to ensure that employees are regularly educated about potential threats as the sophistication of these attacks increases.

One obstacle that organizations may struggle to manage is the cybersecurity skills gap. Many organizations are experiencing a shortage of team members with the knowledge to effectively identify, prevent, and respond to cyber threats. The rapid evolution of cyber threats, combined with the increasing complexity of IT environments and the growing demand for cybersecurity talent, are the primary causes of this gap. Addressing the skills gap requires additional training, education, and workforce development, something that cannot be completed quickly. This leaves the door open for organizations that can offer services which can help organizations respond to and address newly recognized attacks.

Factors Driving Cybersecurity Strategy

The primary cybersecurity motivation for most SAPinsiders is protecting the sensitive and confidential data that is stored in SAP systems. The need to protect data connects to other cybersecurity topics including detecting and preventing intrusions, user access controls, data masking and encryption. It also covers areas like coding practices, disaster recovery, continuity planning, and even regional and industry-specific concerns. With SAP systems often being a consolidated source of financial and business data in the organization, it is easy to understand why protecting these systems is so important.

Beyond the need to protect the data in SAP systems is an ongoing pressure to keep systems secure from ransomware and malware attacks. This is a topic that can be especially complex for SAP systems since their security is not always managed by dedicated security teams, although this is changing. This is why it is vital SAPinsiders ensure collaboration across SAP, security, and IT teams as a lack of alignment can result in coverage gaps. The need for collaboration is particularly true for organizations moving to the cloud as cloud landscapes can introduce significant security complexity and data integration and connection points.

The last major factor behind cybersecurity strategy is that of keeping SAP systems online. The growing complexity of SAP landscapes, including the deployment and integration of cloud-based solutions, has made increased availability even more important. However, this has also made it difficult to perform urgent updates to address concerns such as ransomware, malware, security updates, zero-day or one-day vulnerabilities, or resolve data integrity issues.

Future Cybersecurity Challenges

Many organizations are looking at AI to help improve decision making, increase efficiency, enhance customer experience, reduce costs, and help drive innovation. SAP will eventually embed business AI in all their solutions, and it will only be a matter of time before their generative AI copilot Joule works with the most used features in every solution. However, AI is also playing a major role in the cybersecurity space, where it is used both by security teams and by those looking to use AI to enhance or potentially provide code for their attacks.

While the biggest benefit of generative AI for threat actors is with enhancing social engineering attacks, because AI can improve both the language and realism of attacks, SAPinsiders are also concerned about threat vectors like business email compromise, ransomware distribution, malware evasion, data exfiltration, and fake news and information. All of these are threats that can be AI supplemented or generated and which SAPinsiders must prepare to defend against.

These organizations are worried about the effectiveness of traditional cybersecurity methods when it comes to AI-generated threats. For example, only around a quarter (27%) of SAPinsiders believe that traditional cybersecurity methods were extremely or very effective against AI-generated threats. Nearly half (46%) felt that these measures were only moderately effective, suggesting considerable concern and a need for cybersecurity providers to seek new ways of defending against these threats.

To help protect against these threats, organizations are focusing on three main areas: continuous monitoring and logging, regularly implementing patches and updates, and training and education. Regularly patching and updating needs no explanation, but continuous monitoring and logging is being used with the hope that any unusual behavior will be logged and able to be detected either in security information and event management (SIEM) tools or through technologies like behavioral analytics. However, while continuous monitoring is important, attacks on SAP systems do not always register in regular log files. This makes it vital for organizations to train and educate teams so that they can be aware of changing attack vectors and able to react appropriately when a vulnerability or imminent threat is detected.

What this means for SAPinsiders

With today’s rapidly changing threat landscape, having the right cybersecurity plans in place is crucial. This makes it vital for SAPinsiders to ensure that they are prepared not only to meet better known cybersecurity challenges but also be ready for what may be coming in the future.

  • Implement and use a patching strategy and conduct regular audits. System and security patching has historically taken a back seat to other development and operational requirements in SAP. There is often a lack of clarity about what patching entails from both an analyst and a system perspective. However, many resources are available that can assist in establishing a program for evaluating and implementing system and security patches. Prioritize setting up an SAP system and security patching policy and build a program to address these key vulnerabilities and manage risk.
  • Assess current and emerging technologies to balance cybersecurity investments for current systems and those for use in the future. Perform an inventory of all technology currently being used to assess what functionalities are available, what is obsolete, or if a newer version has capabilities that are not included in any security plan. Set aside time for your SAP team to research and verify whether tools on hand could potentially be utilized to advance your cybersecurity objectives. Stay abreast of technologies in the market to solve current security issues and make security a budgetary priority before threat actors force that response.
  • Prioritize cybersecurity for SAP and integrate it into the overall cybersecurity program. A cybersecurity program is a holistic, all-systems program that assesses every application and device, incorporating the unique needs and requirements of each, and also focuses on risk management. If the network security program treats SAP like any other application on the network, it is a large vulnerability. Have IT and dedicated security teams shadow one another for a few days so they can learn from each other. Let the network security teams see what the SAP team does to configure the system. Then, let the SAP team see how the network security team configures and monitors the network. Cross-training teams will ensure that each understands the importance of the role the other performs and will help better integrate each team into a broader cybersecurity program.
  • Ensure that you are prepared to defend against AI-driven cyber threats. It is crucial that organizations prepare against future AI threats. Part of this strategy will involve collaboration with other SAPinsiders and cybersecurity vendors in tackling generative AI threats. Other steps involve risk assessment and management, staying aware of emerging threats, regular training, and having access to advanced tools and capabilities. Only by combining all these capabilities will organizations be prepared against AI-driven threats.
