Navigating ERP Cyber Threats With KPMG and SAP



Key Takeaways

  • SAP systems have transformed into interconnected digital cores that are increasingly targeted by cyber threats, with 23% of organizations reporting attacks affecting their SAP environments in the past year.

  • The migration to SAP S/4HANA represents a critical juncture for cybersecurity, where organizations have the chance to reassess and enhance their security measures to mitigate new risks introduced during the transition.

  • A continuous security framework, like the SAP Secure Operations Map, is essential for navigating the evolving threat landscape, emphasizing the importance of collaborative and proactive security strategies rather than viewing security as a one-time project.

SAP systems have evolved from siloed, back-office applications into the interconnected digital core of modern business. This centrality makes them a prime target for cyber threats. Recent SAPinsider research underscored the fact that 23% of organizations experienced a cyber-attack that directly impacted their SAP environment in the past year. Attackers’ motives have also shifted, and adversaries are no longer just disrupting operations. They are targeting an enterprise’s intellectual property, financial plans, and sensitive customer data.

A Moment of Risk and Opportunity

According to the KPMG and SAP white paper entitled “Protect your SAP ERP landscape,” the migration to SAP S/4HANA is a critical inflection point in every organization’s cybersecurity journey. This transition reshapes the IT architecture, introducing new components and interfaces that create more potential entry points for attackers. The white paper highlights several specific risks that emerge during this process:

  • The introduction of new application functionality can render legacy controls ineffective before new ones are implemented.
  • New data tables and structures require exhaustive testing and validation to ensure integrity.
  • Enhanced real-time data access opens new vectors for unauthorized entry through multiple layers, including the database and advanced reporting tools.
  • New interfaces connecting to public and private cloud environments may be insufficiently hardened, requiring strong controls and continuous monitoring.
  • In cloud models like RISE with SAP, the lines of security responsibility between the organization, SAP, and hyperscale providers can become blurred, creating dangerous gaps if not explicitly managed.

Despite the risks, this transformation offers organizations an opportunity to reset security. It is the ideal moment to retire legacy security models and raise the security baseline to align with contemporary requirements.


A Framework for Resilience

To navigate this complex environment, the KPMG and SAP relationship advances a philosophy that security is not a destination but a journey. This reframes cybersecurity from a one-time project into a continuous, adaptive process. The journey is operationalized through a six-step cycle:

  1. Assess: Evaluate the current SAP security posture to identify risks.
  2. Strategize: Define clear, business-aligned security objectives.
  3. Operationalize: Embed cybersecurity into daily operations with established policies.
  4. Test: Perform assessments and test controls to validate effectiveness.
  5. Detect: Employ threat intelligence and monitoring to identify malicious activity.
  6. Monitor: Implement continuous monitoring and automation to maintain security.

The intellectual cornerstone of this approach is the SAP Secure Operations Map, a comprehensive framework providing a blueprint for action. This tool offers a holistic view of security across five distinct levels of the entire SAP technology stack.

These five levels cover:

  • Strategy, governance, and risk management.
  • Processes covering regulatory compliance, data privacy, and fraud management.
  • User identity, authorizations, and custom code.
  • Technical hardening and security monitoring.
  • The underlying network, operating system, and database infrastructure.

By providing a common language and a unified framework, the map breaks down the organizational silos that often undermine security efforts. It enables organizations to move beyond a narrow, compliance-driven focus to a proactive and holistic strategy, building genuine cyber resilience to protect their most critical assets against an ever-evolving threat landscape.

What This Means for SAPinsiders

Reframe security as a business requirement, not an IT cost. The conversation around SAP security should evolve from a technical, compliance-based discussion to a strategic, risk-based one. With the average price of ERP system unavailability estimated at $50,000 per hour, security must be a core business management function. The focus should be on how much risk the business is willing to accept, not simply how much security costs. SAPinsiders should also work with trusted advisors like KPMG that can help them by providing extensive security advice that goes beyond standard ERP into specific industries.

Use an SAP S/4HANA migration as an opportunity to reset security goals. The migration to SAP S/4HANA is a singular opportunity for organizations to overhaul and modernize their security posture. Instead of treating security as an afterthought, embed it into every phase of the transformation project. A simple lift-and-shift of legacy security practices into the new, hyper-connected SAP S/4HANA architecture will only carry existing vulnerabilities into the future digital core of your enterprise.

Adopt a unified and continuous security framework. Security is not a one-time project but a constant journey against an evolving threat landscape. To overcome the typical organizational silos between SAP and central security teams, adopt a holistic framework, such as the SAP Secure Operations Map. This creates a common language for risk assessment and a shared set of objectives, ensuring that protecting your most critical systems is a collective, ongoing effort. Moreover, advisors such as KPMG's certified consultants offer customized, data-driven solutions for the entire technology stack. This includes everything from security assessments and governance to proactive monitoring and incident management.

Learn more: Protect your SAP ERP Landscape: Secure your data in a cyber threat environment with KPMG and SAP.

Some or all the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.
