Many SAP customers have a false sense of security, according to a new report from risk management consultancy Turnkey Consulting and business-critical application security firm Onapsis.
The SAP Security Survey Report 2021 is based on information from over 100 SAP customers in the United States, Europe and Asia.
Six percent of respondents admitted suffering a data breach related to SAP systems in the past couple of years, but nearly a quarter said they were not sure, which suggests that they may not have the ability to detect such a breach.
More than 40% of respondents are most concerned about internal fraud or misuse, 26% about data loss or data breaches, and only 14% about external attacks.
Roughly 45% of respondents believe, at least to some degree, that SAP is secured against cyber threats because it sits on the organization’s network.
Turnkey’s application and cyber security practice director, Tom Venables, noted that malicious actors have increasingly realized that SAP systems often contain valuable information. In addition, a study conducted recently by SAP and Onapsis showed that threat actors often start targeting vulnerabilities in SAP applications within days after a patch is made available.
On the other hand, only 28% of respondents could confirm that they have a vulnerability management program for SAP, and only half of those who took part in the survey are confident that their SAP systems are always patched.
“The overarching finding of this study is that many SAP customers are operating under a false sense of security,” the report says. “Despite the fact that a small majority agree that SAP isn’t fully protected within the internal network, the threat from outside is not being taken quite as seriously as it should be.”
When asked if they review custom SAP code for security and quality issues, roughly half of respondents said they do, but many rely on manual evaluations, which, according to Venables, are time-consuming and prone to human error.
More than half of respondents also don’t review third-party code before importing it into SAP systems, or aren’t sure if they do. And only 53% are confident their organization can detect problematic or insecure custom code before it reaches production systems.
Code reviews are important considering that the custom code used by SAP customers, according to the authors of the report, has, on average, roughly 2,500 vulnerabilities.
Nearly 37% of respondents confirmed experiencing SAP downtime due to coding issues.
The full SAP Security Survey Report 2021 is available in PDF format on Turnkey’s website.