ERP Cybersecurity 2017 Survey - ERPScan
ERP CYBERSECURITY
2017 SURVEY

Presented by Information Security Community (Group Partner)
This report reveals the latest data points and trends in cybersecurity, shares how your peers are approaching security, and provides valuable benchmark data that will help gauge how your own organization stacks up compared with others. Many thanks to our sponsor ERPScan for supporting this exciting research project.
Thank you,
Holger Schulze
OVERVIEW
ERP Cybersecurity. Why should you care?

Just seven years ago, ERP security was synonymous with Segregation of Duties. Today, leading analysts list ERP security as a topic to watch, which shows that this subdivision of the industry is widely recognized as an increasingly important and distinct area.

ERP security is now a rapidly growing market, as businesses have started paying attention to this area of cybersecurity. This happened not least because of real attacks against ERP systems, above all the US-CERT alert (TA16-132A) on the exploitation of vulnerabilities in SAP business applications, which hit the headlines in 2016. Let us look at why ERP security is important and what business applications are.
Holger Schulze
Founder, Information Security Community on LinkedIn

CYBERSECURITY TRENDS REPORT
TABLE OF CONTENTS
MOST SENSITIVE INFORMATION .............. 4
MOST CRITICAL BUSINESS APPLICATIONS ..... 5
MOST USED BUSINESS APPLICATIONS ......... 6
ERP SECURITY RISKS ...................... 7
SAP SECURITY INCIDENTS .................. 8
COST OF AN SAP ATTACK ................... 9
ERP SYSTEM RESPONSIBILITY ............... 10
ERP SECURITY PROGRESS ................... 11
ERP SECURITY AWARENESS .................. 12
ERP SECURITY INITIATIVES ................ 13
ANALYZING ERP SYSTEM SECURITY ........... 14
CYBERATTACKS AGAINST ERP SYSTEMS ........ 15
TAKEAWAYS ............................... 16
METHODOLOGY & DEMOGRAPHICS .............. 17
CONTACT US .............................. 19
MOST SENSITIVE INFORMATION
Q: What types of sensitive data are you most concerned about protecting?

All of these kinds of data (except DevOps and development data) are stored in SAP systems such as ERP, HR and others, which makes those systems the most important assets to protect. Securing sensitive information is a key concern for all companies, driven in part by regulations that require certain sensitive information to be protected. Cybersecurity professionals are most concerned about protecting customer data (72%), employee data (66%), and email (54%).

[Chart: share of respondents most concerned about each data type. Recoverable values: customer data 72%, employee data 66%, email 54%, intellectual property 47%. The remaining categories (financial corporate data, health information, contracts/invoices/orders, sales and marketing data, DevOps/development data) carry the values 46%, 35%, 33%, 21% and 21%, but the label-to-value pairing cannot be recovered from the extracted figure.]
MOST CRITICAL BUSINESS APPLICATIONS
Q: What are the most critical business applications?

Most respondents consider ERP the backbone of the enterprise. It is troubling that it is also one of the most vulnerable systems: more than 2,500 vulnerabilities affecting SAP ERP have been closed. Enterprise Resource Planning (ERP) is considered the most critical business application by 61% of respondents, followed by financial systems (57%) and customer relationship management (CRM) systems (55%).

ERP 61% | Financial System (FI) 57% | Customer Relationship Management (CRM) 55% | Human Capital Management (HCM/HR) 39% | Business Intelligence (BI/BW) 36% | Supply Chain Management 32% | Product Lifecycle Management (PLM) 30% | Enterprise Asset Management (EAM) 27% | Supplier Relationship Management (SRM) 18% | Manufacturing Execution System (MES) 18%
MOST USED BUSINESS APPLICATIONS
Q: What kind of business applications are used in your company?

SAP is the leader in the business applications market and serves 87% of the Fortune 2000. It plays a vital role in global production; for example, SAP systems are involved in 75% of the world's oil production.

SAP 56% | Oracle PeopleSoft 29% | Microsoft Dynamics 24% | Oracle EBS 20% | Oracle JD Edwards 15% | Infor 10% | Other 7%
(The values for Microsoft Dynamics through Infor are assigned in the order in which they appear in the extracted chart.)
ERP SECURITY RISKS

When we speak about SAP systems (especially with C-level executives), the traditional CIA triad (confidentiality, integrity, and availability) translates into espionage, sabotage, and fraud, which are considered the main risks. As for the first, if somebody gets access to an SAP system, he or she can obtain HR, finance, credit card, and any other critical data. Attackers can also commit sabotage by executing denial-of-service attacks, making any operation in the system unavailable. More dangerous still, an SAP environment is usually connected to the company's critical infrastructure, such as plant-floor devices, asset management systems, or even ICS and SCADA.

The last and most widespread risk is fraud, which is well known to organizations using SAP. If an external attacker or a malicious insider gains more privileges than are required to do the job, he or she can steal money or falsify information.
SAP SECURITY INCIDENTS
Q: Which of the following incidents related to SAP security have you heard about most?

There is still a lack of awareness of SAP cybersecurity. Only 31% of respondents have heard about the most infamous incident (the US-CERT alert on potential Chinese attacks on SAP systems), and that result comes from a survey of people who are interested in ERP security. A worrisome 4% have heard about the episode with the direst consequences: the USIS data breach, which started with an SAP vulnerability and led to the company's bankruptcy.

US-CERT alert on Chinese attacks on SAP systems of 30+ companies in 2016: 31%
None: 29%
Cyberattack on the SAP system of the Greek Ministry of Finance in 2012: 11%
SAP Trojan targeting SAP users in 2013: 9%
NVidia customer service website (with SAP backend) intrusion in 2014: 9%
USIS bankruptcy caused by an SAP vulnerability in 2015: 4%
Other: 7%
COST OF AN SAP ATTACK
Q: How much would an attack on SAP cost your organization?

The following results were collected from companies with 1,000+ employees. Most respondents consider fraud the most costly risk.

Estimated cost      | Fraud | Espionage | Sabotage
less than 1M USD    | 33%   | 40%       | 29%
1-5M USD            | 23%   | 18%       | 30%
5-10M USD           | 12%   | 12%       | 15%
10-25M USD          | 12%   | 7%        | 6%
25-50M USD          | 14%   | 17%       | 17%
50+M USD            | 6%    | 6%        | 3%

The average ERP security breach causes $5 million in damages.
ERP SYSTEM RESPONSIBILITY
Q: Who will be responsible if your ERP system is breached?

The key problem of SAP security is a lack of responsibility. Usually, the CIO thinks that the CISO is in charge of cybersecurity, while the CISO assumes that the CIO is accountable for SAP in general because the SAP team has its own security department. Consequently, at the end of the day, SAP system security is left unattended.

[Pie chart: ERP Administrator 9%, ERP Security Representative 7%. The values 43%, 28%, 11% and 2% are distributed among CISO, CIO, Other and CRO, but the exact pairing cannot be recovered reliably from the extracted chart.]
ERP SECURITY PROGRESS

2016 was a game-changing year for ERP security. The publication of the SAP Cyber Threat Report, the US-CERT alert, the attention given to ERP security at the Gartner Security Summit, and the GDPR were the key indicators that it is time to take SAP security initiatives.

Nowadays, SAP security measures are not a question of "if" but "when". Some companies have already started this process; some are just planning to take their first steps in 2017. Let us look at SAP security awareness in general.
ERP SECURITY AWARENESS
Q: What is your level of awareness in regards to ERP security?

Only 30% of respondents continuously monitor, analyze, and remediate SAP security issues. However, only a comprehensive and constant approach can guarantee an adequate level of protection.

Just read about ERP security in some reports: 27%
Read a few articles, understand the importance, but never tried to check it: 27%
Carried out a few checks manually: 20%
Continuously monitor or scan as SaaS or managed service: 22%
Conducted a pentest or security assessment by a third party: 33%
Use ERP security on-premises software to identify, analyze and remediate: 29%
(Multiple answers were possible; the values do not sum to 100%.)
ERP SECURITY INITIATIVES
Q: When did you first decide to deal with ERP security?

Interest in SAP security is continuously growing. Nonetheless, the largest group of respondents (30%) is only planning to start an ERP security initiative in 2017.

Planning to start this initiative in 2017: 30%
Between 2014 and 2016: 25%
Between 2010 and 2013, and before 2010: 25% and 20% (the extracted chart does not show which value belongs to which period)
ANALYZING ERP SYSTEM SECURITY
Q: How often do you analyze the security of your ERP systems?

Forty-four percent of respondents analyze the security of their ERP systems at least monthly, and 25% do so continuously. An alarming 14% of respondents say they never analyze the security of their ERP systems.

Never 14% | Yearly 21% | Quarterly 21% | Monthly 15% | Weekly 4% | Continuously 25%
(At least once monthly: 44%. The Monthly and Weekly values are assigned in the order in which they appear in the extracted chart.)
CYBERATTACKS AGAINST ERP SYSTEMS
Q: How will the number of cyberattacks against ERP systems change within the next 2-3 years?

Eighty-nine percent of IT security professionals expect the number of cyberattacks against ERP systems to increase; 30% of them expect a significant increase.

Increase significantly 30% | Increase 59% | Will not change 9% | Decrease 2%
(89% expect cyberattacks against ERP systems to increase)
TAKEAWAYS

There are three areas that should be taken into account to protect a company from attacks of different types. For each area there are three types of defensive measures, which are recommended as a gradual approach: the first step within 3-6 months, the second within 6-18 months, and the third within the following 6-12 months as a supplement to the basic option (the first two steps).
INSIDERS AND IMPROPER ACCESS CONTROL
1. Basic access control checks and password policies
2. Segregation of duties checks
3. Transaction monitoring and user behavior analytics
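The first two steps above (access control and segregation-of-duties checks) can be automated against an export of who holds which roles and which transactions those roles grant. The script below is an added example written for this page, not code from the survey or from ERPScan. It evaluates SoD conflicts over constructed sample data modelled on what SAP's AGR_USERS (user-to-role) and AGR_TCODES (role-to-transaction) tables hold; the Z_* role names, the user IDs and the four toxic-combination rules are invented for illustration and stand in for an organisation's own ruleset.

```python
"""Segregation-of-duties (SoD) conflict check over user/role/transaction data.

Added example for this page, not code from the survey or from ERPScan.
Users, Z_* roles and the ruleset are constructed for illustration; a real
ruleset is organisation-specific and should be evaluated on authorization
objects (S_TCODE plus the F_* / M_* object checks), not on transaction
codes alone.
"""
from collections import defaultdict
from dataclasses import dataclass

# Illustrative toxic combinations: holding any transaction on side A together
# with any on side B lets one person both initiate and complete the scenario.
SOD_RULES = [
    ({"FK01", "XK01"}, {"F110"}, "create vendor + run payments"),
    ({"ME21N"}, {"ME29N"}, "create purchase order + release purchase order"),
    ({"MIGO"}, {"MIRO"}, "post goods receipt + post vendor invoice"),
    ({"SU01"}, {"PFCG"}, "maintain users + maintain roles"),
]

# Constructed role-to-transaction mapping (what AGR_TCODES would hold).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FK01", "FB60", "MIRO"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_AP_ALL": {"FK01", "F110"},  # a single role that is itself conflicting
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_PO_APPROVER": {"ME29N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_BASIS_USERADMIN": {"SU01"},
    "Z_BASIS_ROLEADMIN": {"PFCG"},
}

# Constructed user-to-role assignments (what AGR_USERS would hold).
USER_ROLES = {
    "JSMITH": ["Z_AP_CLERK", "Z_AP_PAYMENT"],
    "AKHAN": ["Z_PURCHASER"],
    "MLEE": ["Z_PURCHASER", "Z_PO_APPROVER"],
    "BASISADM": ["Z_BASIS_USERADMIN", "Z_BASIS_ROLEADMIN"],
    "PWONG": ["Z_WAREHOUSE", "Z_AP_CLERK"],
    "TEMP01": ["Z_AP_ALL"],
}


@dataclass(frozen=True)
class Conflict:
    user: str
    scenario: str
    via: tuple  # sorted (transaction, granting role) pairs behind the conflict


def effective_tcodes(user, user_roles, role_tcodes):
    """Map every transaction the user can start to the roles that grant it."""
    granted = defaultdict(set)
    for role in user_roles.get(user, []):
        for tcode in role_tcodes.get(role, set()):
            granted[tcode].add(role)
    return granted


def find_conflicts(user_roles, role_tcodes, rules=SOD_RULES):
    """Return one Conflict per (user, rule) where the user holds both sides."""
    findings = []
    for user in sorted(user_roles):
        granted = effective_tcodes(user, user_roles, role_tcodes)
        held = set(granted)
        for side_a, side_b, scenario in rules:
            hit_a, hit_b = held & side_a, held & side_b
            if hit_a and hit_b:
                via = tuple(sorted((t, r) for t in hit_a | hit_b for r in granted[t]))
                findings.append(Conflict(user, scenario, via))
    return findings


def users_with_conflicts(findings):
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    for c in find_conflicts(USER_ROLES, ROLE_TCODES):
        print(f"{c.user}: {c.scenario}")
        for tcode, role in c.via:
            print(f"    {tcode} via {role}")
```

Keeping the granting role next to each transaction is what makes a finding actionable: for JSMITH the remediation is to remove Z_AP_PAYMENT, whereas TEMP01's conflict lives inside Z_AP_ALL and has to be fixed in the role design. Because SAP authorizations are more granular than the ability to start a transaction, a production ruleset should express both sides as authorization-object checks and be regenerated from the live authorization tables rather than from a static role list.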
SOFTWARE BACKDOORS AND INSECURE DEVELOPMENT
1. Dev, test and prod landscapes separation
2. Scanning and fixing code for vulnerabilities and backdoors
3. Virtual patching and/or auto-correction for code vulnerabilities
PLATFORM VULNERABILITIES AND MISCONFIGURATIONS
1. Vulnerability assessment, Penetration Testing or Security Assessment
2. Continuous Monitoring for security issues: in-depth configuration analysis and vulnerability management program with risk analysis and remediation
3. Threat detection and event monitoring
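The first two steps of the third area (in-depth configuration analysis as part of a vulnerability management program) are also the easiest to turn into a recurring automated check. The script below is an added example for this page, not code from the survey or from ERPScan. It checks a constructed dump of SAP profile parameters against a hardening baseline. The parameter names are real SAP profile parameters; the "name = value" dump format, the sample values and the thresholds in BASELINE are assumptions chosen for illustration and should be replaced by the organisation's own hardening standard.

```python
"""Baseline check of SAP profile parameters from a text dump.

Added example for this page, not code from the survey or from ERPScan. The
parameter names are real SAP profile parameters; the dump format, the sample
values and the BASELINE thresholds are assumptions made for illustration.
"""

# Constructed dump in "name = value" form, as one might copy from RZ11 or an
# instance profile. It deliberately leaves auth/rfc_authority_check unset.
SAMPLE_DUMP = """
# instance profile excerpt (constructed sample)
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 1
rdisp/gui_auto_logout = 1800
gw/acl_mode = 1
"""

# Illustrative hardening baseline: (parameter, predicate on the value, expected).
BASELINE = [
    ("login/min_password_lng", lambda v: v >= 8, ">= 8"),
    ("login/password_expiration_time", lambda v: 1 <= v <= 90, "1..90 days"),
    ("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "1..5 attempts"),
    ("login/no_automatic_user_sapstar", lambda v: v == 1, "1 (no automatic SAP* login)"),
    ("login/password_downwards_compatibility", lambda v: v == 0, "0 (no downward-compatible hashes)"),
    ("rdisp/gui_auto_logout", lambda v: 1 <= v <= 3600, "1..3600 seconds"),
    ("gw/acl_mode", lambda v: v == 1, "1 (gateway ACL enforced)"),
    ("auth/rfc_authority_check", lambda v: v == 1, "1 (S_RFC check enabled)"),
]


def parse_profile(text):
    """Parse 'name = value' lines; integers are converted, comments ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = int(value) if value.lstrip("-").isdigit() else value
    return params


def evaluate(params, baseline=BASELINE):
    """Return (parameter, status, actual, expected) for every baseline entry.

    status is 'pass', 'fail' or 'unset'. An unset parameter is reported on
    its own because the kernel default then applies, and the dump does not
    reveal what that default is.
    """
    report = []
    for name, ok, expected in baseline:
        if name not in params:
            report.append((name, "unset", None, expected))
            continue
        actual = params[name]
        try:
            status = "pass" if ok(actual) else "fail"
        except TypeError:  # non-numeric value where a number was expected
            status = "fail"
        report.append((name, status, actual, expected))
    return report


def failing(report):
    """Names of parameters that are set but violate the baseline, sorted."""
    return sorted(name for name, status, _, _ in report if status == "fail")


def unset(report):
    """Names of baseline parameters absent from the dump, sorted."""
    return sorted(name for name, status, _, _ in report if status == "unset")


if __name__ == "__main__":
    for name, status, actual, expected in evaluate(parse_profile(SAMPLE_DUMP)):
        print(f"{status:5} {name} = {actual!r} (expected {expected})")
```

Run against the parameter output of every application server instance (instance profiles can differ) on a schedule, this is the "continuous monitoring" step in miniature. The separate unset status matters: an absent parameter means the kernel default applies, and defaults such as login/password_expiration_time = 0 (passwords never expire) are exactly the weak settings a baseline is meant to catch, so an unset result should be treated as a finding to investigate rather than as a pass.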
METHODOLOGY & DEMOGRAPHICS

The 2017 Cybersecurity Trends Report is based on the results of a comprehensive online survey of over 1,900 cybersecurity professionals, conducted to gain more insight into the latest security threats faced by organizations and the solutions to prevent and remediate them. The respondents range from technical executives to managers and IT security practitioners. They represent organizations of varying sizes across many industries. Their answers provide a comprehensive perspective on the state of cybersecurity today.

CAREER LEVEL
Specialist 23% | Manager / Supervisor 23% | Consultant 16% | Director 8% | CTO, CIO, CISO, CMO, CFO, COO 8% | Vice President 4% | Owner / CEO / President 4% | Other 14%

DEPARTMENT
IT Security 40% | IT Operations 24% | Engineering 9% | Operations 6% | Compliance 3% | Sales 2% | Other 16%

INDUSTRY
Technology, Software & Internet 22% | Government 10% | Financial Services 19% | Healthcare, Pharmaceuticals & Biotech 10% | Professional Services 8% | Education & Research 13% | Manufacturing 7% | Telecommunications 4% | Computers & Electronics 4% | Other 3%

COMPANY SIZE
Fewer than 10: 7% | 10-99: 16% | 100-499: 19% | 500-999: 7% | 1,000-4,999: 18% | 5,000-10,000: 7% | Over 10,000: 26%
CONTACT US

ERPScan is the most respected and credible SAP and Oracle cybersecurity provider. We operate from two hubs, located in Palo Alto and Amsterdam, with local offices and a partner network spanning 30+ countries around the globe. ERPScan has been distinguished by 40+ awards and is the leading SAP SE partner in discovering security vulnerabilities.

Keep up to date with the latest ERP cybersecurity threats and news!

SAP Cybersecurity resources - whitepapers about ERP Security: https://erpscan.com/research/white-papers/
ERP Cybersecurity blog - subscribe to our blog so you do not miss the latest news: https://erpscan.com/category/press-center/blog/
SAP Cybersecurity threat report - monthly reports focused on the latest SAP Security updates and a review of SAP patches: https://erpscan.com/tag/sap-security-notes/
ERPScan Security Monitoring Suite for SAP - the most comprehensive SAP Security solution: https://erpscan.com/products/erpscan-security-monitoring-suite-for-sap/
EAS-SEC - The EAS-SEC Enterprise Application Security Project provides security guidance for those involved in the procurement, design, and implementation of enterprise applications: http://eas-sec.org
www.erpscan.com