On the face of it, cybersecurity should be at the top of the list when it comes to SAP user organisations’ priorities. Indeed, there’s reason to think that applies now more than ever: according to the National Fraud Intelligence Bureau, UK individuals and organisations reported losses of £1.3 billion to fraud and cyber-crime between 1 January and 31 July 2021. For reference, that’s over three times the corresponding figure for 2020 of £414.7 million.
Yet the issue is arguably given less focus than it deserves, especially when half of UK workers now work from home at least some of the time, and hackers now have gateways into business networks via the personal devices of remote workers. A 2021 HP survey of over 8,000 office workers around the world who shifted to home-working during the pandemic found that nearly one in three (30%) let someone else use their device, while
One major threat for SAP user organisations is neglecting to patch their business-critical SAP applications, thereby running the risk of cyber-attacks. Though this might sound obvious, a 2021 report co-authored by SAP and cloud security company Onapsis suggests many SAP user organisations were failing to patch these apps even at the height of the COVID-19 pandemic.
The report discovered "evidence of 300+ automated exploitations leveraging seven SAP-specific attack vectors" during the first three months of 2021. Alarmingly, some of these attackers were said to implement patches post-attack, as if to leave no ‘smoking-gun’ evidence of their crimes.
Through sophisticated attacks like these, organisations’ business processes could easily be disrupted, and sensitive data stolen. The report even suggested SAP user organisations could fail – inadvertently – to comply with data protection legislation.
A second potential threat to organisations using SAP is increased workforce mobility. Products such as SAP Fiori have made SAP applications more accessible to people wherever they are based. Yet this can also increase potential security risks from mobile devices falling into the wrong hands, employees using insecure networks to access business systems and end-user devices simply not being patched or properly secured.
Third - and perhaps most preventable - is the threat posed by a lack of training for staff at SAP user organisations. A 2020 UK government report found less than one in four businesses invest in training for staff in cybersecurity roles, while also finding that over one in four businesses (27%) lack staff with the necessary skills to respond to a cyberattack. Without the right training, both technical and non-technical staff may be inadvertently exposing their organisations to attacks.
With these concerns in mind, UKISUG’s recent virtual event explored how SAP user organisations might mitigate cybersecurity threats. Created in conjunction with SAP, the event aimed to paint a broad picture of the risks and responsibilities faced by SAP user organisations.
Speakers included Tata Steel UK’s CISO, Nigel Henderson, and Turnkey’s GRC chief, Andrew Morris, while Sukhdeep Singh – head of roles, governance and compliance at Vodafone – talked about how user access is managed at the telecoms giant. Attendees were also able to watch a demonstration of a cyberattack and how an organisation can respond in real-time.
With recent events in Ukraine further highlighting the need for strong cyber defences, SAP users should now more than ever be ensuring their enterprise applications and data are secure. Make sure to follow our Cybersecurity SIG to get the latest info and advice on how to protect your SAP environment.